netwire | 2b9921ac79908737bfe2ccef8f3d5741b3e520d9141732ac2b4512944f1cd75a

Analysis

max time kernel
160s
max time network
169s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
28-11-2022 13:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b9921ac79908737bfe2ccef8f3d5741b3e520d9141732ac2b4512944f1cd75a.exe
Size

122KB
MD5

9ff5d58cf0757ff0bf356c49680f0cc3
SHA1

9ca1083de077af72213b9bdaa92a0da435ccbf56
SHA256

2b9921ac79908737bfe2ccef8f3d5741b3e520d9141732ac2b4512944f1cd75a
SHA512

db17686a2821011af6bfe4f0e371a5d234ba5467d987530fb38d0c69b5616c2026e9f6304e5e62f3297ff78cc2971011db87daf9a735f81f1a3d12a13e250214
SSDEEP

3072:gM1BjoYNXoKDIJBXJPtWrSxKubAAU5xqvfjmnKmpmc/6tXJRiT:gMMYNXqBBsuxKubAAUE7OKmB/GXJRiT

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Signatures

NetWire RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1324-140-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral2/memory/1324-142-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral2/memory/1324-143-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral2/memory/1432-157-0x0000000000400000-0x000000000041E000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

Host.exeHost.exe

pid process

388 Host.exe
1432 Host.exe

pid	process
388	Host.exe
1432	Host.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Host.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{851C4BFW-6IAR-2O5U-73E4-3I534Y5F3AH5}	Host.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{851C4BFW-6IAR-2O5U-73E4-3I534Y5F3AH5}\StubPath = "\"C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe\""	Host.exe

Loads dropped DLL 8 IoCs

Processes:

2b9921ac79908737bfe2ccef8f3d5741b3e520d9141732ac2b4512944f1cd75a.exeHost.exe

pid	process
4060	2b9921ac79908737bfe2ccef8f3d5741b3e520d9141732ac2b4512944f1cd75a.exe
4060	2b9921ac79908737bfe2ccef8f3d5741b3e520d9141732ac2b4512944f1cd75a.exe
4060	2b9921ac79908737bfe2ccef8f3d5741b3e520d9141732ac2b4512944f1cd75a.exe
4060	2b9921ac79908737bfe2ccef8f3d5741b3e520d9141732ac2b4512944f1cd75a.exe
388	Host.exe
388	Host.exe
388	Host.exe
388	Host.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Host.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	Host.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NetWire = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe"	Host.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

2b9921ac79908737bfe2ccef8f3d5741b3e520d9141732ac2b4512944f1cd75a.exeHost.exe

description	pid	process	target process
PID 4060 set thread context of 1324	4060	2b9921ac79908737bfe2ccef8f3d5741b3e520d9141732ac2b4512944f1cd75a.exe	2b9921ac79908737bfe2ccef8f3d5741b3e520d9141732ac2b4512944f1cd75a.exe
PID 388 set thread context of 1432	388	Host.exe	Host.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 6 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Install\Host.exe	nsis_installer_1
C:\Users\Admin\AppData\Roaming\Install\Host.exe	nsis_installer_2
C:\Users\Admin\AppData\Roaming\Install\Host.exe	nsis_installer_1
C:\Users\Admin\AppData\Roaming\Install\Host.exe	nsis_installer_2
C:\Users\Admin\AppData\Roaming\Install\Host.exe	nsis_installer_1
C:\Users\Admin\AppData\Roaming\Install\Host.exe	nsis_installer_2

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

2b9921ac79908737bfe2ccef8f3d5741b3e520d9141732ac2b4512944f1cd75a.exe2b9921ac79908737bfe2ccef8f3d5741b3e520d9141732ac2b4512944f1cd75a.exeHost.exe

description	pid	process	target process
PID 4060 wrote to memory of 1324	4060	2b9921ac79908737bfe2ccef8f3d5741b3e520d9141732ac2b4512944f1cd75a.exe	2b9921ac79908737bfe2ccef8f3d5741b3e520d9141732ac2b4512944f1cd75a.exe
PID 4060 wrote to memory of 1324	4060	2b9921ac79908737bfe2ccef8f3d5741b3e520d9141732ac2b4512944f1cd75a.exe	2b9921ac79908737bfe2ccef8f3d5741b3e520d9141732ac2b4512944f1cd75a.exe
PID 4060 wrote to memory of 1324	4060	2b9921ac79908737bfe2ccef8f3d5741b3e520d9141732ac2b4512944f1cd75a.exe	2b9921ac79908737bfe2ccef8f3d5741b3e520d9141732ac2b4512944f1cd75a.exe
PID 4060 wrote to memory of 1324	4060	2b9921ac79908737bfe2ccef8f3d5741b3e520d9141732ac2b4512944f1cd75a.exe	2b9921ac79908737bfe2ccef8f3d5741b3e520d9141732ac2b4512944f1cd75a.exe
PID 4060 wrote to memory of 1324	4060	2b9921ac79908737bfe2ccef8f3d5741b3e520d9141732ac2b4512944f1cd75a.exe	2b9921ac79908737bfe2ccef8f3d5741b3e520d9141732ac2b4512944f1cd75a.exe
PID 4060 wrote to memory of 1324	4060	2b9921ac79908737bfe2ccef8f3d5741b3e520d9141732ac2b4512944f1cd75a.exe	2b9921ac79908737bfe2ccef8f3d5741b3e520d9141732ac2b4512944f1cd75a.exe
PID 4060 wrote to memory of 1324	4060	2b9921ac79908737bfe2ccef8f3d5741b3e520d9141732ac2b4512944f1cd75a.exe	2b9921ac79908737bfe2ccef8f3d5741b3e520d9141732ac2b4512944f1cd75a.exe
PID 4060 wrote to memory of 1324	4060	2b9921ac79908737bfe2ccef8f3d5741b3e520d9141732ac2b4512944f1cd75a.exe	2b9921ac79908737bfe2ccef8f3d5741b3e520d9141732ac2b4512944f1cd75a.exe
PID 4060 wrote to memory of 1324	4060	2b9921ac79908737bfe2ccef8f3d5741b3e520d9141732ac2b4512944f1cd75a.exe	2b9921ac79908737bfe2ccef8f3d5741b3e520d9141732ac2b4512944f1cd75a.exe
PID 1324 wrote to memory of 388	1324	2b9921ac79908737bfe2ccef8f3d5741b3e520d9141732ac2b4512944f1cd75a.exe	Host.exe
PID 1324 wrote to memory of 388	1324	2b9921ac79908737bfe2ccef8f3d5741b3e520d9141732ac2b4512944f1cd75a.exe	Host.exe
PID 1324 wrote to memory of 388	1324	2b9921ac79908737bfe2ccef8f3d5741b3e520d9141732ac2b4512944f1cd75a.exe	Host.exe
PID 388 wrote to memory of 1432	388	Host.exe	Host.exe
PID 388 wrote to memory of 1432	388	Host.exe	Host.exe
PID 388 wrote to memory of 1432	388	Host.exe	Host.exe
PID 388 wrote to memory of 1432	388	Host.exe	Host.exe
PID 388 wrote to memory of 1432	388	Host.exe	Host.exe
PID 388 wrote to memory of 1432	388	Host.exe	Host.exe
PID 388 wrote to memory of 1432	388	Host.exe	Host.exe
PID 388 wrote to memory of 1432	388	Host.exe	Host.exe
PID 388 wrote to memory of 1432	388	Host.exe	Host.exe

C:\Users\Admin\AppData\Local\Temp\2b9921ac79908737bfe2ccef8f3d5741b3e520d9141732ac2b4512944f1cd75a.exe
"C:\Users\Admin\AppData\Local\Temp\2b9921ac79908737bfe2ccef8f3d5741b3e520d9141732ac2b4512944f1cd75a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4060

C:\Users\Admin\AppData\Local\Temp\2b9921ac79908737bfe2ccef8f3d5741b3e520d9141732ac2b4512944f1cd75a.exe
"C:\Users\Admin\AppData\Local\Temp\2b9921ac79908737bfe2ccef8f3d5741b3e520d9141732ac2b4512944f1cd75a.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1324

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:388

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
4⤵
- Executes dropped EXE
- Modifies Installed Components in the registry
- Adds Run key to start application
PID:1432

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsiE7F5.tmp\UserInfo.dll
Filesize
4KB

MD5
d9a3fc12d56726dde60c1ead1df366f7

SHA1
f531768159c14f07ac896437445652b33750a237

SHA256
401f1a02000ff7cf9853d964dcba77e6f0fa8e57256b11ed3c01171d7a97388a

SHA512
6b06e3446df419151dd20cdb1d9c595fe9fb0972e7dfc50dadeea9f868d8ef0cd4cefcb18c7ebfc0d2a3e9171f8aa1f9fe762f54c374667f6060e8ce7e845f51

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiE7F5.tmp\UserInfo.dll
Filesize
4KB

MD5
d9a3fc12d56726dde60c1ead1df366f7

SHA1
f531768159c14f07ac896437445652b33750a237

SHA256
401f1a02000ff7cf9853d964dcba77e6f0fa8e57256b11ed3c01171d7a97388a

SHA512
6b06e3446df419151dd20cdb1d9c595fe9fb0972e7dfc50dadeea9f868d8ef0cd4cefcb18c7ebfc0d2a3e9171f8aa1f9fe762f54c374667f6060e8ce7e845f51

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiE7F5.tmp\UserInfo.dll
Filesize
4KB

MD5
d9a3fc12d56726dde60c1ead1df366f7

SHA1
f531768159c14f07ac896437445652b33750a237

SHA256
401f1a02000ff7cf9853d964dcba77e6f0fa8e57256b11ed3c01171d7a97388a

SHA512
6b06e3446df419151dd20cdb1d9c595fe9fb0972e7dfc50dadeea9f868d8ef0cd4cefcb18c7ebfc0d2a3e9171f8aa1f9fe762f54c374667f6060e8ce7e845f51

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiE7F5.tmp\pipeline.dll
Filesize
91KB

MD5
913a399f2964253488edd521c3e413cd

SHA1
e125001d8d05743c6eec2a5d4c9463e9253aadd4

SHA256
6a301d0878fe36e7fa12ad60e31417e37c590d85da493a16220bfe290dfac9fe

SHA512
3c31f951fa8cf52f9bc1755b0ef6bbd23742ec01ca11704486be87adfc958bea409d631f0ae5699b10a3382ff94fe8f5c893728169d5389cc589c1ae3dc6e8e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmF1B9.tmp\UserInfo.dll
Filesize
4KB

MD5
d9a3fc12d56726dde60c1ead1df366f7

SHA1
f531768159c14f07ac896437445652b33750a237

SHA256
401f1a02000ff7cf9853d964dcba77e6f0fa8e57256b11ed3c01171d7a97388a

SHA512
6b06e3446df419151dd20cdb1d9c595fe9fb0972e7dfc50dadeea9f868d8ef0cd4cefcb18c7ebfc0d2a3e9171f8aa1f9fe762f54c374667f6060e8ce7e845f51

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmF1B9.tmp\UserInfo.dll
Filesize
4KB

MD5
d9a3fc12d56726dde60c1ead1df366f7

SHA1
f531768159c14f07ac896437445652b33750a237

SHA256
401f1a02000ff7cf9853d964dcba77e6f0fa8e57256b11ed3c01171d7a97388a

SHA512
6b06e3446df419151dd20cdb1d9c595fe9fb0972e7dfc50dadeea9f868d8ef0cd4cefcb18c7ebfc0d2a3e9171f8aa1f9fe762f54c374667f6060e8ce7e845f51

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmF1B9.tmp\UserInfo.dll
Filesize
4KB

MD5
d9a3fc12d56726dde60c1ead1df366f7

SHA1
f531768159c14f07ac896437445652b33750a237

SHA256
401f1a02000ff7cf9853d964dcba77e6f0fa8e57256b11ed3c01171d7a97388a

SHA512
6b06e3446df419151dd20cdb1d9c595fe9fb0972e7dfc50dadeea9f868d8ef0cd4cefcb18c7ebfc0d2a3e9171f8aa1f9fe762f54c374667f6060e8ce7e845f51

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmF1B9.tmp\pipeline.dll
Filesize
91KB

MD5
913a399f2964253488edd521c3e413cd

SHA1
e125001d8d05743c6eec2a5d4c9463e9253aadd4

SHA256
6a301d0878fe36e7fa12ad60e31417e37c590d85da493a16220bfe290dfac9fe

SHA512
3c31f951fa8cf52f9bc1755b0ef6bbd23742ec01ca11704486be87adfc958bea409d631f0ae5699b10a3382ff94fe8f5c893728169d5389cc589c1ae3dc6e8e3

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
122KB

MD5
9ff5d58cf0757ff0bf356c49680f0cc3

SHA1
9ca1083de077af72213b9bdaa92a0da435ccbf56

SHA256
2b9921ac79908737bfe2ccef8f3d5741b3e520d9141732ac2b4512944f1cd75a

SHA512
db17686a2821011af6bfe4f0e371a5d234ba5467d987530fb38d0c69b5616c2026e9f6304e5e62f3297ff78cc2971011db87daf9a735f81f1a3d12a13e250214

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
122KB

MD5
9ff5d58cf0757ff0bf356c49680f0cc3

SHA1
9ca1083de077af72213b9bdaa92a0da435ccbf56

SHA256
2b9921ac79908737bfe2ccef8f3d5741b3e520d9141732ac2b4512944f1cd75a

SHA512
db17686a2821011af6bfe4f0e371a5d234ba5467d987530fb38d0c69b5616c2026e9f6304e5e62f3297ff78cc2971011db87daf9a735f81f1a3d12a13e250214

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
122KB

MD5
9ff5d58cf0757ff0bf356c49680f0cc3

SHA1
9ca1083de077af72213b9bdaa92a0da435ccbf56

SHA256
2b9921ac79908737bfe2ccef8f3d5741b3e520d9141732ac2b4512944f1cd75a

SHA512
db17686a2821011af6bfe4f0e371a5d234ba5467d987530fb38d0c69b5616c2026e9f6304e5e62f3297ff78cc2971011db87daf9a735f81f1a3d12a13e250214

Download Submit
C:\Users\Admin\AppData\Roaming\UsaBit.com_lap-rso.avi
Filesize
81KB

MD5
c9bd81c0aaa09ffe139c7c1e9a3066f8

SHA1
1833298ddf039f4b9aafb9e3e2dea47dcdffe51d

SHA256
ac9166783f8dc3ebc064eb894eadf3ec956a7e1f40e574981ab6f45199fe99dd

SHA512
e9707f38f2511e253b8c7b9a9b29ebe91cec0d6aab590252fe69e54f1cc160e461dd67451283cb29e5fff4ffd57dd9c198bdf8eb41884a3e83942e327541230f

Download Submit
memory/388-144-0x0000000000000000-mapping.dmp

Download
memory/1324-143-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1324-142-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1324-140-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1324-139-0x0000000000000000-mapping.dmp

Download
memory/1432-152-0x0000000000000000-mapping.dmp

Download
memory/1432-157-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download