netwire | e9453c2bb2511fbb6e9e0d27beeddb5602f08cddd26022b36e756ecd3edfd0c8

General

Target

e9453c2bb2511fbb6e9e0d27beeddb5602f08cddd26022b36e756ecd3edfd0c8.exe
Size

1.1MB
MD5

580f1b384fe4aa7646a51775c2521a1b
SHA1

092dd20627d03b35064ddc8381be9c63dbdbac57
SHA256

e9453c2bb2511fbb6e9e0d27beeddb5602f08cddd26022b36e756ecd3edfd0c8
SHA512

3374b1d0fe89aff7fcc3c105f73eda716330f7024f0b616fa44171e6e70cd7dc168a6558cd8c57cac7a59835f2d2c7973608cf134a79168fe4890cb64a0042ef
SSDEEP

12288:ljy055i/LxmIx+Nmd+Qg+0Xi5qE2lTyG9tl:PwxmIx+Nmcxty4E20Gt

Score

10^/10

netwire botnet rat stealer

Malware Config

Signatures

NetWire RAT payload 7 IoCs

rat

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\tmp.exe	netwire
\Users\Admin\AppData\Local\Temp\tmp.exe	netwire
C:\Users\Admin\AppData\Local\Temp\tmp.exe	netwire
behavioral1/memory/1968-70-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral1/memory/1968-73-0x0000000000402196-mapping.dmp	netwire
behavioral1/memory/1968-72-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral1/memory/1968-76-0x0000000000400000-0x000000000041E000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 1 IoCs

Processes:

tmp.exe

pid process

856 tmp.exe

pid	process
856	tmp.exe

Loads dropped DLL 2 IoCs

Processes:

e9453c2bb2511fbb6e9e0d27beeddb5602f08cddd26022b36e756ecd3edfd0c8.exe

pid	process
524	e9453c2bb2511fbb6e9e0d27beeddb5602f08cddd26022b36e756ecd3edfd0c8.exe
524	e9453c2bb2511fbb6e9e0d27beeddb5602f08cddd26022b36e756ecd3edfd0c8.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

e9453c2bb2511fbb6e9e0d27beeddb5602f08cddd26022b36e756ecd3edfd0c8.exe

description	pid	process	target process
PID 524 set thread context of 1968	524	e9453c2bb2511fbb6e9e0d27beeddb5602f08cddd26022b36e756ecd3edfd0c8.exe	e9453c2bb2511fbb6e9e0d27beeddb5602f08cddd26022b36e756ecd3edfd0c8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

e9453c2bb2511fbb6e9e0d27beeddb5602f08cddd26022b36e756ecd3edfd0c8.exe

pid	process
524	e9453c2bb2511fbb6e9e0d27beeddb5602f08cddd26022b36e756ecd3edfd0c8.exe
524	e9453c2bb2511fbb6e9e0d27beeddb5602f08cddd26022b36e756ecd3edfd0c8.exe
524	e9453c2bb2511fbb6e9e0d27beeddb5602f08cddd26022b36e756ecd3edfd0c8.exe
524	e9453c2bb2511fbb6e9e0d27beeddb5602f08cddd26022b36e756ecd3edfd0c8.exe
524	e9453c2bb2511fbb6e9e0d27beeddb5602f08cddd26022b36e756ecd3edfd0c8.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

e9453c2bb2511fbb6e9e0d27beeddb5602f08cddd26022b36e756ecd3edfd0c8.exe

description pid process

Token: SeDebugPrivilege 524 e9453c2bb2511fbb6e9e0d27beeddb5602f08cddd26022b36e756ecd3edfd0c8.exe

description	pid	process
Token: SeDebugPrivilege	524	e9453c2bb2511fbb6e9e0d27beeddb5602f08cddd26022b36e756ecd3edfd0c8.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

e9453c2bb2511fbb6e9e0d27beeddb5602f08cddd26022b36e756ecd3edfd0c8.execmd.exe

description	pid	process	target process
PID 524 wrote to memory of 932	524	e9453c2bb2511fbb6e9e0d27beeddb5602f08cddd26022b36e756ecd3edfd0c8.exe	cmd.exe
PID 524 wrote to memory of 932	524	e9453c2bb2511fbb6e9e0d27beeddb5602f08cddd26022b36e756ecd3edfd0c8.exe	cmd.exe
PID 524 wrote to memory of 932	524	e9453c2bb2511fbb6e9e0d27beeddb5602f08cddd26022b36e756ecd3edfd0c8.exe	cmd.exe
PID 524 wrote to memory of 932	524	e9453c2bb2511fbb6e9e0d27beeddb5602f08cddd26022b36e756ecd3edfd0c8.exe	cmd.exe
PID 932 wrote to memory of 1924	932	cmd.exe	wscript.exe
PID 932 wrote to memory of 1924	932	cmd.exe	wscript.exe
PID 932 wrote to memory of 1924	932	cmd.exe	wscript.exe
PID 932 wrote to memory of 1924	932	cmd.exe	wscript.exe
PID 524 wrote to memory of 856	524	e9453c2bb2511fbb6e9e0d27beeddb5602f08cddd26022b36e756ecd3edfd0c8.exe	tmp.exe
PID 524 wrote to memory of 856	524	e9453c2bb2511fbb6e9e0d27beeddb5602f08cddd26022b36e756ecd3edfd0c8.exe	tmp.exe
PID 524 wrote to memory of 856	524	e9453c2bb2511fbb6e9e0d27beeddb5602f08cddd26022b36e756ecd3edfd0c8.exe	tmp.exe
PID 524 wrote to memory of 856	524	e9453c2bb2511fbb6e9e0d27beeddb5602f08cddd26022b36e756ecd3edfd0c8.exe	tmp.exe
PID 524 wrote to memory of 1968	524	e9453c2bb2511fbb6e9e0d27beeddb5602f08cddd26022b36e756ecd3edfd0c8.exe	e9453c2bb2511fbb6e9e0d27beeddb5602f08cddd26022b36e756ecd3edfd0c8.exe
PID 524 wrote to memory of 1968	524	e9453c2bb2511fbb6e9e0d27beeddb5602f08cddd26022b36e756ecd3edfd0c8.exe	e9453c2bb2511fbb6e9e0d27beeddb5602f08cddd26022b36e756ecd3edfd0c8.exe
PID 524 wrote to memory of 1968	524	e9453c2bb2511fbb6e9e0d27beeddb5602f08cddd26022b36e756ecd3edfd0c8.exe	e9453c2bb2511fbb6e9e0d27beeddb5602f08cddd26022b36e756ecd3edfd0c8.exe
PID 524 wrote to memory of 1968	524	e9453c2bb2511fbb6e9e0d27beeddb5602f08cddd26022b36e756ecd3edfd0c8.exe	e9453c2bb2511fbb6e9e0d27beeddb5602f08cddd26022b36e756ecd3edfd0c8.exe
PID 524 wrote to memory of 1968	524	e9453c2bb2511fbb6e9e0d27beeddb5602f08cddd26022b36e756ecd3edfd0c8.exe	e9453c2bb2511fbb6e9e0d27beeddb5602f08cddd26022b36e756ecd3edfd0c8.exe
PID 524 wrote to memory of 1968	524	e9453c2bb2511fbb6e9e0d27beeddb5602f08cddd26022b36e756ecd3edfd0c8.exe	e9453c2bb2511fbb6e9e0d27beeddb5602f08cddd26022b36e756ecd3edfd0c8.exe
PID 524 wrote to memory of 1968	524	e9453c2bb2511fbb6e9e0d27beeddb5602f08cddd26022b36e756ecd3edfd0c8.exe	e9453c2bb2511fbb6e9e0d27beeddb5602f08cddd26022b36e756ecd3edfd0c8.exe
PID 524 wrote to memory of 1968	524	e9453c2bb2511fbb6e9e0d27beeddb5602f08cddd26022b36e756ecd3edfd0c8.exe	e9453c2bb2511fbb6e9e0d27beeddb5602f08cddd26022b36e756ecd3edfd0c8.exe
PID 524 wrote to memory of 1968	524	e9453c2bb2511fbb6e9e0d27beeddb5602f08cddd26022b36e756ecd3edfd0c8.exe	e9453c2bb2511fbb6e9e0d27beeddb5602f08cddd26022b36e756ecd3edfd0c8.exe

C:\Users\Admin\AppData\Local\Temp\e9453c2bb2511fbb6e9e0d27beeddb5602f08cddd26022b36e756ecd3edfd0c8.exe
"C:\Users\Admin\AppData\Local\Temp\e9453c2bb2511fbb6e9e0d27beeddb5602f08cddd26022b36e756ecd3edfd0c8.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:524

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\f\1.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:932

C:\Windows\SysWOW64\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\f\vbs.vbs" "C:\Users\Admin\AppData\Local\Temp\f\2.bat"
3⤵
PID:1924

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
2⤵
- Executes dropped EXE
PID:856

C:\Users\Admin\AppData\Local\Temp\e9453c2bb2511fbb6e9e0d27beeddb5602f08cddd26022b36e756ecd3edfd0c8.exe
C:\Users\Admin\AppData\Local\Temp\e9453c2bb2511fbb6e9e0d27beeddb5602f08cddd26022b36e756ecd3edfd0c8.exe
2⤵
PID:1968

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\.Identifier
Filesize
68B

MD5
a2ead345ab5a951a2a0432a1856590f8

SHA1
5274cb4d22843ca4a31134f5c59a85baf4599b80

SHA256
a07ae94cbe7f4c79da91558dc1db9f5d836a3ab4b1a5b72ff297a0015b5d2751

SHA512
d28d743efcf07e46b813a4383e9de146d9461d313b1795a011177fb81b3486bd537da1953bfb0acd5b49b8b83bc9ecac7c7297f36e024b47b5290d0ce1eb9356

Download Submit
C:\Users\Admin\AppData\Local\Temp\f\1.bat
Filesize
47B

MD5
624373df2461660386e47113698fab32

SHA1
6f920b7128ef24a2e2da251cb1462d49bf275dc8

SHA256
e00ac04f41983738840e5ca1d6946e03f23eaa788d0f7eeea6ed992b30900558

SHA512
e794d05bd44bce25e877efb1a187af564a9de7f19458f6032f2ca8e8725b9d0c8e42b4c7ceb93e22367c61fd1ce9c8807b03da61982783c4400123f8d6dcdfa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\f\vbs.vbs
Filesize
78B

MD5
c578d9653b22800c3eb6b6a51219bbb8

SHA1
a97aa251901bbe179a48dbc7a0c1872e163b1f2d

SHA256
20a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2

SHA512
3ae6dc8f02d1a78e1235a0782b632972da5a74ab32287cc41aa672d4fa4a9d34bb5fc50eba07b6915f2e61c402927cd5f6feeb7f7602afa2f64e91efb3b7fc4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.exe
Filesize
81KB

MD5
4b42a02bc2d4ce5833a8750147b7a942

SHA1
a295ed74276421bf1fc675e3176c9a77e2dc4bde

SHA256
8f05e2a0ef9331ff2f7aee2fb054d6aee363abd55f25f7a99883fb2045183646

SHA512
a72317ef36853c79776d1b322b812ab9d25649fbd73b7d8aeb71f741bfca192d8df293ff72ce855c86b8062cc07f5cc1571984fdec226fb9f51de690cde0d8bf

Download Submit
\Users\Admin\AppData\Local\Temp\tmp.exe
Filesize
81KB

MD5
4b42a02bc2d4ce5833a8750147b7a942

SHA1
a295ed74276421bf1fc675e3176c9a77e2dc4bde

SHA256
8f05e2a0ef9331ff2f7aee2fb054d6aee363abd55f25f7a99883fb2045183646

SHA512
a72317ef36853c79776d1b322b812ab9d25649fbd73b7d8aeb71f741bfca192d8df293ff72ce855c86b8062cc07f5cc1571984fdec226fb9f51de690cde0d8bf

Download Submit
\Users\Admin\AppData\Local\Temp\tmp.exe
Filesize
81KB

MD5
4b42a02bc2d4ce5833a8750147b7a942

SHA1
a295ed74276421bf1fc675e3176c9a77e2dc4bde

SHA256
8f05e2a0ef9331ff2f7aee2fb054d6aee363abd55f25f7a99883fb2045183646

SHA512
a72317ef36853c79776d1b322b812ab9d25649fbd73b7d8aeb71f741bfca192d8df293ff72ce855c86b8062cc07f5cc1571984fdec226fb9f51de690cde0d8bf

Download Submit
memory/524-55-0x0000000074040000-0x00000000745EB000-memory.dmp

Filesize
5.7MB

Download
memory/524-54-0x0000000074F01000-0x0000000074F03000-memory.dmp

Filesize
8KB

Download
memory/524-80-0x0000000074040000-0x00000000745EB000-memory.dmp

Filesize
5.7MB

Download
memory/856-61-0x0000000000000000-mapping.dmp

Download
memory/932-56-0x0000000000000000-mapping.dmp

Download
memory/1924-58-0x0000000000000000-mapping.dmp

Download
memory/1968-65-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1968-70-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1968-73-0x0000000000402196-mapping.dmp

Download
memory/1968-72-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1968-76-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1968-68-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1968-78-0x0000000000401000-0x0000000000413000-memory.dmp

Filesize
72KB

Download
memory/1968-66-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads