netwire | 36b03b59bcc2eff7658e359576bd23f7f52b9237317addec566f6af09ec2054f

General

Target

36b03b59bcc2eff7658e359576bd23f7f52b9237317addec566f6af09ec2054f.exe
Size

468KB
MD5

3468e9349c0de79b3e5f926b8bb4974b
SHA1

0d02135533d8529d4971a01c97304fb6a5e093c2
SHA256

36b03b59bcc2eff7658e359576bd23f7f52b9237317addec566f6af09ec2054f
SHA512

11ff9e2dde64154dfc676fd2ddffafd1d83e91772f8d1de616402d51462db495db3e90644d076f61178dc1ed4bb7b0e3aaae65ca6c5c23b89b782a7e47878505
SSDEEP

3072:pB84GtuVJRTutkZYITusCSfjyQwnJtgi2OYPOnmT7UPt+lfEPHe1oVvMV1:I4GgVfuoNjyQ6Jt7QdTfdc

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Extracted

Family

netwire

C2

extensions14718.sytes.net:3324

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
lock_executable
false
mutex
pjtcCJSh
offline_keylogger
false
password
Password
registry_autorun
false
use_mutex
true

Signatures

NetWire RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3164-142-0x0000000000000000-mapping.dmp	netwire
behavioral2/memory/3164-143-0x0000000000400000-0x0000000000420000-memory.dmp	netwire
behavioral2/memory/3164-146-0x0000000000400000-0x0000000000420000-memory.dmp	netwire
behavioral2/memory/3164-147-0x0000000000400000-0x0000000000420000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

adobe.exeadobe.exe

pid process

2256 adobe.exe
3164 adobe.exe

pid	process
2256	adobe.exe
3164	adobe.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

36b03b59bcc2eff7658e359576bd23f7f52b9237317addec566f6af09ec2054f.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	36b03b59bcc2eff7658e359576bd23f7f52b9237317addec566f6af09ec2054f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	WScript.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Acrobat = "C:\\Users\\Admin\\AppData\\Local\\Temp\\subfolder\\adobe.vbs"	WScript.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

adobe.exe

description pid process target process

PID 2256 set thread context of 3164 2256 adobe.exe adobe.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 2256 set thread context of 3164	2256	adobe.exe	adobe.exe

Modifies registry class 1 IoCs

Processes:

36b03b59bcc2eff7658e359576bd23f7f52b9237317addec566f6af09ec2054f.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	36b03b59bcc2eff7658e359576bd23f7f52b9237317addec566f6af09ec2054f.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

36b03b59bcc2eff7658e359576bd23f7f52b9237317addec566f6af09ec2054f.exeadobe.exe

pid process

1112 36b03b59bcc2eff7658e359576bd23f7f52b9237317addec566f6af09ec2054f.exe
2256 adobe.exe

pid	process
1112	36b03b59bcc2eff7658e359576bd23f7f52b9237317addec566f6af09ec2054f.exe
2256	adobe.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

36b03b59bcc2eff7658e359576bd23f7f52b9237317addec566f6af09ec2054f.exeWScript.exeadobe.exe

description	pid	process	target process
PID 1112 wrote to memory of 2672	1112	36b03b59bcc2eff7658e359576bd23f7f52b9237317addec566f6af09ec2054f.exe	WScript.exe
PID 1112 wrote to memory of 2672	1112	36b03b59bcc2eff7658e359576bd23f7f52b9237317addec566f6af09ec2054f.exe	WScript.exe
PID 1112 wrote to memory of 2672	1112	36b03b59bcc2eff7658e359576bd23f7f52b9237317addec566f6af09ec2054f.exe	WScript.exe
PID 2672 wrote to memory of 2256	2672	WScript.exe	adobe.exe
PID 2672 wrote to memory of 2256	2672	WScript.exe	adobe.exe
PID 2672 wrote to memory of 2256	2672	WScript.exe	adobe.exe
PID 2256 wrote to memory of 3164	2256	adobe.exe	adobe.exe
PID 2256 wrote to memory of 3164	2256	adobe.exe	adobe.exe
PID 2256 wrote to memory of 3164	2256	adobe.exe	adobe.exe
PID 2256 wrote to memory of 3164	2256	adobe.exe	adobe.exe
PID 2256 wrote to memory of 3164	2256	adobe.exe	adobe.exe
PID 2256 wrote to memory of 3164	2256	adobe.exe	adobe.exe
PID 2256 wrote to memory of 3164	2256	adobe.exe	adobe.exe
PID 2256 wrote to memory of 3164	2256	adobe.exe	adobe.exe
PID 2256 wrote to memory of 3164	2256	adobe.exe	adobe.exe
PID 2256 wrote to memory of 3164	2256	adobe.exe	adobe.exe

C:\Users\Admin\AppData\Local\Temp\36b03b59bcc2eff7658e359576bd23f7f52b9237317addec566f6af09ec2054f.exe
"C:\Users\Admin\AppData\Local\Temp\36b03b59bcc2eff7658e359576bd23f7f52b9237317addec566f6af09ec2054f.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1112

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\subfolder\adobe.vbs"
2⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2672

C:\Users\Admin\AppData\Local\Temp\subfolder\adobe.exe
"C:\Users\Admin\AppData\Local\Temp\subfolder\adobe.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2256

C:\Users\Admin\AppData\Local\Temp\subfolder\adobe.exe
"C:\Users\Admin\AppData\Local\Temp\subfolder\adobe.exe"
4⤵
- Executes dropped EXE
PID:3164

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\subfolder\adobe.exe
Filesize
468KB

MD5
22e03070f57232c62d33a43f15790957

SHA1
4b2f5d80bb6b84778fc244b0d6a091eb4701749a

SHA256
68f84625ed99f05e2c84b67b30239855b9d2c1cc0a3aa26b0389bb23423571d6

SHA512
e8cc0787f2d19493fc9351d0928926aeedd1e76176fdf030d00b94d0aea35fcc145146704be5d0e62810f77635eafaac16a04c7eb989fb373447e35879468210

Download Submit
C:\Users\Admin\AppData\Local\Temp\subfolder\adobe.exe
Filesize
468KB

MD5
22e03070f57232c62d33a43f15790957

SHA1
4b2f5d80bb6b84778fc244b0d6a091eb4701749a

SHA256
68f84625ed99f05e2c84b67b30239855b9d2c1cc0a3aa26b0389bb23423571d6

SHA512
e8cc0787f2d19493fc9351d0928926aeedd1e76176fdf030d00b94d0aea35fcc145146704be5d0e62810f77635eafaac16a04c7eb989fb373447e35879468210

Download Submit
C:\Users\Admin\AppData\Local\Temp\subfolder\adobe.exe
Filesize
468KB

MD5
22e03070f57232c62d33a43f15790957

SHA1
4b2f5d80bb6b84778fc244b0d6a091eb4701749a

SHA256
68f84625ed99f05e2c84b67b30239855b9d2c1cc0a3aa26b0389bb23423571d6

SHA512
e8cc0787f2d19493fc9351d0928926aeedd1e76176fdf030d00b94d0aea35fcc145146704be5d0e62810f77635eafaac16a04c7eb989fb373447e35879468210

Download Submit
C:\Users\Admin\AppData\Local\Temp\subfolder\adobe.vbs
Filesize
1024B

MD5
a0e046dacee6d1108914629dc2e001bf

SHA1
aa32ade6bd44a0a364f8e708bd91c8f35679bfe2

SHA256
1b31c781bdbcbb14ec3d21536e89a000a95f451de6877d4e19dd9fe3c6e20e3c

SHA512
ee69de477f3fd47ea54c97f972f31248ccfa772bb4b80a194640935090b98a5205024cea8b63ff51f48f5ffb22f5b01efc79d1ce3e9802a5a47dd736849518d2

Download Submit
memory/1112-134-0x00000000022F0000-0x00000000022F7000-memory.dmp

Filesize
28KB

Download
memory/2256-138-0x0000000000000000-mapping.dmp

Download
memory/2672-135-0x0000000000000000-mapping.dmp

Download
memory/3164-142-0x0000000000000000-mapping.dmp

Download
memory/3164-143-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3164-146-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3164-147-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads