netwire | 2b9921ac79908737bfe2ccef8f3d5741b3e520d9141732ac2b4512944f1cd75a

Analysis

max time kernel
184s
max time network
235s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
28-11-2022 13:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b9921ac79908737bfe2ccef8f3d5741b3e520d9141732ac2b4512944f1cd75a.exe
Size

122KB
MD5

9ff5d58cf0757ff0bf356c49680f0cc3
SHA1

9ca1083de077af72213b9bdaa92a0da435ccbf56
SHA256

2b9921ac79908737bfe2ccef8f3d5741b3e520d9141732ac2b4512944f1cd75a
SHA512

db17686a2821011af6bfe4f0e371a5d234ba5467d987530fb38d0c69b5616c2026e9f6304e5e62f3297ff78cc2971011db87daf9a735f81f1a3d12a13e250214
SSDEEP

3072:gM1BjoYNXoKDIJBXJPtWrSxKubAAU5xqvfjmnKmpmc/6tXJRiT:gMMYNXqBBsuxKubAAUE7OKmB/GXJRiT

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Signatures

NetWire RAT payload 7 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/268-64-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral1/memory/268-66-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral1/memory/268-67-0x0000000000402196-mapping.dmp	netwire
behavioral1/memory/268-70-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral1/memory/268-74-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral1/memory/1728-91-0x0000000000402196-mapping.dmp	netwire
behavioral1/memory/1728-96-0x0000000000400000-0x000000000041E000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

Host.exeHost.exe

pid process

1476 Host.exe
1728 Host.exe

pid	process
1476	Host.exe
1728	Host.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Host.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{851C4BFW-6IAR-2O5U-73E4-3I534Y5F3AH5}\StubPath = "\"C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe\""	Host.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{851C4BFW-6IAR-2O5U-73E4-3I534Y5F3AH5}	Host.exe

Loads dropped DLL 10 IoCs

Processes:

2b9921ac79908737bfe2ccef8f3d5741b3e520d9141732ac2b4512944f1cd75a.exe2b9921ac79908737bfe2ccef8f3d5741b3e520d9141732ac2b4512944f1cd75a.exeHost.exe

pid	process
940	2b9921ac79908737bfe2ccef8f3d5741b3e520d9141732ac2b4512944f1cd75a.exe
940	2b9921ac79908737bfe2ccef8f3d5741b3e520d9141732ac2b4512944f1cd75a.exe
940	2b9921ac79908737bfe2ccef8f3d5741b3e520d9141732ac2b4512944f1cd75a.exe
940	2b9921ac79908737bfe2ccef8f3d5741b3e520d9141732ac2b4512944f1cd75a.exe
268	2b9921ac79908737bfe2ccef8f3d5741b3e520d9141732ac2b4512944f1cd75a.exe
1476	Host.exe
1476	Host.exe
1476	Host.exe
1476	Host.exe
1476	Host.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Host.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	Host.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\NetWire = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe"	Host.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

2b9921ac79908737bfe2ccef8f3d5741b3e520d9141732ac2b4512944f1cd75a.exeHost.exe

description	pid	process	target process
PID 940 set thread context of 268	940	2b9921ac79908737bfe2ccef8f3d5741b3e520d9141732ac2b4512944f1cd75a.exe	2b9921ac79908737bfe2ccef8f3d5741b3e520d9141732ac2b4512944f1cd75a.exe
PID 1476 set thread context of 1728	1476	Host.exe	Host.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 10 IoCs

installer

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\Install\Host.exe	nsis_installer_1
\Users\Admin\AppData\Roaming\Install\Host.exe	nsis_installer_2
C:\Users\Admin\AppData\Roaming\Install\Host.exe	nsis_installer_1
C:\Users\Admin\AppData\Roaming\Install\Host.exe	nsis_installer_2
C:\Users\Admin\AppData\Roaming\Install\Host.exe	nsis_installer_1
C:\Users\Admin\AppData\Roaming\Install\Host.exe	nsis_installer_2
\Users\Admin\AppData\Roaming\Install\Host.exe	nsis_installer_1
\Users\Admin\AppData\Roaming\Install\Host.exe	nsis_installer_2
C:\Users\Admin\AppData\Roaming\Install\Host.exe	nsis_installer_1
C:\Users\Admin\AppData\Roaming\Install\Host.exe	nsis_installer_2

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

2b9921ac79908737bfe2ccef8f3d5741b3e520d9141732ac2b4512944f1cd75a.exe2b9921ac79908737bfe2ccef8f3d5741b3e520d9141732ac2b4512944f1cd75a.exeHost.exe

description	pid	process	target process
PID 940 wrote to memory of 268	940	2b9921ac79908737bfe2ccef8f3d5741b3e520d9141732ac2b4512944f1cd75a.exe	2b9921ac79908737bfe2ccef8f3d5741b3e520d9141732ac2b4512944f1cd75a.exe
PID 940 wrote to memory of 268	940	2b9921ac79908737bfe2ccef8f3d5741b3e520d9141732ac2b4512944f1cd75a.exe	2b9921ac79908737bfe2ccef8f3d5741b3e520d9141732ac2b4512944f1cd75a.exe
PID 940 wrote to memory of 268	940	2b9921ac79908737bfe2ccef8f3d5741b3e520d9141732ac2b4512944f1cd75a.exe	2b9921ac79908737bfe2ccef8f3d5741b3e520d9141732ac2b4512944f1cd75a.exe
PID 940 wrote to memory of 268	940	2b9921ac79908737bfe2ccef8f3d5741b3e520d9141732ac2b4512944f1cd75a.exe	2b9921ac79908737bfe2ccef8f3d5741b3e520d9141732ac2b4512944f1cd75a.exe
PID 940 wrote to memory of 268	940	2b9921ac79908737bfe2ccef8f3d5741b3e520d9141732ac2b4512944f1cd75a.exe	2b9921ac79908737bfe2ccef8f3d5741b3e520d9141732ac2b4512944f1cd75a.exe
PID 940 wrote to memory of 268	940	2b9921ac79908737bfe2ccef8f3d5741b3e520d9141732ac2b4512944f1cd75a.exe	2b9921ac79908737bfe2ccef8f3d5741b3e520d9141732ac2b4512944f1cd75a.exe
PID 940 wrote to memory of 268	940	2b9921ac79908737bfe2ccef8f3d5741b3e520d9141732ac2b4512944f1cd75a.exe	2b9921ac79908737bfe2ccef8f3d5741b3e520d9141732ac2b4512944f1cd75a.exe
PID 940 wrote to memory of 268	940	2b9921ac79908737bfe2ccef8f3d5741b3e520d9141732ac2b4512944f1cd75a.exe	2b9921ac79908737bfe2ccef8f3d5741b3e520d9141732ac2b4512944f1cd75a.exe
PID 940 wrote to memory of 268	940	2b9921ac79908737bfe2ccef8f3d5741b3e520d9141732ac2b4512944f1cd75a.exe	2b9921ac79908737bfe2ccef8f3d5741b3e520d9141732ac2b4512944f1cd75a.exe
PID 940 wrote to memory of 268	940	2b9921ac79908737bfe2ccef8f3d5741b3e520d9141732ac2b4512944f1cd75a.exe	2b9921ac79908737bfe2ccef8f3d5741b3e520d9141732ac2b4512944f1cd75a.exe
PID 940 wrote to memory of 268	940	2b9921ac79908737bfe2ccef8f3d5741b3e520d9141732ac2b4512944f1cd75a.exe	2b9921ac79908737bfe2ccef8f3d5741b3e520d9141732ac2b4512944f1cd75a.exe
PID 940 wrote to memory of 268	940	2b9921ac79908737bfe2ccef8f3d5741b3e520d9141732ac2b4512944f1cd75a.exe	2b9921ac79908737bfe2ccef8f3d5741b3e520d9141732ac2b4512944f1cd75a.exe
PID 268 wrote to memory of 1476	268	2b9921ac79908737bfe2ccef8f3d5741b3e520d9141732ac2b4512944f1cd75a.exe	Host.exe
PID 268 wrote to memory of 1476	268	2b9921ac79908737bfe2ccef8f3d5741b3e520d9141732ac2b4512944f1cd75a.exe	Host.exe
PID 268 wrote to memory of 1476	268	2b9921ac79908737bfe2ccef8f3d5741b3e520d9141732ac2b4512944f1cd75a.exe	Host.exe
PID 268 wrote to memory of 1476	268	2b9921ac79908737bfe2ccef8f3d5741b3e520d9141732ac2b4512944f1cd75a.exe	Host.exe
PID 268 wrote to memory of 1476	268	2b9921ac79908737bfe2ccef8f3d5741b3e520d9141732ac2b4512944f1cd75a.exe	Host.exe
PID 268 wrote to memory of 1476	268	2b9921ac79908737bfe2ccef8f3d5741b3e520d9141732ac2b4512944f1cd75a.exe	Host.exe
PID 268 wrote to memory of 1476	268	2b9921ac79908737bfe2ccef8f3d5741b3e520d9141732ac2b4512944f1cd75a.exe	Host.exe
PID 1476 wrote to memory of 1728	1476	Host.exe	Host.exe
PID 1476 wrote to memory of 1728	1476	Host.exe	Host.exe
PID 1476 wrote to memory of 1728	1476	Host.exe	Host.exe
PID 1476 wrote to memory of 1728	1476	Host.exe	Host.exe
PID 1476 wrote to memory of 1728	1476	Host.exe	Host.exe
PID 1476 wrote to memory of 1728	1476	Host.exe	Host.exe
PID 1476 wrote to memory of 1728	1476	Host.exe	Host.exe
PID 1476 wrote to memory of 1728	1476	Host.exe	Host.exe
PID 1476 wrote to memory of 1728	1476	Host.exe	Host.exe
PID 1476 wrote to memory of 1728	1476	Host.exe	Host.exe
PID 1476 wrote to memory of 1728	1476	Host.exe	Host.exe
PID 1476 wrote to memory of 1728	1476	Host.exe	Host.exe

C:\Users\Admin\AppData\Local\Temp\2b9921ac79908737bfe2ccef8f3d5741b3e520d9141732ac2b4512944f1cd75a.exe
"C:\Users\Admin\AppData\Local\Temp\2b9921ac79908737bfe2ccef8f3d5741b3e520d9141732ac2b4512944f1cd75a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:940

C:\Users\Admin\AppData\Local\Temp\2b9921ac79908737bfe2ccef8f3d5741b3e520d9141732ac2b4512944f1cd75a.exe
"C:\Users\Admin\AppData\Local\Temp\2b9921ac79908737bfe2ccef8f3d5741b3e520d9141732ac2b4512944f1cd75a.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:268

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1476

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
4⤵
- Executes dropped EXE
- Modifies Installed Components in the registry
- Adds Run key to start application
PID:1728

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
122KB

MD5
9ff5d58cf0757ff0bf356c49680f0cc3

SHA1
9ca1083de077af72213b9bdaa92a0da435ccbf56

SHA256
2b9921ac79908737bfe2ccef8f3d5741b3e520d9141732ac2b4512944f1cd75a

SHA512
db17686a2821011af6bfe4f0e371a5d234ba5467d987530fb38d0c69b5616c2026e9f6304e5e62f3297ff78cc2971011db87daf9a735f81f1a3d12a13e250214

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
122KB

MD5
9ff5d58cf0757ff0bf356c49680f0cc3

SHA1
9ca1083de077af72213b9bdaa92a0da435ccbf56

SHA256
2b9921ac79908737bfe2ccef8f3d5741b3e520d9141732ac2b4512944f1cd75a

SHA512
db17686a2821011af6bfe4f0e371a5d234ba5467d987530fb38d0c69b5616c2026e9f6304e5e62f3297ff78cc2971011db87daf9a735f81f1a3d12a13e250214

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
122KB

MD5
9ff5d58cf0757ff0bf356c49680f0cc3

SHA1
9ca1083de077af72213b9bdaa92a0da435ccbf56

SHA256
2b9921ac79908737bfe2ccef8f3d5741b3e520d9141732ac2b4512944f1cd75a

SHA512
db17686a2821011af6bfe4f0e371a5d234ba5467d987530fb38d0c69b5616c2026e9f6304e5e62f3297ff78cc2971011db87daf9a735f81f1a3d12a13e250214

Download Submit
C:\Users\Admin\AppData\Roaming\UsaBit.com_lap-rso.avi
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\nst5820.tmp\UserInfo.dll
Filesize
4KB

MD5
d9a3fc12d56726dde60c1ead1df366f7

SHA1
f531768159c14f07ac896437445652b33750a237

SHA256
401f1a02000ff7cf9853d964dcba77e6f0fa8e57256b11ed3c01171d7a97388a

SHA512
6b06e3446df419151dd20cdb1d9c595fe9fb0972e7dfc50dadeea9f868d8ef0cd4cefcb18c7ebfc0d2a3e9171f8aa1f9fe762f54c374667f6060e8ce7e845f51

Download Submit
\Users\Admin\AppData\Local\Temp\nst5820.tmp\UserInfo.dll
Filesize
4KB

MD5
d9a3fc12d56726dde60c1ead1df366f7

SHA1
f531768159c14f07ac896437445652b33750a237

SHA256
401f1a02000ff7cf9853d964dcba77e6f0fa8e57256b11ed3c01171d7a97388a

SHA512
6b06e3446df419151dd20cdb1d9c595fe9fb0972e7dfc50dadeea9f868d8ef0cd4cefcb18c7ebfc0d2a3e9171f8aa1f9fe762f54c374667f6060e8ce7e845f51

Download Submit
\Users\Admin\AppData\Local\Temp\nst5820.tmp\UserInfo.dll
Filesize
4KB

MD5
d9a3fc12d56726dde60c1ead1df366f7

SHA1
f531768159c14f07ac896437445652b33750a237

SHA256
401f1a02000ff7cf9853d964dcba77e6f0fa8e57256b11ed3c01171d7a97388a

SHA512
6b06e3446df419151dd20cdb1d9c595fe9fb0972e7dfc50dadeea9f868d8ef0cd4cefcb18c7ebfc0d2a3e9171f8aa1f9fe762f54c374667f6060e8ce7e845f51

Download Submit
\Users\Admin\AppData\Local\Temp\nst5820.tmp\pipeline.dll
Filesize
91KB

MD5
913a399f2964253488edd521c3e413cd

SHA1
e125001d8d05743c6eec2a5d4c9463e9253aadd4

SHA256
6a301d0878fe36e7fa12ad60e31417e37c590d85da493a16220bfe290dfac9fe

SHA512
3c31f951fa8cf52f9bc1755b0ef6bbd23742ec01ca11704486be87adfc958bea409d631f0ae5699b10a3382ff94fe8f5c893728169d5389cc589c1ae3dc6e8e3

Download Submit
\Users\Admin\AppData\Local\Temp\nsz602C.tmp\UserInfo.dll
Filesize
4KB

MD5
d9a3fc12d56726dde60c1ead1df366f7

SHA1
f531768159c14f07ac896437445652b33750a237

SHA256
401f1a02000ff7cf9853d964dcba77e6f0fa8e57256b11ed3c01171d7a97388a

SHA512
6b06e3446df419151dd20cdb1d9c595fe9fb0972e7dfc50dadeea9f868d8ef0cd4cefcb18c7ebfc0d2a3e9171f8aa1f9fe762f54c374667f6060e8ce7e845f51

Download Submit
\Users\Admin\AppData\Local\Temp\nsz602C.tmp\UserInfo.dll
Filesize
4KB

MD5
d9a3fc12d56726dde60c1ead1df366f7

SHA1
f531768159c14f07ac896437445652b33750a237

SHA256
401f1a02000ff7cf9853d964dcba77e6f0fa8e57256b11ed3c01171d7a97388a

SHA512
6b06e3446df419151dd20cdb1d9c595fe9fb0972e7dfc50dadeea9f868d8ef0cd4cefcb18c7ebfc0d2a3e9171f8aa1f9fe762f54c374667f6060e8ce7e845f51

Download Submit
\Users\Admin\AppData\Local\Temp\nsz602C.tmp\UserInfo.dll
Filesize
4KB

MD5
d9a3fc12d56726dde60c1ead1df366f7

SHA1
f531768159c14f07ac896437445652b33750a237

SHA256
401f1a02000ff7cf9853d964dcba77e6f0fa8e57256b11ed3c01171d7a97388a

SHA512
6b06e3446df419151dd20cdb1d9c595fe9fb0972e7dfc50dadeea9f868d8ef0cd4cefcb18c7ebfc0d2a3e9171f8aa1f9fe762f54c374667f6060e8ce7e845f51

Download Submit
\Users\Admin\AppData\Local\Temp\nsz602C.tmp\pipeline.dll
Filesize
91KB

MD5
913a399f2964253488edd521c3e413cd

SHA1
e125001d8d05743c6eec2a5d4c9463e9253aadd4

SHA256
6a301d0878fe36e7fa12ad60e31417e37c590d85da493a16220bfe290dfac9fe

SHA512
3c31f951fa8cf52f9bc1755b0ef6bbd23742ec01ca11704486be87adfc958bea409d631f0ae5699b10a3382ff94fe8f5c893728169d5389cc589c1ae3dc6e8e3

Download Submit
\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
122KB

MD5
9ff5d58cf0757ff0bf356c49680f0cc3

SHA1
9ca1083de077af72213b9bdaa92a0da435ccbf56

SHA256
2b9921ac79908737bfe2ccef8f3d5741b3e520d9141732ac2b4512944f1cd75a

SHA512
db17686a2821011af6bfe4f0e371a5d234ba5467d987530fb38d0c69b5616c2026e9f6304e5e62f3297ff78cc2971011db87daf9a735f81f1a3d12a13e250214

Download Submit
\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
122KB

MD5
9ff5d58cf0757ff0bf356c49680f0cc3

SHA1
9ca1083de077af72213b9bdaa92a0da435ccbf56

SHA256
2b9921ac79908737bfe2ccef8f3d5741b3e520d9141732ac2b4512944f1cd75a

SHA512
db17686a2821011af6bfe4f0e371a5d234ba5467d987530fb38d0c69b5616c2026e9f6304e5e62f3297ff78cc2971011db87daf9a735f81f1a3d12a13e250214

Download Submit
memory/268-70-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/268-67-0x0000000000402196-mapping.dmp

Download
memory/268-66-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/268-64-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/268-62-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/268-60-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/268-74-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/268-59-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/940-54-0x0000000075B61000-0x0000000075B63000-memory.dmp

Filesize
8KB

Download
memory/1476-72-0x0000000000000000-mapping.dmp

Download
memory/1728-91-0x0000000000402196-mapping.dmp

Download
memory/1728-96-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download