netwire | 36b03b59bcc2eff7658e359576bd23f7f52b9237317addec566f6af09ec2054f

General

Target

36b03b59bcc2eff7658e359576bd23f7f52b9237317addec566f6af09ec2054f.exe
Size

468KB
MD5

3468e9349c0de79b3e5f926b8bb4974b
SHA1

0d02135533d8529d4971a01c97304fb6a5e093c2
SHA256

36b03b59bcc2eff7658e359576bd23f7f52b9237317addec566f6af09ec2054f
SHA512

11ff9e2dde64154dfc676fd2ddffafd1d83e91772f8d1de616402d51462db495db3e90644d076f61178dc1ed4bb7b0e3aaae65ca6c5c23b89b782a7e47878505
SSDEEP

3072:pB84GtuVJRTutkZYITusCSfjyQwnJtgi2OYPOnmT7UPt+lfEPHe1oVvMV1:I4GgVfuoNjyQ6Jt7QdTfdc

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Extracted

Family

netwire

C2

extensions14718.sytes.net:3324

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
lock_executable
false
mutex
pjtcCJSh
offline_keylogger
false
password
Password
registry_autorun
false
use_mutex
true

Signatures

NetWire RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/852-70-0x0000000000400000-0x0000000000420000-memory.dmp	netwire
behavioral1/memory/852-71-0x000000000040231A-mapping.dmp	netwire
behavioral1/memory/852-75-0x0000000000400000-0x0000000000420000-memory.dmp	netwire
behavioral1/memory/852-76-0x0000000000400000-0x0000000000420000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

adobe.exeadobe.exe

pid process

1348 adobe.exe
852 adobe.exe
Loads dropped DLL 3 IoCs

Processes:

WScript.exeadobe.exe

pid process

1744 WScript.exe
1744 WScript.exe
1348 adobe.exe

pid	process
1348	adobe.exe
852	adobe.exe

pid	process
1744	WScript.exe
1744	WScript.exe
1348	adobe.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Acrobat = "C:\\Users\\Admin\\AppData\\Local\\Temp\\subfolder\\adobe.vbs"	WScript.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

adobe.exe

description pid process target process

PID 1348 set thread context of 852 1348 adobe.exe adobe.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

36b03b59bcc2eff7658e359576bd23f7f52b9237317addec566f6af09ec2054f.exeadobe.exe

pid process

1280 36b03b59bcc2eff7658e359576bd23f7f52b9237317addec566f6af09ec2054f.exe
1348 adobe.exe

description	pid	process	target process
PID 1348 set thread context of 852	1348	adobe.exe	adobe.exe

pid	process
1280	36b03b59bcc2eff7658e359576bd23f7f52b9237317addec566f6af09ec2054f.exe
1348	adobe.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

36b03b59bcc2eff7658e359576bd23f7f52b9237317addec566f6af09ec2054f.exeWScript.exeadobe.exe

description	pid	process	target process
PID 1280 wrote to memory of 1744	1280	36b03b59bcc2eff7658e359576bd23f7f52b9237317addec566f6af09ec2054f.exe	WScript.exe
PID 1280 wrote to memory of 1744	1280	36b03b59bcc2eff7658e359576bd23f7f52b9237317addec566f6af09ec2054f.exe	WScript.exe
PID 1280 wrote to memory of 1744	1280	36b03b59bcc2eff7658e359576bd23f7f52b9237317addec566f6af09ec2054f.exe	WScript.exe
PID 1280 wrote to memory of 1744	1280	36b03b59bcc2eff7658e359576bd23f7f52b9237317addec566f6af09ec2054f.exe	WScript.exe
PID 1744 wrote to memory of 1348	1744	WScript.exe	adobe.exe
PID 1744 wrote to memory of 1348	1744	WScript.exe	adobe.exe
PID 1744 wrote to memory of 1348	1744	WScript.exe	adobe.exe
PID 1744 wrote to memory of 1348	1744	WScript.exe	adobe.exe
PID 1348 wrote to memory of 852	1348	adobe.exe	adobe.exe
PID 1348 wrote to memory of 852	1348	adobe.exe	adobe.exe
PID 1348 wrote to memory of 852	1348	adobe.exe	adobe.exe
PID 1348 wrote to memory of 852	1348	adobe.exe	adobe.exe
PID 1348 wrote to memory of 852	1348	adobe.exe	adobe.exe
PID 1348 wrote to memory of 852	1348	adobe.exe	adobe.exe
PID 1348 wrote to memory of 852	1348	adobe.exe	adobe.exe
PID 1348 wrote to memory of 852	1348	adobe.exe	adobe.exe
PID 1348 wrote to memory of 852	1348	adobe.exe	adobe.exe
PID 1348 wrote to memory of 852	1348	adobe.exe	adobe.exe
PID 1348 wrote to memory of 852	1348	adobe.exe	adobe.exe

C:\Users\Admin\AppData\Local\Temp\36b03b59bcc2eff7658e359576bd23f7f52b9237317addec566f6af09ec2054f.exe
"C:\Users\Admin\AppData\Local\Temp\36b03b59bcc2eff7658e359576bd23f7f52b9237317addec566f6af09ec2054f.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1280

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\subfolder\adobe.vbs"
2⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1744

C:\Users\Admin\AppData\Local\Temp\subfolder\adobe.exe
"C:\Users\Admin\AppData\Local\Temp\subfolder\adobe.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1348

C:\Users\Admin\AppData\Local\Temp\subfolder\adobe.exe
"C:\Users\Admin\AppData\Local\Temp\subfolder\adobe.exe"
4⤵
- Executes dropped EXE
PID:852

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\subfolder\adobe.exe
Filesize
468KB

MD5
22e03070f57232c62d33a43f15790957

SHA1
4b2f5d80bb6b84778fc244b0d6a091eb4701749a

SHA256
68f84625ed99f05e2c84b67b30239855b9d2c1cc0a3aa26b0389bb23423571d6

SHA512
e8cc0787f2d19493fc9351d0928926aeedd1e76176fdf030d00b94d0aea35fcc145146704be5d0e62810f77635eafaac16a04c7eb989fb373447e35879468210

Download Submit
C:\Users\Admin\AppData\Local\Temp\subfolder\adobe.exe
Filesize
468KB

MD5
22e03070f57232c62d33a43f15790957

SHA1
4b2f5d80bb6b84778fc244b0d6a091eb4701749a

SHA256
68f84625ed99f05e2c84b67b30239855b9d2c1cc0a3aa26b0389bb23423571d6

SHA512
e8cc0787f2d19493fc9351d0928926aeedd1e76176fdf030d00b94d0aea35fcc145146704be5d0e62810f77635eafaac16a04c7eb989fb373447e35879468210

Download Submit
C:\Users\Admin\AppData\Local\Temp\subfolder\adobe.exe
Filesize
468KB

MD5
22e03070f57232c62d33a43f15790957

SHA1
4b2f5d80bb6b84778fc244b0d6a091eb4701749a

SHA256
68f84625ed99f05e2c84b67b30239855b9d2c1cc0a3aa26b0389bb23423571d6

SHA512
e8cc0787f2d19493fc9351d0928926aeedd1e76176fdf030d00b94d0aea35fcc145146704be5d0e62810f77635eafaac16a04c7eb989fb373447e35879468210

Download Submit
C:\Users\Admin\AppData\Local\Temp\subfolder\adobe.vbs
Filesize
1024B

MD5
a0e046dacee6d1108914629dc2e001bf

SHA1
aa32ade6bd44a0a364f8e708bd91c8f35679bfe2

SHA256
1b31c781bdbcbb14ec3d21536e89a000a95f451de6877d4e19dd9fe3c6e20e3c

SHA512
ee69de477f3fd47ea54c97f972f31248ccfa772bb4b80a194640935090b98a5205024cea8b63ff51f48f5ffb22f5b01efc79d1ce3e9802a5a47dd736849518d2

Download Submit
\Users\Admin\AppData\Local\Temp\subfolder\adobe.exe
Filesize
468KB

MD5
22e03070f57232c62d33a43f15790957

SHA1
4b2f5d80bb6b84778fc244b0d6a091eb4701749a

SHA256
68f84625ed99f05e2c84b67b30239855b9d2c1cc0a3aa26b0389bb23423571d6

SHA512
e8cc0787f2d19493fc9351d0928926aeedd1e76176fdf030d00b94d0aea35fcc145146704be5d0e62810f77635eafaac16a04c7eb989fb373447e35879468210

Download Submit
\Users\Admin\AppData\Local\Temp\subfolder\adobe.exe
Filesize
468KB

MD5
22e03070f57232c62d33a43f15790957

SHA1
4b2f5d80bb6b84778fc244b0d6a091eb4701749a

SHA256
68f84625ed99f05e2c84b67b30239855b9d2c1cc0a3aa26b0389bb23423571d6

SHA512
e8cc0787f2d19493fc9351d0928926aeedd1e76176fdf030d00b94d0aea35fcc145146704be5d0e62810f77635eafaac16a04c7eb989fb373447e35879468210

Download Submit
\Users\Admin\AppData\Local\Temp\subfolder\adobe.exe
Filesize
468KB

MD5
22e03070f57232c62d33a43f15790957

SHA1
4b2f5d80bb6b84778fc244b0d6a091eb4701749a

SHA256
68f84625ed99f05e2c84b67b30239855b9d2c1cc0a3aa26b0389bb23423571d6

SHA512
e8cc0787f2d19493fc9351d0928926aeedd1e76176fdf030d00b94d0aea35fcc145146704be5d0e62810f77635eafaac16a04c7eb989fb373447e35879468210

Download Submit
memory/852-70-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/852-71-0x000000000040231A-mapping.dmp

Download
memory/852-75-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/852-76-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1280-56-0x0000000075811000-0x0000000075813000-memory.dmp

Filesize
8KB

Download
memory/1280-57-0x00000000003F0000-0x00000000003F7000-memory.dmp

Filesize
28KB

Download
memory/1348-64-0x0000000000000000-mapping.dmp

Download
memory/1744-58-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads