netwire | 5f5e8fca6ab9657c82efdc33fe9084c8bf1c3f71dff22879700d7b0a3ec87995

Analysis

max time kernel
150s
max time network
169s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
30-11-2022 15:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f5e8fca6ab9657c82efdc33fe9084c8bf1c3f71dff22879700d7b0a3ec87995.exe
Size

824KB
MD5

601eac781876bbe44d59f1cd2e6f38b0
SHA1

d4467be6a1db3962cf9287d27245ec7ae03641f3
SHA256

5f5e8fca6ab9657c82efdc33fe9084c8bf1c3f71dff22879700d7b0a3ec87995
SHA512

3b46e954a871852f9f124bebffeef9d46616e7f463fd54675fbf256f11853c056acb7fa1f291667bd528d899aeb0c271fa2a8397dd5ab66a20a620cda0804232
SSDEEP

24576:f2O/GlKzBmrxcuUoXJ4yzwmxhKbH3rUO46GnZp0:c+yCSwmxUT3ivZp0

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Extracted

Family

netwire

185.244.29.116:4066

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
Nov12345
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/888-142-0x0000000000000000-mapping.dmp	netwire
behavioral2/memory/888-143-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/888-147-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/888-149-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 3 IoCs

Processes:

fke.exefke.exeRegSvcs.exe

pid process

4596 fke.exe
3056 fke.exe
888 RegSvcs.exe

pid	process
4596	fke.exe
3056	fke.exe
888	RegSvcs.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5f5e8fca6ab9657c82efdc33fe9084c8bf1c3f71dff22879700d7b0a3ec87995.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	5f5e8fca6ab9657c82efdc33fe9084c8bf1c3f71dff22879700d7b0a3ec87995.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

fke.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	fke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\81913139\\fke.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\81913139\\LEL_VC~1"	fke.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

fke.exe

description pid process target process

PID 3056 set thread context of 888 3056 fke.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

fke.exe

pid process

4596 fke.exe
4596 fke.exe

description	pid	process	target process
PID 3056 set thread context of 888	3056	fke.exe	RegSvcs.exe

pid	process
4596	fke.exe
4596	fke.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

5f5e8fca6ab9657c82efdc33fe9084c8bf1c3f71dff22879700d7b0a3ec87995.exefke.exefke.exe

description	pid	process	target process
PID 988 wrote to memory of 4596	988	5f5e8fca6ab9657c82efdc33fe9084c8bf1c3f71dff22879700d7b0a3ec87995.exe	fke.exe
PID 988 wrote to memory of 4596	988	5f5e8fca6ab9657c82efdc33fe9084c8bf1c3f71dff22879700d7b0a3ec87995.exe	fke.exe
PID 988 wrote to memory of 4596	988	5f5e8fca6ab9657c82efdc33fe9084c8bf1c3f71dff22879700d7b0a3ec87995.exe	fke.exe
PID 4596 wrote to memory of 3056	4596	fke.exe	fke.exe
PID 4596 wrote to memory of 3056	4596	fke.exe	fke.exe
PID 4596 wrote to memory of 3056	4596	fke.exe	fke.exe
PID 3056 wrote to memory of 888	3056	fke.exe	RegSvcs.exe
PID 3056 wrote to memory of 888	3056	fke.exe	RegSvcs.exe
PID 3056 wrote to memory of 888	3056	fke.exe	RegSvcs.exe
PID 3056 wrote to memory of 888	3056	fke.exe	RegSvcs.exe
PID 3056 wrote to memory of 888	3056	fke.exe	RegSvcs.exe
PID 3056 wrote to memory of 888	3056	fke.exe	RegSvcs.exe
PID 3056 wrote to memory of 888	3056	fke.exe	RegSvcs.exe
PID 3056 wrote to memory of 888	3056	fke.exe	RegSvcs.exe
PID 3056 wrote to memory of 888	3056	fke.exe	RegSvcs.exe
PID 3056 wrote to memory of 888	3056	fke.exe	RegSvcs.exe
PID 3056 wrote to memory of 888	3056	fke.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\5f5e8fca6ab9657c82efdc33fe9084c8bf1c3f71dff22879700d7b0a3ec87995.exe
"C:\Users\Admin\AppData\Local\Temp\5f5e8fca6ab9657c82efdc33fe9084c8bf1c3f71dff22879700d7b0a3ec87995.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:988

C:\Users\Admin\AppData\Local\Temp\81913139\fke.exe
"C:\Users\Admin\AppData\Local\Temp\81913139\fke.exe" lel=vcc
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4596

C:\Users\Admin\AppData\Local\Temp\81913139\fke.exe
C:\Users\Admin\AppData\Local\Temp\81913139\fke.exe C:\Users\Admin\AppData\Local\Temp\81913139\YEHKG
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3056

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
4⤵
- Executes dropped EXE
PID:888

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81913139\BorderConstants.docx
Filesize
133B

MD5
88e49f064d3a64a665d1aacec00412f4

SHA1
452ed82da9ba84aeab1a769234c44322106dda43

SHA256
ff35a9dec7311443eb46f398c4a1ae5b7e1e0d461783e07cec082384bf17958b

SHA512
953019ebe9f69e5e1c2468b364c373059f5ee0b738e22a20d5e77fc17882679622eca9cd5c040b04a5183e192cbe39898d89ec712bc8b3ddc0f1fddcab517cf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\81913139\TreeViewConstants.mp4
Filesize
36B

MD5
ca93714441a8d3ef16a7774a3298074c

SHA1
5140b2d0a3a2c36f9ec413cad1ae614fc56d977d

SHA256
9afbd1a569a66aaea4429582a0e9f795ccaec874c9a98b75de620b825db1eba7

SHA512
425e85387f51334eca6f997b041c49ffb1977f19a87704a6336ec2c3350418e9f64158f0f4e495b21ec06a46d6e3381a38071e525f4c5332c0ac0714db02afa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\81913139\YEHKG
Filesize
87KB

MD5
f619d1c321f994280318e4899808f579

SHA1
966c6c06a68c53bb21cebd289cc50de7e88dfd7b

SHA256
f933a5a03de01e9a488c4cb71285bee17baba1a0684d08ce49094ae01cfd2c96

SHA512
8aa70b965fc37292aba22e452dca20291cde7ca71cf791214bbc534da8f003fd282ab50c7ffba7c3a631bdb2358a1948a2de65ae31bca36405415e18b7d6a75b

Download Submit
C:\Users\Admin\AppData\Local\Temp\81913139\fke.exe
Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\81913139\fke.exe
Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\81913139\fke.exe
Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\81913139\fxl.xl
Filesize
491KB

MD5
462f4d1de916f644cdb5ea29c8c51f8f

SHA1
7ac2072c4e3d9ad0b8d2336dd3c52eb48ff93a00

SHA256
02b3a0ccc1716ca0d5be2dff72e715f80bff2fbb11784bdf44449746bb37884b

SHA512
b63dca754b19c080825e55a76e46d753f0207595e3a0c20aace55b86e63c1501002ca3ee78c3c9c2821c6b7b8f0eb570acb1ea4d65a73d203f1229a7edbd175c

Download Submit
C:\Users\Admin\AppData\Local\Temp\81913139\lel=vcc
Filesize
303KB

MD5
b9dd6356f3e9b1281d047ab42650944a

SHA1
15765fee1d0ba347e13037bdac59e7a684ba2be8

SHA256
46df4ccddef86332d56ae5cac26dccac4fc3fb84cbc8a9d297dbacf79af04ce7

SHA512
cdde822cfa1d736409d23b374932adc3bbbe02a060ba9496d8f97b3a7027e19a0f714d138dcea2594a95d1884325f3fae228c598520173ccc3d5843a8b29c956

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
Filesize
44KB

MD5
9d352bc46709f0cb5ec974633a0c3c94

SHA1
1969771b2f022f9a86d77ac4d4d239becdf08d07

SHA256
2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

SHA512
13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
Filesize
44KB

MD5
9d352bc46709f0cb5ec974633a0c3c94

SHA1
1969771b2f022f9a86d77ac4d4d239becdf08d07

SHA256
2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

SHA512
13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

Download Submit
memory/888-142-0x0000000000000000-mapping.dmp

Download
memory/888-143-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/888-147-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/888-149-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3056-139-0x0000000000000000-mapping.dmp

Download
memory/4596-132-0x0000000000000000-mapping.dmp

Download