netwire | 02dde7041a6f4581cef09b30c2019fad50c71bbdf9e7cda527a18a228bd48710

General

Target

02dde7041a6f4581cef09b30c2019fad50c71bbdf9e7cda527a18a228bd48710.exe
Size

626KB
MD5

7af42f187551fa37410b77c2bfb9d8ba
SHA1

3e799bfb72b63f5908856fc7dd4bde5af40ca84c
SHA256

02dde7041a6f4581cef09b30c2019fad50c71bbdf9e7cda527a18a228bd48710
SHA512

8259b47a094eb006eea22a8a9b570f612fc811e6d847ae2a29cc4a1ad85a3fff25802657242caa1554bcac779b1c7c610287be4e73fc7d6e9f25f208feb25d7b
SSDEEP

12288:xJRYT/jA1+FSpwPpwHd+3anVKB7myuK0bcNb2amWsVODj:M/RF4wPid+qbyxkatFDj

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Signatures

NetWire RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1816-58-0x0000000000400000-0x0000000000417000-memory.dmp	netwire
behavioral1/memory/1640-68-0x0000000000400000-0x0000000000417000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

Host.exeHost.exe

pid process

1708 Host.exe
1640 Host.exe

pid	process
1708	Host.exe
1640	Host.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Host.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{XV7NSHJ6-303K-MEHH-0C16-7258W7M0L217}	Host.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{XV7NSHJ6-303K-MEHH-0C16-7258W7M0L217}\StubPath = "\"C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe\""	Host.exe

Loads dropped DLL 2 IoCs

Processes:

02dde7041a6f4581cef09b30c2019fad50c71bbdf9e7cda527a18a228bd48710.exe

pid	process
1816	02dde7041a6f4581cef09b30c2019fad50c71bbdf9e7cda527a18a228bd48710.exe
1816	02dde7041a6f4581cef09b30c2019fad50c71bbdf9e7cda527a18a228bd48710.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Host.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	Host.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\xnewisrto = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe"	Host.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

02dde7041a6f4581cef09b30c2019fad50c71bbdf9e7cda527a18a228bd48710.exeHost.exe

description	pid	process	target process
PID 1232 set thread context of 1816	1232	02dde7041a6f4581cef09b30c2019fad50c71bbdf9e7cda527a18a228bd48710.exe	02dde7041a6f4581cef09b30c2019fad50c71bbdf9e7cda527a18a228bd48710.exe
PID 1708 set thread context of 1640	1708	Host.exe	Host.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

02dde7041a6f4581cef09b30c2019fad50c71bbdf9e7cda527a18a228bd48710.exeHost.exe

pid	process
1232	02dde7041a6f4581cef09b30c2019fad50c71bbdf9e7cda527a18a228bd48710.exe
1232	02dde7041a6f4581cef09b30c2019fad50c71bbdf9e7cda527a18a228bd48710.exe
1708	Host.exe
1708	Host.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

02dde7041a6f4581cef09b30c2019fad50c71bbdf9e7cda527a18a228bd48710.exe02dde7041a6f4581cef09b30c2019fad50c71bbdf9e7cda527a18a228bd48710.exeHost.exe

description	pid	process	target process
PID 1232 wrote to memory of 1816	1232	02dde7041a6f4581cef09b30c2019fad50c71bbdf9e7cda527a18a228bd48710.exe	02dde7041a6f4581cef09b30c2019fad50c71bbdf9e7cda527a18a228bd48710.exe
PID 1232 wrote to memory of 1816	1232	02dde7041a6f4581cef09b30c2019fad50c71bbdf9e7cda527a18a228bd48710.exe	02dde7041a6f4581cef09b30c2019fad50c71bbdf9e7cda527a18a228bd48710.exe
PID 1232 wrote to memory of 1816	1232	02dde7041a6f4581cef09b30c2019fad50c71bbdf9e7cda527a18a228bd48710.exe	02dde7041a6f4581cef09b30c2019fad50c71bbdf9e7cda527a18a228bd48710.exe
PID 1232 wrote to memory of 1816	1232	02dde7041a6f4581cef09b30c2019fad50c71bbdf9e7cda527a18a228bd48710.exe	02dde7041a6f4581cef09b30c2019fad50c71bbdf9e7cda527a18a228bd48710.exe
PID 1816 wrote to memory of 1708	1816	02dde7041a6f4581cef09b30c2019fad50c71bbdf9e7cda527a18a228bd48710.exe	Host.exe
PID 1816 wrote to memory of 1708	1816	02dde7041a6f4581cef09b30c2019fad50c71bbdf9e7cda527a18a228bd48710.exe	Host.exe
PID 1816 wrote to memory of 1708	1816	02dde7041a6f4581cef09b30c2019fad50c71bbdf9e7cda527a18a228bd48710.exe	Host.exe
PID 1816 wrote to memory of 1708	1816	02dde7041a6f4581cef09b30c2019fad50c71bbdf9e7cda527a18a228bd48710.exe	Host.exe
PID 1708 wrote to memory of 1640	1708	Host.exe	Host.exe
PID 1708 wrote to memory of 1640	1708	Host.exe	Host.exe
PID 1708 wrote to memory of 1640	1708	Host.exe	Host.exe
PID 1708 wrote to memory of 1640	1708	Host.exe	Host.exe

C:\Users\Admin\AppData\Local\Temp\02dde7041a6f4581cef09b30c2019fad50c71bbdf9e7cda527a18a228bd48710.exe
"C:\Users\Admin\AppData\Local\Temp\02dde7041a6f4581cef09b30c2019fad50c71bbdf9e7cda527a18a228bd48710.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1232

C:\Users\Admin\AppData\Local\Temp\02dde7041a6f4581cef09b30c2019fad50c71bbdf9e7cda527a18a228bd48710.exe
"C:\Users\Admin\AppData\Local\Temp\02dde7041a6f4581cef09b30c2019fad50c71bbdf9e7cda527a18a228bd48710.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1816

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1708

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
4⤵
- Executes dropped EXE
- Modifies Installed Components in the registry
- Adds Run key to start application
PID:1640

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
626KB

MD5
7af42f187551fa37410b77c2bfb9d8ba

SHA1
3e799bfb72b63f5908856fc7dd4bde5af40ca84c

SHA256
02dde7041a6f4581cef09b30c2019fad50c71bbdf9e7cda527a18a228bd48710

SHA512
8259b47a094eb006eea22a8a9b570f612fc811e6d847ae2a29cc4a1ad85a3fff25802657242caa1554bcac779b1c7c610287be4e73fc7d6e9f25f208feb25d7b

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
626KB

MD5
7af42f187551fa37410b77c2bfb9d8ba

SHA1
3e799bfb72b63f5908856fc7dd4bde5af40ca84c

SHA256
02dde7041a6f4581cef09b30c2019fad50c71bbdf9e7cda527a18a228bd48710

SHA512
8259b47a094eb006eea22a8a9b570f612fc811e6d847ae2a29cc4a1ad85a3fff25802657242caa1554bcac779b1c7c610287be4e73fc7d6e9f25f208feb25d7b

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
626KB

MD5
7af42f187551fa37410b77c2bfb9d8ba

SHA1
3e799bfb72b63f5908856fc7dd4bde5af40ca84c

SHA256
02dde7041a6f4581cef09b30c2019fad50c71bbdf9e7cda527a18a228bd48710

SHA512
8259b47a094eb006eea22a8a9b570f612fc811e6d847ae2a29cc4a1ad85a3fff25802657242caa1554bcac779b1c7c610287be4e73fc7d6e9f25f208feb25d7b

Download Submit
\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
626KB

MD5
7af42f187551fa37410b77c2bfb9d8ba

SHA1
3e799bfb72b63f5908856fc7dd4bde5af40ca84c

SHA256
02dde7041a6f4581cef09b30c2019fad50c71bbdf9e7cda527a18a228bd48710

SHA512
8259b47a094eb006eea22a8a9b570f612fc811e6d847ae2a29cc4a1ad85a3fff25802657242caa1554bcac779b1c7c610287be4e73fc7d6e9f25f208feb25d7b

Download Submit
\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
626KB

MD5
7af42f187551fa37410b77c2bfb9d8ba

SHA1
3e799bfb72b63f5908856fc7dd4bde5af40ca84c

SHA256
02dde7041a6f4581cef09b30c2019fad50c71bbdf9e7cda527a18a228bd48710

SHA512
8259b47a094eb006eea22a8a9b570f612fc811e6d847ae2a29cc4a1ad85a3fff25802657242caa1554bcac779b1c7c610287be4e73fc7d6e9f25f208feb25d7b

Download Submit
memory/1232-54-0x0000000076041000-0x0000000076043000-memory.dmp

Filesize
8KB

Download
memory/1232-56-0x0000000000290000-0x0000000000295000-memory.dmp

Filesize
20KB

Download
memory/1640-65-0x0000000000401F8F-mapping.dmp

Download
memory/1640-68-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1708-61-0x0000000000000000-mapping.dmp

Download
memory/1816-55-0x0000000000401F8F-mapping.dmp

Download
memory/1816-58-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads