netwire | 0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1

General

Target

0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.exe
Size

533KB
MD5

9ef3eb3bdfc86bfdb5c131fe229d6c6c
SHA1

cb86276276349a1b973869aa84bb44048b2cdfe5
SHA256

0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1
SHA512

3ab04c41784f70299969d22c4fb076c15c5178d6765c72269246790197421ba142ca624d4cbb41db2a8f9bcd929fff9a4e207933d3beb64fddf43b86103ec31a
SSDEEP

6144:qTyU80LGVHKDpIoiiPmj8bc5kLGxXtPdomPDNmr2cmuD/4Djh9gH2RdEkNMM+6et:mtj6GQ0m5AgZmbDgPg2R3LrxAu

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FolderName\\file.exe"	reg.exe

NetWire RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\tmp.exe	netwire
C:\Users\Admin\AppData\Local\Temp\tmp.exe	netwire
behavioral2/memory/2008-143-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral2/memory/2008-145-0x0000000000400000-0x000000000041E000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 1 IoCs

Processes:

tmp.exe

pid process

1936 tmp.exe

pid	process
1936	tmp.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.exewscript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.exe

description	ioc	process
File created	C:\Windows\assembly\Desktop.ini	0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.exe

description	pid	process	target process
PID 3836 set thread context of 2008	3836	0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.exe	0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.exe

Drops file in Windows directory 3 IoCs

Processes:

0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.exe

description	ioc	process
File opened for modification	C:\Windows\assembly\Desktop.ini	0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.exe
File opened for modification	C:\Windows\assembly	0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.exe
File created	C:\Windows\assembly\Desktop.ini	0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

5112 2008 WerFault.exe 0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.exe

pid	pid_target	process	target process
5112	2008	WerFault.exe	0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.exe

pid	process
3836	0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.exe
3836	0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.exe
3836	0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.exe
3836	0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.exe
3836	0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.exe

description pid process

Token: SeDebugPrivilege 3836 0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.exe

description	pid	process
Token: SeDebugPrivilege	3836	0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.execmd.exewscript.execmd.exe

description	pid	process	target process
PID 3836 wrote to memory of 5080	3836	0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.exe	cmd.exe
PID 3836 wrote to memory of 5080	3836	0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.exe	cmd.exe
PID 3836 wrote to memory of 5080	3836	0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.exe	cmd.exe
PID 5080 wrote to memory of 5076	5080	cmd.exe	wscript.exe
PID 5080 wrote to memory of 5076	5080	cmd.exe	wscript.exe
PID 5080 wrote to memory of 5076	5080	cmd.exe	wscript.exe
PID 5076 wrote to memory of 1104	5076	wscript.exe	cmd.exe
PID 5076 wrote to memory of 1104	5076	wscript.exe	cmd.exe
PID 5076 wrote to memory of 1104	5076	wscript.exe	cmd.exe
PID 3836 wrote to memory of 1936	3836	0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.exe	tmp.exe
PID 3836 wrote to memory of 1936	3836	0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.exe	tmp.exe
PID 3836 wrote to memory of 1936	3836	0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.exe	tmp.exe
PID 3836 wrote to memory of 2008	3836	0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.exe	0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.exe
PID 3836 wrote to memory of 2008	3836	0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.exe	0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.exe
PID 3836 wrote to memory of 2008	3836	0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.exe	0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.exe
PID 3836 wrote to memory of 2008	3836	0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.exe	0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.exe
PID 3836 wrote to memory of 2008	3836	0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.exe	0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.exe
PID 3836 wrote to memory of 2008	3836	0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.exe	0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.exe
PID 3836 wrote to memory of 2008	3836	0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.exe	0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.exe
PID 3836 wrote to memory of 2008	3836	0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.exe	0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.exe
PID 3836 wrote to memory of 2008	3836	0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.exe	0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.exe
PID 1104 wrote to memory of 2200	1104	cmd.exe	reg.exe
PID 1104 wrote to memory of 2200	1104	cmd.exe	reg.exe
PID 1104 wrote to memory of 2200	1104	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.exe
"C:\Users\Admin\AppData\Local\Temp\0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.exe"
1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\FolderName\mata.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:5080

C:\Windows\SysWOW64\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\FolderName\invs.vbs" "C:\Users\Admin\AppData\Local\Temp\FolderName\mata2.bat"
3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FolderName\mata2.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:1104

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderName\file.exe" /f
5⤵
- Modifies WinLogon for persistence
PID:2200

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
2⤵
- Executes dropped EXE
PID:1936

C:\Users\Admin\AppData\Local\Temp\0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.exe
C:\Users\Admin\AppData\Local\Temp\0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.exe
2⤵
PID:2008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2008 -s 312
3⤵
- Program crash
PID:5112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2008 -ip 2008
1⤵
PID:2092

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FolderName\file.exe
Filesize
533KB

MD5
9ef3eb3bdfc86bfdb5c131fe229d6c6c

SHA1
cb86276276349a1b973869aa84bb44048b2cdfe5

SHA256
0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1

SHA512
3ab04c41784f70299969d22c4fb076c15c5178d6765c72269246790197421ba142ca624d4cbb41db2a8f9bcd929fff9a4e207933d3beb64fddf43b86103ec31a

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderName\invs.vbs
Filesize
78B

MD5
c578d9653b22800c3eb6b6a51219bbb8

SHA1
a97aa251901bbe179a48dbc7a0c1872e163b1f2d

SHA256
20a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2

SHA512
3ae6dc8f02d1a78e1235a0782b632972da5a74ab32287cc41aa672d4fa4a9d34bb5fc50eba07b6915f2e61c402927cd5f6feeb7f7602afa2f64e91efb3b7fc4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderName\mata.bat
Filesize
70B

MD5
23f72401196919748c14cb64c1d55c3b

SHA1
869e3809cb4391e6f5aee5349a871e40a1e1fb22

SHA256
d09c4054568f89c5de2bd9bae9cbcbcb3ef2dda9a9ded0153e29da26dc405d11

SHA512
2ab844717c31c4819d8773d7604dfc831e950ae9e38fe311acf8178d46f39fafb54b448ebb6b9cf5d1edd47ed36eae11d649c1be346b0a35d380dd07101c79f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderName\mata2.bat
Filesize
264B

MD5
e124c4434aca9a49f8207d1fa30128e4

SHA1
d1e70b4238f594ece857ca1a417d4a5c8b28b62e

SHA256
b1c0fd1f562cc9dab8db39eb0c1c2dcc44cd2277e6e3ae55730602f4cc14f79c

SHA512
7cfedaf6e6acce3aad0b206d80be8b28cde9b14dabb9143907934b848ea972c27a282e78c976d1d2a365256bbd4ac275d9bd3e765a448a447df8f9e9ad6b086e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.exe
Filesize
81KB

MD5
6e490dfa724c6f4edf62202deead93da

SHA1
84f0ede9796fb43bd5f47a10d0a0b5303588c22b

SHA256
42754fd77a139452c87f3b214aa910c718ce0bac372c522995351c8ce49d2109

SHA512
f20058d5973b6a612d57971f5babf1340dce29c411a7e29406b7163c7d5744dbc8e605f79fb99bc1d3d38a65ab9d7fd3e893483eda59bf2114069b8924ca1d0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.exe
Filesize
81KB

MD5
6e490dfa724c6f4edf62202deead93da

SHA1
84f0ede9796fb43bd5f47a10d0a0b5303588c22b

SHA256
42754fd77a139452c87f3b214aa910c718ce0bac372c522995351c8ce49d2109

SHA512
f20058d5973b6a612d57971f5babf1340dce29c411a7e29406b7163c7d5744dbc8e605f79fb99bc1d3d38a65ab9d7fd3e893483eda59bf2114069b8924ca1d0a

Download Submit
memory/1104-138-0x0000000000000000-mapping.dmp

Download
memory/1936-139-0x0000000000000000-mapping.dmp

Download
memory/2008-142-0x0000000000000000-mapping.dmp

Download
memory/2008-143-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2008-145-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2200-146-0x0000000000000000-mapping.dmp

Download
memory/3836-132-0x0000000074890000-0x0000000074E41000-memory.dmp

Filesize
5.7MB

Download
memory/3836-148-0x0000000074890000-0x0000000074E41000-memory.dmp

Filesize
5.7MB

Download
memory/5076-135-0x0000000000000000-mapping.dmp

Download
memory/5080-133-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads