netwire | 0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1

General

Target

0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.exe
Size

533KB
MD5

9ef3eb3bdfc86bfdb5c131fe229d6c6c
SHA1

cb86276276349a1b973869aa84bb44048b2cdfe5
SHA256

0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1
SHA512

3ab04c41784f70299969d22c4fb076c15c5178d6765c72269246790197421ba142ca624d4cbb41db2a8f9bcd929fff9a4e207933d3beb64fddf43b86103ec31a
SSDEEP

6144:qTyU80LGVHKDpIoiiPmj8bc5kLGxXtPdomPDNmr2cmuD/4Djh9gH2RdEkNMM+6et:mtj6GQ0m5AgZmbDgPg2R3LrxAu

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FolderName\\file.exe"	reg.exe

NetWire RAT payload 7 IoCs

rat

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\tmp.exe	netwire
\Users\Admin\AppData\Local\Temp\tmp.exe	netwire
C:\Users\Admin\AppData\Local\Temp\tmp.exe	netwire
behavioral1/memory/1396-71-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral1/memory/1396-75-0x0000000000402196-mapping.dmp	netwire
behavioral1/memory/1396-74-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral1/memory/1396-78-0x0000000000400000-0x000000000041E000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 1 IoCs

Processes:

tmp.exe

pid process

1716 tmp.exe

pid	process
1716	tmp.exe

Loads dropped DLL 2 IoCs

Processes:

0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.exe

pid	process
1480	0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.exe
1480	0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.exe

description	pid	process	target process
PID 1480 set thread context of 1396	1480	0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.exe	0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.exe

pid	process
1480	0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.exe
1480	0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.exe
1480	0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.exe
1480	0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.exe
1480	0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.exe

description pid process

Token: SeDebugPrivilege 1480 0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.exe

description	pid	process
Token: SeDebugPrivilege	1480	0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.execmd.exewscript.execmd.exe

description	pid	process	target process
PID 1480 wrote to memory of 2032	1480	0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.exe	cmd.exe
PID 1480 wrote to memory of 2032	1480	0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.exe	cmd.exe
PID 1480 wrote to memory of 2032	1480	0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.exe	cmd.exe
PID 1480 wrote to memory of 2032	1480	0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.exe	cmd.exe
PID 2032 wrote to memory of 996	2032	cmd.exe	wscript.exe
PID 2032 wrote to memory of 996	2032	cmd.exe	wscript.exe
PID 2032 wrote to memory of 996	2032	cmd.exe	wscript.exe
PID 2032 wrote to memory of 996	2032	cmd.exe	wscript.exe
PID 1480 wrote to memory of 1716	1480	0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.exe	tmp.exe
PID 1480 wrote to memory of 1716	1480	0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.exe	tmp.exe
PID 1480 wrote to memory of 1716	1480	0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.exe	tmp.exe
PID 1480 wrote to memory of 1716	1480	0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.exe	tmp.exe
PID 1480 wrote to memory of 1396	1480	0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.exe	0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.exe
PID 1480 wrote to memory of 1396	1480	0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.exe	0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.exe
PID 1480 wrote to memory of 1396	1480	0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.exe	0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.exe
PID 1480 wrote to memory of 1396	1480	0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.exe	0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.exe
PID 1480 wrote to memory of 1396	1480	0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.exe	0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.exe
PID 1480 wrote to memory of 1396	1480	0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.exe	0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.exe
PID 1480 wrote to memory of 1396	1480	0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.exe	0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.exe
PID 1480 wrote to memory of 1396	1480	0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.exe	0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.exe
PID 1480 wrote to memory of 1396	1480	0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.exe	0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.exe
PID 996 wrote to memory of 936	996	wscript.exe	cmd.exe
PID 996 wrote to memory of 936	996	wscript.exe	cmd.exe
PID 996 wrote to memory of 936	996	wscript.exe	cmd.exe
PID 996 wrote to memory of 936	996	wscript.exe	cmd.exe
PID 936 wrote to memory of 1348	936	cmd.exe	reg.exe
PID 936 wrote to memory of 1348	936	cmd.exe	reg.exe
PID 936 wrote to memory of 1348	936	cmd.exe	reg.exe
PID 936 wrote to memory of 1348	936	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.exe
"C:\Users\Admin\AppData\Local\Temp\0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1480

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\FolderName\mata.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:2032

C:\Windows\SysWOW64\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\FolderName\invs.vbs" "C:\Users\Admin\AppData\Local\Temp\FolderName\mata2.bat"
3⤵
- Suspicious use of WriteProcessMemory
PID:996

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\FolderName\mata2.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:936

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderName\file.exe" /f
5⤵
- Modifies WinLogon for persistence
PID:1348

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
2⤵
- Executes dropped EXE
PID:1716

C:\Users\Admin\AppData\Local\Temp\0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.exe
C:\Users\Admin\AppData\Local\Temp\0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.exe
2⤵
PID:1396

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\.Identifier
Filesize
68B

MD5
a3cc3cc6427bde076b2691f82e9756b4

SHA1
f4cc793534e36ac0c405249e3eefcaed31925621

SHA256
98e5df79386d5b07cc629935564ae4286eb0cbb4cc9a5df37b0827ad93d458a3

SHA512
b1391d81111ce946d1bad10a39cb9e3e2314ac037a251bf98dddcdaed905fed4a64b018d9bf1b4727e97a07fb17dd931de3c3957331d188dc60d8a00c550c2d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderName\file.exe
Filesize
533KB

MD5
9ef3eb3bdfc86bfdb5c131fe229d6c6c

SHA1
cb86276276349a1b973869aa84bb44048b2cdfe5

SHA256
0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1

SHA512
3ab04c41784f70299969d22c4fb076c15c5178d6765c72269246790197421ba142ca624d4cbb41db2a8f9bcd929fff9a4e207933d3beb64fddf43b86103ec31a

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderName\invs.vbs
Filesize
78B

MD5
c578d9653b22800c3eb6b6a51219bbb8

SHA1
a97aa251901bbe179a48dbc7a0c1872e163b1f2d

SHA256
20a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2

SHA512
3ae6dc8f02d1a78e1235a0782b632972da5a74ab32287cc41aa672d4fa4a9d34bb5fc50eba07b6915f2e61c402927cd5f6feeb7f7602afa2f64e91efb3b7fc4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderName\mata.bat
Filesize
70B

MD5
23f72401196919748c14cb64c1d55c3b

SHA1
869e3809cb4391e6f5aee5349a871e40a1e1fb22

SHA256
d09c4054568f89c5de2bd9bae9cbcbcb3ef2dda9a9ded0153e29da26dc405d11

SHA512
2ab844717c31c4819d8773d7604dfc831e950ae9e38fe311acf8178d46f39fafb54b448ebb6b9cf5d1edd47ed36eae11d649c1be346b0a35d380dd07101c79f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderName\mata2.bat
Filesize
264B

MD5
e124c4434aca9a49f8207d1fa30128e4

SHA1
d1e70b4238f594ece857ca1a417d4a5c8b28b62e

SHA256
b1c0fd1f562cc9dab8db39eb0c1c2dcc44cd2277e6e3ae55730602f4cc14f79c

SHA512
7cfedaf6e6acce3aad0b206d80be8b28cde9b14dabb9143907934b848ea972c27a282e78c976d1d2a365256bbd4ac275d9bd3e765a448a447df8f9e9ad6b086e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.exe
Filesize
81KB

MD5
6e490dfa724c6f4edf62202deead93da

SHA1
84f0ede9796fb43bd5f47a10d0a0b5303588c22b

SHA256
42754fd77a139452c87f3b214aa910c718ce0bac372c522995351c8ce49d2109

SHA512
f20058d5973b6a612d57971f5babf1340dce29c411a7e29406b7163c7d5744dbc8e605f79fb99bc1d3d38a65ab9d7fd3e893483eda59bf2114069b8924ca1d0a

Download Submit
\Users\Admin\AppData\Local\Temp\tmp.exe
Filesize
81KB

MD5
6e490dfa724c6f4edf62202deead93da

SHA1
84f0ede9796fb43bd5f47a10d0a0b5303588c22b

SHA256
42754fd77a139452c87f3b214aa910c718ce0bac372c522995351c8ce49d2109

SHA512
f20058d5973b6a612d57971f5babf1340dce29c411a7e29406b7163c7d5744dbc8e605f79fb99bc1d3d38a65ab9d7fd3e893483eda59bf2114069b8924ca1d0a

Download Submit
\Users\Admin\AppData\Local\Temp\tmp.exe
Filesize
81KB

MD5
6e490dfa724c6f4edf62202deead93da

SHA1
84f0ede9796fb43bd5f47a10d0a0b5303588c22b

SHA256
42754fd77a139452c87f3b214aa910c718ce0bac372c522995351c8ce49d2109

SHA512
f20058d5973b6a612d57971f5babf1340dce29c411a7e29406b7163c7d5744dbc8e605f79fb99bc1d3d38a65ab9d7fd3e893483eda59bf2114069b8924ca1d0a

Download Submit
memory/936-81-0x0000000000000000-mapping.dmp

Download
memory/996-59-0x0000000000000000-mapping.dmp

Download
memory/1348-82-0x0000000000000000-mapping.dmp

Download
memory/1396-75-0x0000000000402196-mapping.dmp

Download
memory/1396-69-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1396-71-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1396-67-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1396-74-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1396-78-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1396-66-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1396-83-0x0000000000401000-0x0000000000413000-memory.dmp

Filesize
72KB

Download
memory/1480-55-0x0000000075000000-0x00000000755AB000-memory.dmp

Filesize
5.7MB

Download
memory/1480-85-0x0000000075000000-0x00000000755AB000-memory.dmp

Filesize
5.7MB

Download
memory/1480-56-0x0000000075000000-0x00000000755AB000-memory.dmp

Filesize
5.7MB

Download
memory/1480-54-0x0000000076831000-0x0000000076833000-memory.dmp

Filesize
8KB

Download
memory/1716-62-0x0000000000000000-mapping.dmp

Download
memory/2032-57-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads