netwire | 04670a7a3b1e740d9019aa3ca77e4cd37bb08ad3fc25abd150c8d0b70784b783

General

Target

04670a7a3b1e740d9019aa3ca77e4cd37bb08ad3fc25abd150c8d0b70784b783.exe
Size

725KB
MD5

9b221a5e407da5e59976cdd73e204425
SHA1

6e5c84a4e49d296b7d3ec4a377653895eb2f82b5
SHA256

04670a7a3b1e740d9019aa3ca77e4cd37bb08ad3fc25abd150c8d0b70784b783
SHA512

6670e5084e608e015d9c32372b20a5bf02e705bce2af8d434a383e7bf700940ff136a8070d6c2cd8d3fc0c4732e0fc101781943701953a24d7dfc705a6a8a9a3
SSDEEP

12288:mK2mhAMJ/cPl5LMA2jpy98h7UZYE82Y5UKUL4n4y3Xp3SbSlI:H2O/Gl5PM17g6zwm4m53Sb2I

Score

10^/10

netwire botnet evasion persistence rat stealer trojan

Malware Config

Signatures

NetWire RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4944-139-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral2/memory/4944-138-0x0000000000000000-mapping.dmp	netwire
behavioral2/memory/4944-141-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral2/memory/4944-142-0x0000000000400000-0x000000000041E000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 1 IoCs

Processes:

adqpuilnekzd.exe

pid process

2084 adqpuilnekzd.exe

pid	process
2084	adqpuilnekzd.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

04670a7a3b1e740d9019aa3ca77e4cd37bb08ad3fc25abd150c8d0b70784b783.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	04670a7a3b1e740d9019aa3ca77e4cd37bb08ad3fc25abd150c8d0b70784b783.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

adqpuilnekzd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	adqpuilnekzd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\C:\Users\Admin\TWQUDV~1 = "C:\\Users\\Admin\\TWQUDV~1\\ogsujmgnf.vbs"	adqpuilnekzd.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

adqpuilnekzd.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA adqpuilnekzd.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

adqpuilnekzd.exe

description pid process target process

PID 2084 set thread context of 4944 2084 adqpuilnekzd.exe RegSvcs.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	adqpuilnekzd.exe

description	pid	process	target process
PID 2084 set thread context of 4944	2084	adqpuilnekzd.exe	RegSvcs.exe

Drops file in Windows directory 2 IoCs

Processes:

RegSvcs.exe

description	ioc	process
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\.Identifier	RegSvcs.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\.Identifier	RegSvcs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

adqpuilnekzd.exe

pid process

2084 adqpuilnekzd.exe
2084 adqpuilnekzd.exe
2084 adqpuilnekzd.exe
2084 adqpuilnekzd.exe

pid	process
2084	adqpuilnekzd.exe
2084	adqpuilnekzd.exe
2084	adqpuilnekzd.exe
2084	adqpuilnekzd.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

04670a7a3b1e740d9019aa3ca77e4cd37bb08ad3fc25abd150c8d0b70784b783.exeadqpuilnekzd.exe

description	pid	process	target process
PID 3188 wrote to memory of 2084	3188	04670a7a3b1e740d9019aa3ca77e4cd37bb08ad3fc25abd150c8d0b70784b783.exe	adqpuilnekzd.exe
PID 3188 wrote to memory of 2084	3188	04670a7a3b1e740d9019aa3ca77e4cd37bb08ad3fc25abd150c8d0b70784b783.exe	adqpuilnekzd.exe
PID 3188 wrote to memory of 2084	3188	04670a7a3b1e740d9019aa3ca77e4cd37bb08ad3fc25abd150c8d0b70784b783.exe	adqpuilnekzd.exe
PID 2084 wrote to memory of 4944	2084	adqpuilnekzd.exe	RegSvcs.exe
PID 2084 wrote to memory of 4944	2084	adqpuilnekzd.exe	RegSvcs.exe
PID 2084 wrote to memory of 4944	2084	adqpuilnekzd.exe	RegSvcs.exe
PID 2084 wrote to memory of 4944	2084	adqpuilnekzd.exe	RegSvcs.exe
PID 2084 wrote to memory of 4944	2084	adqpuilnekzd.exe	RegSvcs.exe
PID 2084 wrote to memory of 4944	2084	adqpuilnekzd.exe	RegSvcs.exe
PID 2084 wrote to memory of 4944	2084	adqpuilnekzd.exe	RegSvcs.exe
PID 2084 wrote to memory of 4944	2084	adqpuilnekzd.exe	RegSvcs.exe
PID 2084 wrote to memory of 4944	2084	adqpuilnekzd.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\04670a7a3b1e740d9019aa3ca77e4cd37bb08ad3fc25abd150c8d0b70784b783.exe
"C:\Users\Admin\AppData\Local\Temp\04670a7a3b1e740d9019aa3ca77e4cd37bb08ad3fc25abd150c8d0b70784b783.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3188

C:\Users\Admin\twqudvq84\adqpuilnekzd.exe
"C:\Users\Admin\twqudvq84\adqpuilnekzd.exe" kjlqavftrdkh
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2084

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
3⤵
- Drops file in Windows directory
PID:4944

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\TWQUDV~1\YABAZX~1.UIW
Filesize
81KB

MD5
fc1d46c26757b6c9814ea66696a2915f

SHA1
c2674cad0e17c2a1601d8bcd1518bd63636d8b55

SHA256
dfd5ed1c31876c5a029916eed49ad3d00e14b50baadc425f91c997f636d5c7f6

SHA512
15dc5b560ea68a18488a81d41728bc3338cf9be0d7b309d466c2918dbd8d9c2b308a3c996753fbff340ff5b2d6f0c815c8281b8fa3b93cd446ccdfb6864db870

Download Submit
C:\Users\Admin\TWQUDV~1\khficpndvn.FGT
Filesize
86B

MD5
f0fc2d3ab46d7b713255a0c05183e8be

SHA1
b7368f65a730ba46b277329a0f7c7b53ccfbcf7e

SHA256
b5673f6ec974623df0c1c01752cca07990bb8d70e6fa266ce8d4df2f58a18981

SHA512
bb08e1ad7cab500c86f5e23cae9f265181cde52deb2ddef8e995100a4fba9f28f46543e7663f3c15eba6a9a1f657bcafd9d0b8c9f5f21d65b6f55e6a135d1ee7

Download Submit
C:\Users\Admin\twqudvq84\adqpuilnekzd.exe
Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
C:\Users\Admin\twqudvq84\adqpuilnekzd.exe
Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
C:\Users\Admin\twqudvq84\kjlqavftrdkh
Filesize
306.2MB

MD5
06af97aad260c8aef09b2a60990347d1

SHA1
df53285455eacb91197cc06c709ae7f18a58eef9

SHA256
92073be508678b847ae690b6f5a96f378eb4525b9f04a36ae9bf003848909eae

SHA512
efd3c5f3b305f2923e6dec0cf312d754481cb65af7f685e353eba580acc38d8953a503decc72ab2032c8f8e1a69ea28b3ad3b89d9c5c9be2d249b8f8a72c4a53

Download Submit
memory/2084-132-0x0000000000000000-mapping.dmp

Download
memory/4944-139-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4944-138-0x0000000000000000-mapping.dmp

Download
memory/4944-141-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4944-142-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads