netwire | f1796f21deed0f3b6b6d48632e95a67a3c677ebb4a5c170cfa39b7ce6c92c83c

General

Target

f1796f21deed0f3b6b6d48632e95a67a3c677ebb4a5c170cfa39b7ce6c92c83c.exe
Size

916KB
MD5

7cf3347c350a02b5631ff0897746a7f6
SHA1

839d21fe675706bf1e0e4baa8ecc824c857a3a75
SHA256

f1796f21deed0f3b6b6d48632e95a67a3c677ebb4a5c170cfa39b7ce6c92c83c
SHA512

235b3162ceb0768b19f77ceaf8db0065d15943ff4ba138bb3991872528640f9a9e3a937b4060bba76a3f29bb2caa98f0f5c632c206add828a2c96702fffb6c42
SSDEEP

12288:mK2mhAMJ/cPlDXXFEh8h7UZYE82Y5UKUL4n4y3Xp3SbSlEeG7:H2O/GlDF77g6zwm4m53Sb2Ez

Score

10^/10

netwire botnet evasion persistence rat stealer trojan

Malware Config

Signatures

NetWire RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4068-139-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral2/memory/4068-141-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral2/memory/4068-142-0x0000000000400000-0x000000000041E000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 1 IoCs

Processes:

neubw.exe

pid process

2236 neubw.exe

pid	process
2236	neubw.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f1796f21deed0f3b6b6d48632e95a67a3c677ebb4a5c170cfa39b7ce6c92c83c.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	f1796f21deed0f3b6b6d48632e95a67a3c677ebb4a5c170cfa39b7ce6c92c83c.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

neubw.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	neubw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\C:\Users\Admin\DF8UCB~1 = "C:\\Users\\Admin\\DF8UCB~1\\ummrrxv.vbs"	neubw.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

neubw.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA neubw.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

neubw.exe

description pid process target process

PID 2236 set thread context of 4068 2236 neubw.exe RegSvcs.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	neubw.exe

description	pid	process	target process
PID 2236 set thread context of 4068	2236	neubw.exe	RegSvcs.exe

Drops file in Windows directory 2 IoCs

Processes:

RegSvcs.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\.Identifier	RegSvcs.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\.Identifier	RegSvcs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

neubw.exe

pid process

2236 neubw.exe
2236 neubw.exe
2236 neubw.exe
2236 neubw.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

neubw.exe

description pid process

Token: SeDebugPrivilege 2236 neubw.exe

pid	process
2236	neubw.exe
2236	neubw.exe
2236	neubw.exe
2236	neubw.exe

description	pid	process
Token: SeDebugPrivilege	2236	neubw.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

f1796f21deed0f3b6b6d48632e95a67a3c677ebb4a5c170cfa39b7ce6c92c83c.exeneubw.exe

description	pid	process	target process
PID 4316 wrote to memory of 2236	4316	f1796f21deed0f3b6b6d48632e95a67a3c677ebb4a5c170cfa39b7ce6c92c83c.exe	neubw.exe
PID 4316 wrote to memory of 2236	4316	f1796f21deed0f3b6b6d48632e95a67a3c677ebb4a5c170cfa39b7ce6c92c83c.exe	neubw.exe
PID 4316 wrote to memory of 2236	4316	f1796f21deed0f3b6b6d48632e95a67a3c677ebb4a5c170cfa39b7ce6c92c83c.exe	neubw.exe
PID 2236 wrote to memory of 4068	2236	neubw.exe	RegSvcs.exe
PID 2236 wrote to memory of 4068	2236	neubw.exe	RegSvcs.exe
PID 2236 wrote to memory of 4068	2236	neubw.exe	RegSvcs.exe
PID 2236 wrote to memory of 4068	2236	neubw.exe	RegSvcs.exe
PID 2236 wrote to memory of 4068	2236	neubw.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\f1796f21deed0f3b6b6d48632e95a67a3c677ebb4a5c170cfa39b7ce6c92c83c.exe
"C:\Users\Admin\AppData\Local\Temp\f1796f21deed0f3b6b6d48632e95a67a3c677ebb4a5c170cfa39b7ce6c92c83c.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4316

C:\Users\Admin\df8ucb46rmz4lh\neubw.exe
"C:\Users\Admin\df8ucb46rmz4lh\neubw.exe" wqzyoarxjf
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2236

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
- Drops file in Windows directory
PID:4068

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\DF8UCB~1\pxzqzi.ATF
Filesize
81KB

MD5
2c0b467468b1aeb65902d21e19886af9

SHA1
adda0360e356b11dcbace9587154d8968f7cf2c4

SHA256
3ebc2407ea3a3b8544e70b5f5af54d78ae8a7508b70213d4965613d27daa9ab9

SHA512
b40f0c7a9107787e1560d081d1168e41a13e56acedf72b6cd9fbb51a12d9cfdbb051308bd8410b9a07e99e79ac3402eb76dfe9818d88f2d729f997fdc87e000d

Download Submit
C:\Users\Admin\DF8UCB~1\vrsdpsva.ZJQ
Filesize
63B

MD5
a5c44e1b6f674a570a02269650e1bac0

SHA1
0ee8df733ab6731e1be122aea678921c02fed849

SHA256
df2f082929dac898d57f29e4ac5f8f1eb902e0f9c5ada145d6abe3756b52481e

SHA512
2762c468e8263c8d5dce609650ea565e79e5371a71ece2faf8a87c78c4522bff9813f4398aa07a6a90cff4e05f2b37404f56903b09d04c6b553c798e28db97db

Download Submit
C:\Users\Admin\df8ucb46rmz4lh\neubw.exe
Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
C:\Users\Admin\df8ucb46rmz4lh\neubw.exe
Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
C:\Users\Admin\df8ucb46rmz4lh\wqzyoarxjf
Filesize
646.7MB

MD5
fd4ca3c05864f14d08b583e91a4cc2c2

SHA1
46c75f7ec58aa2f44e4d89f387311e05dfa9e2f6

SHA256
7b0138926f849d43d127b45aa5aaeb7764cbe9e61a3532488c8aa68c3d913759

SHA512
2827fca40c39f7e281cbf445a7483451e037d77f724805987645df08d3b7f8d661844d3f875338e9e7e2a7de71c89571471a21209266cfe7da04116d071d9bca

Download Submit
memory/2236-132-0x0000000000000000-mapping.dmp

Download
memory/4068-138-0x0000000000000000-mapping.dmp

Download
memory/4068-139-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4068-141-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4068-142-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads