netwire | 01f2e272be7404ce5c9d13bb0afe224e9257477bff1be0bbaa8c51f1b270a904

General

Target

01f2e272be7404ce5c9d13bb0afe224e9257477bff1be0bbaa8c51f1b270a904.exe
Size

157KB
MD5

1b1ee2cddf6295c45045c5c19f64c97c
SHA1

999c3bec2e1c5c2c5f343343f3fdc882d466f2c7
SHA256

01f2e272be7404ce5c9d13bb0afe224e9257477bff1be0bbaa8c51f1b270a904
SHA512

e3c5172947ec8405f0d406036b9487695079722d25b1430c2cccbae1e7bb7818f72317e3e02bd967b6c4aad6be67da670e71160ff506b58a08fb0fb376e4548f
SSDEEP

3072:5xUH7LJ8EqJR4c5XEtVPUYMTQknntozSPBqJ/wWix3wq3dinkajFyV26:5xUH/J8FRXLM/wWix3wq3gDjFyV26

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Signatures

NetWire RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1744-70-0x0000000000400000-0x0000000000417000-memory.dmp	netwire
behavioral1/memory/1584-91-0x0000000000400000-0x0000000000417000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

winhst.exewinhst.exe

pid process

1088 winhst.exe
1584 winhst.exe

pid	process
1088	winhst.exe
1584	winhst.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

winhst.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0VH30DK4-78V0-W3AI-37S7-VWR010J7WQ53}\StubPath = "\"C:\\Users\\Admin\\AppData\\Roaming\\Install\\winhst.exe\""	winhst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0VH30DK4-78V0-W3AI-37S7-VWR010J7WQ53}	winhst.exe

Loads dropped DLL 1 IoCs

Processes:

01f2e272be7404ce5c9d13bb0afe224e9257477bff1be0bbaa8c51f1b270a904.exe

pid process

1744 01f2e272be7404ce5c9d13bb0afe224e9257477bff1be0bbaa8c51f1b270a904.exe

pid	process
1744	01f2e272be7404ce5c9d13bb0afe224e9257477bff1be0bbaa8c51f1b270a904.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

winhst.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	winhst.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\syhst1 = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\winhst.exe"	winhst.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

01f2e272be7404ce5c9d13bb0afe224e9257477bff1be0bbaa8c51f1b270a904.exewinhst.exe

description	pid	process	target process
PID 1636 set thread context of 1744	1636	01f2e272be7404ce5c9d13bb0afe224e9257477bff1be0bbaa8c51f1b270a904.exe	01f2e272be7404ce5c9d13bb0afe224e9257477bff1be0bbaa8c51f1b270a904.exe
PID 1088 set thread context of 1584	1088	winhst.exe	winhst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

01f2e272be7404ce5c9d13bb0afe224e9257477bff1be0bbaa8c51f1b270a904.exewinhst.exe

description	pid	process
Token: SeDebugPrivilege	1636	01f2e272be7404ce5c9d13bb0afe224e9257477bff1be0bbaa8c51f1b270a904.exe
Token: SeDebugPrivilege	1088	winhst.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

01f2e272be7404ce5c9d13bb0afe224e9257477bff1be0bbaa8c51f1b270a904.exe01f2e272be7404ce5c9d13bb0afe224e9257477bff1be0bbaa8c51f1b270a904.exewinhst.exe

description	pid	process	target process
PID 1636 wrote to memory of 1744	1636	01f2e272be7404ce5c9d13bb0afe224e9257477bff1be0bbaa8c51f1b270a904.exe	01f2e272be7404ce5c9d13bb0afe224e9257477bff1be0bbaa8c51f1b270a904.exe
PID 1636 wrote to memory of 1744	1636	01f2e272be7404ce5c9d13bb0afe224e9257477bff1be0bbaa8c51f1b270a904.exe	01f2e272be7404ce5c9d13bb0afe224e9257477bff1be0bbaa8c51f1b270a904.exe
PID 1636 wrote to memory of 1744	1636	01f2e272be7404ce5c9d13bb0afe224e9257477bff1be0bbaa8c51f1b270a904.exe	01f2e272be7404ce5c9d13bb0afe224e9257477bff1be0bbaa8c51f1b270a904.exe
PID 1636 wrote to memory of 1744	1636	01f2e272be7404ce5c9d13bb0afe224e9257477bff1be0bbaa8c51f1b270a904.exe	01f2e272be7404ce5c9d13bb0afe224e9257477bff1be0bbaa8c51f1b270a904.exe
PID 1636 wrote to memory of 1744	1636	01f2e272be7404ce5c9d13bb0afe224e9257477bff1be0bbaa8c51f1b270a904.exe	01f2e272be7404ce5c9d13bb0afe224e9257477bff1be0bbaa8c51f1b270a904.exe
PID 1636 wrote to memory of 1744	1636	01f2e272be7404ce5c9d13bb0afe224e9257477bff1be0bbaa8c51f1b270a904.exe	01f2e272be7404ce5c9d13bb0afe224e9257477bff1be0bbaa8c51f1b270a904.exe
PID 1636 wrote to memory of 1744	1636	01f2e272be7404ce5c9d13bb0afe224e9257477bff1be0bbaa8c51f1b270a904.exe	01f2e272be7404ce5c9d13bb0afe224e9257477bff1be0bbaa8c51f1b270a904.exe
PID 1636 wrote to memory of 1744	1636	01f2e272be7404ce5c9d13bb0afe224e9257477bff1be0bbaa8c51f1b270a904.exe	01f2e272be7404ce5c9d13bb0afe224e9257477bff1be0bbaa8c51f1b270a904.exe
PID 1636 wrote to memory of 1744	1636	01f2e272be7404ce5c9d13bb0afe224e9257477bff1be0bbaa8c51f1b270a904.exe	01f2e272be7404ce5c9d13bb0afe224e9257477bff1be0bbaa8c51f1b270a904.exe
PID 1744 wrote to memory of 1088	1744	01f2e272be7404ce5c9d13bb0afe224e9257477bff1be0bbaa8c51f1b270a904.exe	winhst.exe
PID 1744 wrote to memory of 1088	1744	01f2e272be7404ce5c9d13bb0afe224e9257477bff1be0bbaa8c51f1b270a904.exe	winhst.exe
PID 1744 wrote to memory of 1088	1744	01f2e272be7404ce5c9d13bb0afe224e9257477bff1be0bbaa8c51f1b270a904.exe	winhst.exe
PID 1744 wrote to memory of 1088	1744	01f2e272be7404ce5c9d13bb0afe224e9257477bff1be0bbaa8c51f1b270a904.exe	winhst.exe
PID 1088 wrote to memory of 1584	1088	winhst.exe	winhst.exe
PID 1088 wrote to memory of 1584	1088	winhst.exe	winhst.exe
PID 1088 wrote to memory of 1584	1088	winhst.exe	winhst.exe
PID 1088 wrote to memory of 1584	1088	winhst.exe	winhst.exe
PID 1088 wrote to memory of 1584	1088	winhst.exe	winhst.exe
PID 1088 wrote to memory of 1584	1088	winhst.exe	winhst.exe
PID 1088 wrote to memory of 1584	1088	winhst.exe	winhst.exe
PID 1088 wrote to memory of 1584	1088	winhst.exe	winhst.exe
PID 1088 wrote to memory of 1584	1088	winhst.exe	winhst.exe

C:\Users\Admin\AppData\Local\Temp\01f2e272be7404ce5c9d13bb0afe224e9257477bff1be0bbaa8c51f1b270a904.exe
"C:\Users\Admin\AppData\Local\Temp\01f2e272be7404ce5c9d13bb0afe224e9257477bff1be0bbaa8c51f1b270a904.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1636

C:\Users\Admin\AppData\Local\Temp\01f2e272be7404ce5c9d13bb0afe224e9257477bff1be0bbaa8c51f1b270a904.exe
"C:\Users\Admin\AppData\Local\Temp\01f2e272be7404ce5c9d13bb0afe224e9257477bff1be0bbaa8c51f1b270a904.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1744

C:\Users\Admin\AppData\Roaming\Install\winhst.exe
"C:\Users\Admin\AppData\Roaming\Install\winhst.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1088

C:\Users\Admin\AppData\Roaming\Install\winhst.exe
"C:\Users\Admin\AppData\Roaming\Install\winhst.exe"
4⤵
- Executes dropped EXE
- Modifies Installed Components in the registry
- Adds Run key to start application
PID:1584

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Install\winhst.exe
Filesize
157KB

MD5
1b1ee2cddf6295c45045c5c19f64c97c

SHA1
999c3bec2e1c5c2c5f343343f3fdc882d466f2c7

SHA256
01f2e272be7404ce5c9d13bb0afe224e9257477bff1be0bbaa8c51f1b270a904

SHA512
e3c5172947ec8405f0d406036b9487695079722d25b1430c2cccbae1e7bb7818f72317e3e02bd967b6c4aad6be67da670e71160ff506b58a08fb0fb376e4548f

Download Submit
C:\Users\Admin\AppData\Roaming\Install\winhst.exe
Filesize
157KB

MD5
1b1ee2cddf6295c45045c5c19f64c97c

SHA1
999c3bec2e1c5c2c5f343343f3fdc882d466f2c7

SHA256
01f2e272be7404ce5c9d13bb0afe224e9257477bff1be0bbaa8c51f1b270a904

SHA512
e3c5172947ec8405f0d406036b9487695079722d25b1430c2cccbae1e7bb7818f72317e3e02bd967b6c4aad6be67da670e71160ff506b58a08fb0fb376e4548f

Download Submit
C:\Users\Admin\AppData\Roaming\Install\winhst.exe
Filesize
157KB

MD5
1b1ee2cddf6295c45045c5c19f64c97c

SHA1
999c3bec2e1c5c2c5f343343f3fdc882d466f2c7

SHA256
01f2e272be7404ce5c9d13bb0afe224e9257477bff1be0bbaa8c51f1b270a904

SHA512
e3c5172947ec8405f0d406036b9487695079722d25b1430c2cccbae1e7bb7818f72317e3e02bd967b6c4aad6be67da670e71160ff506b58a08fb0fb376e4548f

Download Submit
\Users\Admin\AppData\Roaming\Install\winhst.exe
Filesize
157KB

MD5
1b1ee2cddf6295c45045c5c19f64c97c

SHA1
999c3bec2e1c5c2c5f343343f3fdc882d466f2c7

SHA256
01f2e272be7404ce5c9d13bb0afe224e9257477bff1be0bbaa8c51f1b270a904

SHA512
e3c5172947ec8405f0d406036b9487695079722d25b1430c2cccbae1e7bb7818f72317e3e02bd967b6c4aad6be67da670e71160ff506b58a08fb0fb376e4548f

Download Submit
memory/1088-88-0x0000000074340000-0x00000000748EB000-memory.dmp

Filesize
5.7MB

Download
memory/1088-72-0x0000000000000000-mapping.dmp

Download
memory/1088-76-0x0000000074340000-0x00000000748EB000-memory.dmp

Filesize
5.7MB

Download
memory/1584-91-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1584-85-0x0000000000401ED7-mapping.dmp

Download
memory/1584-90-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1636-67-0x00000000748F0000-0x0000000074E9B000-memory.dmp

Filesize
5.7MB

Download
memory/1636-54-0x00000000761F1000-0x00000000761F3000-memory.dmp

Filesize
8KB

Download
memory/1636-56-0x00000000748F0000-0x0000000074E9B000-memory.dmp

Filesize
5.7MB

Download
memory/1636-55-0x00000000748F0000-0x0000000074E9B000-memory.dmp

Filesize
5.7MB

Download
memory/1744-60-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1744-70-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1744-69-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1744-65-0x0000000000401ED7-mapping.dmp

Download
memory/1744-64-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1744-62-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1744-58-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1744-57-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads