netwire | 68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b

General

Target

68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b.exe
Size

136KB
MD5

21b289e88c52899e189bd93995cd4f45
SHA1

4b73d5200538d31d5a8aebab6ca2387df4489d96
SHA256

68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b
SHA512

013b6644a35bf5611dec48886c177552170b1ac02ae88a5218ce76a6082d664b5c27de61843576679af3f5ba4d95fcc3ca67e65790052bcee52d71eef439f703
SSDEEP

3072:RM+9i7SFCIXJZHWYekfrwKQjSs2cRgIuabx0AW9CVcpdPdMJ:RMTCP2YhfrwKQjSYgIuEeAKnLs

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Signatures

NetWire RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1756-71-0x0000000000400000-0x0000000000417000-memory.dmp	netwire
behavioral1/memory/1968-89-0x0000000000400000-0x0000000000417000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

Host.exeHost.exe

pid process

1988 Host.exe
1968 Host.exe

pid	process
1988	Host.exe
1968	Host.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Host.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{27FGINSK-LK06-10M2-G7BC-RFJPIKC3M3G7}	Host.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{27FGINSK-LK06-10M2-G7BC-RFJPIKC3M3G7}\StubPath = "\"C:\\Users\\Admin\\AppData\\Roaming\\Setup\\Host.exe\""	Host.exe

Loads dropped DLL 3 IoCs

Processes:

68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b.exe68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b.exeHost.exe

pid	process
656	68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b.exe
1756	68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b.exe
1988	Host.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Host.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	Host.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\ThrFile = "C:\\Users\\Admin\\AppData\\Roaming\\Setup\\Host.exe"	Host.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b.exeHost.exe

description	pid	process	target process
PID 656 set thread context of 1756	656	68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b.exe	68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b.exe
PID 1988 set thread context of 1968	1988	Host.exe	Host.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 8 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Setup\Host.exe	nsis_installer_1
C:\Users\Admin\AppData\Roaming\Setup\Host.exe	nsis_installer_2
\Users\Admin\AppData\Roaming\Setup\Host.exe	nsis_installer_1
\Users\Admin\AppData\Roaming\Setup\Host.exe	nsis_installer_2
C:\Users\Admin\AppData\Roaming\Setup\Host.exe	nsis_installer_1
C:\Users\Admin\AppData\Roaming\Setup\Host.exe	nsis_installer_2
C:\Users\Admin\AppData\Roaming\Setup\Host.exe	nsis_installer_1
C:\Users\Admin\AppData\Roaming\Setup\Host.exe	nsis_installer_2

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b.exe68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b.exeHost.exe

description	pid	process	target process
PID 656 wrote to memory of 1756	656	68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b.exe	68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b.exe
PID 656 wrote to memory of 1756	656	68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b.exe	68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b.exe
PID 656 wrote to memory of 1756	656	68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b.exe	68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b.exe
PID 656 wrote to memory of 1756	656	68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b.exe	68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b.exe
PID 656 wrote to memory of 1756	656	68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b.exe	68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b.exe
PID 656 wrote to memory of 1756	656	68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b.exe	68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b.exe
PID 656 wrote to memory of 1756	656	68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b.exe	68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b.exe
PID 656 wrote to memory of 1756	656	68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b.exe	68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b.exe
PID 656 wrote to memory of 1756	656	68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b.exe	68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b.exe
PID 1756 wrote to memory of 1988	1756	68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b.exe	Host.exe
PID 1756 wrote to memory of 1988	1756	68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b.exe	Host.exe
PID 1756 wrote to memory of 1988	1756	68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b.exe	Host.exe
PID 1756 wrote to memory of 1988	1756	68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b.exe	Host.exe
PID 1988 wrote to memory of 1968	1988	Host.exe	Host.exe
PID 1988 wrote to memory of 1968	1988	Host.exe	Host.exe
PID 1988 wrote to memory of 1968	1988	Host.exe	Host.exe
PID 1988 wrote to memory of 1968	1988	Host.exe	Host.exe
PID 1988 wrote to memory of 1968	1988	Host.exe	Host.exe
PID 1988 wrote to memory of 1968	1988	Host.exe	Host.exe
PID 1988 wrote to memory of 1968	1988	Host.exe	Host.exe
PID 1988 wrote to memory of 1968	1988	Host.exe	Host.exe
PID 1988 wrote to memory of 1968	1988	Host.exe	Host.exe

C:\Users\Admin\AppData\Local\Temp\68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b.exe
"C:\Users\Admin\AppData\Local\Temp\68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:656

C:\Users\Admin\AppData\Local\Temp\68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b.exe
"C:\Users\Admin\AppData\Local\Temp\68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1756

C:\Users\Admin\AppData\Roaming\Setup\Host.exe
"C:\Users\Admin\AppData\Roaming\Setup\Host.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1988

C:\Users\Admin\AppData\Roaming\Setup\Host.exe
"C:\Users\Admin\AppData\Roaming\Setup\Host.exe"
4⤵
- Executes dropped EXE
- Modifies Installed Components in the registry
- Adds Run key to start application
PID:1968

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\sprees.mjw
Filesize
68KB

MD5
ebdd3b8ebf400c8d56ef48adf8b78dff

SHA1
553dbb7db9457d249683d36114d0fed90087bdac

SHA256
50f942da50af23e6149873501452b25cb9ab00e2fec1d6c2cb6c460ce61cdc5d

SHA512
c192e9ea00c67f440f309f2f782c6bb7c6fecb773ccc992a57d697bf11cb01c93482c580377463b3a626424b52e9d7d69ce5cd744dd46f710899b61fee73fd9c

Download Submit
C:\Users\Admin\AppData\Roaming\Setup\Host.exe
Filesize
136KB

MD5
21b289e88c52899e189bd93995cd4f45

SHA1
4b73d5200538d31d5a8aebab6ca2387df4489d96

SHA256
68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b

SHA512
013b6644a35bf5611dec48886c177552170b1ac02ae88a5218ce76a6082d664b5c27de61843576679af3f5ba4d95fcc3ca67e65790052bcee52d71eef439f703

Download Submit
C:\Users\Admin\AppData\Roaming\Setup\Host.exe
Filesize
136KB

MD5
21b289e88c52899e189bd93995cd4f45

SHA1
4b73d5200538d31d5a8aebab6ca2387df4489d96

SHA256
68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b

SHA512
013b6644a35bf5611dec48886c177552170b1ac02ae88a5218ce76a6082d664b5c27de61843576679af3f5ba4d95fcc3ca67e65790052bcee52d71eef439f703

Download Submit
C:\Users\Admin\AppData\Roaming\Setup\Host.exe
Filesize
136KB

MD5
21b289e88c52899e189bd93995cd4f45

SHA1
4b73d5200538d31d5a8aebab6ca2387df4489d96

SHA256
68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b

SHA512
013b6644a35bf5611dec48886c177552170b1ac02ae88a5218ce76a6082d664b5c27de61843576679af3f5ba4d95fcc3ca67e65790052bcee52d71eef439f703

Download Submit
\Users\Admin\AppData\Local\Temp\nseBD49.tmp\sprees.dll
Filesize
57KB

MD5
2aac95e2511af03b42b391a420a2db04

SHA1
c7aac5b6f68de9c7d6aa3fb91db42b957d000e6c

SHA256
5a39e3e9583fa118254280b7a7e55837a3a8aa8e0f9027c014eb163ecd305b17

SHA512
8e522dfcd49bd41ab6d2c00a03de97a5302b151763df76ce6532b83dc48181e3ca1df239947d3c8ad55b538691b5567293785fef5d509c3ad9f0131c1912c3aa

Download Submit
\Users\Admin\AppData\Local\Temp\nsyC90B.tmp\sprees.dll
Filesize
57KB

MD5
2aac95e2511af03b42b391a420a2db04

SHA1
c7aac5b6f68de9c7d6aa3fb91db42b957d000e6c

SHA256
5a39e3e9583fa118254280b7a7e55837a3a8aa8e0f9027c014eb163ecd305b17

SHA512
8e522dfcd49bd41ab6d2c00a03de97a5302b151763df76ce6532b83dc48181e3ca1df239947d3c8ad55b538691b5567293785fef5d509c3ad9f0131c1912c3aa

Download Submit
\Users\Admin\AppData\Roaming\Setup\Host.exe
Filesize
136KB

MD5
21b289e88c52899e189bd93995cd4f45

SHA1
4b73d5200538d31d5a8aebab6ca2387df4489d96

SHA256
68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b

SHA512
013b6644a35bf5611dec48886c177552170b1ac02ae88a5218ce76a6082d664b5c27de61843576679af3f5ba4d95fcc3ca67e65790052bcee52d71eef439f703

Download Submit
memory/656-56-0x00000000020C0000-0x00000000020D7000-memory.dmp

Filesize
92KB

Download
memory/656-54-0x0000000075131000-0x0000000075133000-memory.dmp

Filesize
8KB

Download
memory/1756-60-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1756-67-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1756-64-0x0000000000401F8F-mapping.dmp

Download
memory/1756-71-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1756-63-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1756-62-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1756-58-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1756-57-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1968-84-0x0000000000401F8F-mapping.dmp

Download
memory/1968-89-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1988-69-0x0000000000000000-mapping.dmp

Download
memory/1988-76-0x0000000000900000-0x0000000000917000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads