netwire | 169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b

General

Target

169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exe
Size

344KB
MD5

9f58ab1ff6fffcd9ebc688400caebb43
SHA1

4d13349bc26eeeda8dd10df5c69afbf5c415776d
SHA256

169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b
SHA512

cce5e3156b8164bbd1ae5f35759f6e3aeb3766a7dcde8b026a0b8ed8140f1ffd777444d2942f856d5d255b7298671c575e6135633eaba37a698b39063f0d242c
SSDEEP

3072:2c0acFibrRuC1OdlyKm9LDKElxLwYnMc1BVrox006FGchraTfvTdr9gpu7GCpuT8:2JlX8LD3scjnkGObTdJoC0l

Score

10^/10

netwire botnet rat stealer

Malware Config

Signatures

NetWire RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2968-135-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral2/memory/2968-137-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral2/memory/2968-138-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral2/memory/2968-158-0x0000000000400000-0x000000000041E000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 3 IoCs

Processes:

AppMgmt.exehkmsvc.exeAppMgmt.exe

pid process

1524 AppMgmt.exe
4576 hkmsvc.exe
1036 AppMgmt.exe

pid	process
1524	AppMgmt.exe
4576	hkmsvc.exe
1036	AppMgmt.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

hkmsvc.exe169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exeAppMgmt.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	hkmsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	AppMgmt.exe

Drops file in System32 directory 2 IoCs

Processes:

svchost.exe

description ioc process

File created C:\Windows\SysWOW64\.Identifier svchost.exe
File opened for modification C:\Windows\SysWOW64\.Identifier svchost.exe

description	ioc	process
File created	C:\Windows\SysWOW64\.Identifier	svchost.exe
File opened for modification	C:\Windows\SysWOW64\.Identifier	svchost.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exehkmsvc.exe

description	pid	process	target process
PID 4184 set thread context of 2968	4184	169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exe	svchost.exe
PID 4576 set thread context of 3116	4576	hkmsvc.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exeAppMgmt.exehkmsvc.exe

pid	process
4184	169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exe
4184	169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exe
4184	169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exe
4184	169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exe
4184	169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exe
4184	169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exe
4184	169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exe
4184	169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exe
4184	169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exe
4184	169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exe
4184	169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exe
4184	169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exe
4184	169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exe
4184	169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exe
4184	169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exe
4184	169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exe
4184	169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exe
4184	169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exe
4184	169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exe
4184	169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exe
4184	169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exe
4184	169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exe
4184	169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exe
4184	169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exe
4184	169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exe
4184	169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exe
1524	AppMgmt.exe
4184	169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exe
4184	169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exe
4184	169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exe
1524	AppMgmt.exe
4184	169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exe
1524	AppMgmt.exe
4184	169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exe
1524	AppMgmt.exe
4184	169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exe
1524	AppMgmt.exe
4184	169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exe
1524	AppMgmt.exe
4184	169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exe
1524	AppMgmt.exe
4184	169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exe
1524	AppMgmt.exe
4184	169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exe
1524	AppMgmt.exe
4184	169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exe
1524	AppMgmt.exe
4184	169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exe
1524	AppMgmt.exe
4184	169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exe
1524	AppMgmt.exe
4184	169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exe
4576	hkmsvc.exe
4576	hkmsvc.exe
4576	hkmsvc.exe
4576	hkmsvc.exe
4576	hkmsvc.exe
4576	hkmsvc.exe
4576	hkmsvc.exe
4576	hkmsvc.exe
4576	hkmsvc.exe
4576	hkmsvc.exe
4576	hkmsvc.exe
4576	hkmsvc.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exeAppMgmt.exehkmsvc.exeAppMgmt.exe

description	pid	process
Token: SeDebugPrivilege	4184	169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exe
Token: SeDebugPrivilege	1524	AppMgmt.exe
Token: SeDebugPrivilege	4576	hkmsvc.exe
Token: SeDebugPrivilege	1036	AppMgmt.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exeAppMgmt.exehkmsvc.exe

description	pid	process	target process
PID 4184 wrote to memory of 2968	4184	169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exe	svchost.exe
PID 4184 wrote to memory of 2968	4184	169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exe	svchost.exe
PID 4184 wrote to memory of 2968	4184	169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exe	svchost.exe
PID 4184 wrote to memory of 2968	4184	169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exe	svchost.exe
PID 4184 wrote to memory of 2968	4184	169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exe	svchost.exe
PID 4184 wrote to memory of 2968	4184	169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exe	svchost.exe
PID 4184 wrote to memory of 2968	4184	169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exe	svchost.exe
PID 4184 wrote to memory of 2968	4184	169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exe	svchost.exe
PID 4184 wrote to memory of 1524	4184	169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exe	AppMgmt.exe
PID 4184 wrote to memory of 1524	4184	169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exe	AppMgmt.exe
PID 4184 wrote to memory of 1524	4184	169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exe	AppMgmt.exe
PID 1524 wrote to memory of 4576	1524	AppMgmt.exe	hkmsvc.exe
PID 1524 wrote to memory of 4576	1524	AppMgmt.exe	hkmsvc.exe
PID 1524 wrote to memory of 4576	1524	AppMgmt.exe	hkmsvc.exe
PID 4576 wrote to memory of 3116	4576	hkmsvc.exe	svchost.exe
PID 4576 wrote to memory of 3116	4576	hkmsvc.exe	svchost.exe
PID 4576 wrote to memory of 3116	4576	hkmsvc.exe	svchost.exe
PID 4576 wrote to memory of 3116	4576	hkmsvc.exe	svchost.exe
PID 4576 wrote to memory of 3116	4576	hkmsvc.exe	svchost.exe
PID 4576 wrote to memory of 3116	4576	hkmsvc.exe	svchost.exe
PID 4576 wrote to memory of 3116	4576	hkmsvc.exe	svchost.exe
PID 4576 wrote to memory of 3116	4576	hkmsvc.exe	svchost.exe
PID 4576 wrote to memory of 1036	4576	hkmsvc.exe	AppMgmt.exe
PID 4576 wrote to memory of 1036	4576	hkmsvc.exe	AppMgmt.exe
PID 4576 wrote to memory of 1036	4576	hkmsvc.exe	AppMgmt.exe

C:\Users\Admin\AppData\Local\Temp\169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exe
"C:\Users\Admin\AppData\Local\Temp\169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4184

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\system32\svchost.exe"
2⤵
- Drops file in System32 directory
PID:2968

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgmt.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgmt.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1524

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\hkmsvc.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\hkmsvc.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4576

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\system32\svchost.exe"
4⤵
PID:3116

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgmt.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgmt.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1036

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\AppMgmt.exe.log
Filesize
404B

MD5
15b6596d028baa2a113143d1828bcc36

SHA1
f1be43126c4e765fe499718c388823d44bf1fef1

SHA256
529f9fde2234067382b4c6fb8e5aee49d8a8b1b85c82b0bdae425fa2a0264f75

SHA512
f2a6cb8498f596c7bf9178ea32a245dbb3657f43a179f378ce952ce5cb8580810cd67ef1efb623bcf6cd796d74e2c9b7bc42cb8665ead397546ce3b400181e83

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgmt.exe
Filesize
11KB

MD5
767893283ac1bfe94e5a90eb058af81e

SHA1
84e06d1f09172a3e9e880843d4aaad9b3fb1fb9f

SHA256
a09c1d674cbe2b7383b9bf3a17b0ef9ea251e2f4dc8343cf8df78930b624f8f7

SHA512
a9be0214498ffc890d8272de8cf73d3d9b35eeb530dc5e9b34e4da62c3c1027a013c4a8512587e4e9c36f83b00eef7068a387bd748d7bf2c40ce8dc2aa89ac95

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgmt.exe
Filesize
11KB

MD5
767893283ac1bfe94e5a90eb058af81e

SHA1
84e06d1f09172a3e9e880843d4aaad9b3fb1fb9f

SHA256
a09c1d674cbe2b7383b9bf3a17b0ef9ea251e2f4dc8343cf8df78930b624f8f7

SHA512
a9be0214498ffc890d8272de8cf73d3d9b35eeb530dc5e9b34e4da62c3c1027a013c4a8512587e4e9c36f83b00eef7068a387bd748d7bf2c40ce8dc2aa89ac95

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgmt.exe
Filesize
11KB

MD5
767893283ac1bfe94e5a90eb058af81e

SHA1
84e06d1f09172a3e9e880843d4aaad9b3fb1fb9f

SHA256
a09c1d674cbe2b7383b9bf3a17b0ef9ea251e2f4dc8343cf8df78930b624f8f7

SHA512
a9be0214498ffc890d8272de8cf73d3d9b35eeb530dc5e9b34e4da62c3c1027a013c4a8512587e4e9c36f83b00eef7068a387bd748d7bf2c40ce8dc2aa89ac95

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgmt.exe
Filesize
11KB

MD5
767893283ac1bfe94e5a90eb058af81e

SHA1
84e06d1f09172a3e9e880843d4aaad9b3fb1fb9f

SHA256
a09c1d674cbe2b7383b9bf3a17b0ef9ea251e2f4dc8343cf8df78930b624f8f7

SHA512
a9be0214498ffc890d8272de8cf73d3d9b35eeb530dc5e9b34e4da62c3c1027a013c4a8512587e4e9c36f83b00eef7068a387bd748d7bf2c40ce8dc2aa89ac95

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\hkmsvc.exe
Filesize
344KB

MD5
9f58ab1ff6fffcd9ebc688400caebb43

SHA1
4d13349bc26eeeda8dd10df5c69afbf5c415776d

SHA256
169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b

SHA512
cce5e3156b8164bbd1ae5f35759f6e3aeb3766a7dcde8b026a0b8ed8140f1ffd777444d2942f856d5d255b7298671c575e6135633eaba37a698b39063f0d242c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\hkmsvc.exe
Filesize
344KB

MD5
9f58ab1ff6fffcd9ebc688400caebb43

SHA1
4d13349bc26eeeda8dd10df5c69afbf5c415776d

SHA256
169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b

SHA512
cce5e3156b8164bbd1ae5f35759f6e3aeb3766a7dcde8b026a0b8ed8140f1ffd777444d2942f856d5d255b7298671c575e6135633eaba37a698b39063f0d242c

Download Submit
memory/1036-153-0x0000000000000000-mapping.dmp

Download
memory/1036-160-0x00000000752B0000-0x0000000075861000-memory.dmp

Filesize
5.7MB

Download
memory/1036-157-0x00000000752B0000-0x0000000075861000-memory.dmp

Filesize
5.7MB

Download
memory/1524-148-0x00000000752B0000-0x0000000075861000-memory.dmp

Filesize
5.7MB

Download
memory/1524-142-0x00000000752B0000-0x0000000075861000-memory.dmp

Filesize
5.7MB

Download
memory/1524-139-0x0000000000000000-mapping.dmp

Download
memory/2968-134-0x0000000000000000-mapping.dmp

Download
memory/2968-135-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2968-137-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2968-158-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2968-138-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3116-150-0x0000000000000000-mapping.dmp

Download
memory/4184-149-0x00000000752B0000-0x0000000075861000-memory.dmp

Filesize
5.7MB

Download
memory/4184-132-0x00000000752B0000-0x0000000075861000-memory.dmp

Filesize
5.7MB

Download
memory/4184-133-0x00000000752B0000-0x0000000075861000-memory.dmp

Filesize
5.7MB

Download
memory/4576-147-0x000000000154B000-0x000000000154F000-memory.dmp

Filesize
16KB

Download
memory/4576-146-0x00000000752B0000-0x0000000075861000-memory.dmp

Filesize
5.7MB

Download
memory/4576-144-0x0000000000000000-mapping.dmp

Download
memory/4576-159-0x00000000752B0000-0x0000000075861000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads