netwire | 8119fc6da4305f331fc904adfca9e221d26bd607a53e35dbeede7e379b051f20

Analysis

max time kernel
103s
max time network
49s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
30-11-2022 19:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8119fc6da4305f331fc904adfca9e221d26bd607a53e35dbeede7e379b051f20.exe
Size

620KB
MD5

126a93893a231d0d04d51c062ffacb24
SHA1

2dc7626161923496e1161321564649de8a505462
SHA256

8119fc6da4305f331fc904adfca9e221d26bd607a53e35dbeede7e379b051f20
SHA512

7ead5d82543478d48820429fa78a6b47c4b96f9a081d6599bc7f47208acc73dee20b97345f971b7298642fb4104d90eb8a660cbdc8f592449410cba459d46715
SSDEEP

6144:jIgLd7M38csN+OepKstohqNuPSzjRfXfqSicv2oJ04YIEr7rwdaJ:JNMJzpWhYvRfXiSicbJ0d7rco

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Extracted

Family

netwire

Wealthybond.ddns.me:39560

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
uElWAoFe
offline_keylogger
true
password
sucess
registry_autorun
false
use_mutex
true

Signatures

NetWire RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1608-127-0x0000000000400000-0x000000000049D000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

Elektroteknikkerne3.exeElektroteknikkerne3.exe

pid process

1168 Elektroteknikkerne3.exe
1608 Elektroteknikkerne3.exe

pid	process
1168	Elektroteknikkerne3.exe
1608	Elektroteknikkerne3.exe

Loads dropped DLL 3 IoCs

Processes:

8119fc6da4305f331fc904adfca9e221d26bd607a53e35dbeede7e379b051f20.exeElektroteknikkerne3.exe

pid	process
2004	8119fc6da4305f331fc904adfca9e221d26bd607a53e35dbeede7e379b051f20.exe
2004	8119fc6da4305f331fc904adfca9e221d26bd607a53e35dbeede7e379b051f20.exe
1168	Elektroteknikkerne3.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Elektroteknikkerne3.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	Elektroteknikkerne3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Fejdendes = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\Elektroteknikkerne3.vbs\""	Elektroteknikkerne3.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

8119fc6da4305f331fc904adfca9e221d26bd607a53e35dbeede7e379b051f20.exeElektroteknikkerne3.exe

description	pid	process	target process
PID 1764 set thread context of 2004	1764	8119fc6da4305f331fc904adfca9e221d26bd607a53e35dbeede7e379b051f20.exe	8119fc6da4305f331fc904adfca9e221d26bd607a53e35dbeede7e379b051f20.exe
PID 1168 set thread context of 1608	1168	Elektroteknikkerne3.exe	Elektroteknikkerne3.exe

Drops file in Windows directory 4 IoCs

Processes:

8119fc6da4305f331fc904adfca9e221d26bd607a53e35dbeede7e379b051f20.exe8119fc6da4305f331fc904adfca9e221d26bd607a53e35dbeede7e379b051f20.exeElektroteknikkerne3.exeElektroteknikkerne3.exe

description	ioc	process
File opened for modification	C:\Windows\win.ini	8119fc6da4305f331fc904adfca9e221d26bd607a53e35dbeede7e379b051f20.exe
File opened for modification	C:\Windows\win.ini	8119fc6da4305f331fc904adfca9e221d26bd607a53e35dbeede7e379b051f20.exe
File opened for modification	C:\Windows\win.ini	Elektroteknikkerne3.exe
File opened for modification	C:\Windows\win.ini	Elektroteknikkerne3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 8 IoCs

Processes:

8119fc6da4305f331fc904adfca9e221d26bd607a53e35dbeede7e379b051f20.exe8119fc6da4305f331fc904adfca9e221d26bd607a53e35dbeede7e379b051f20.exeElektroteknikkerne3.exeElektroteknikkerne3.exe

pid	process
1764	8119fc6da4305f331fc904adfca9e221d26bd607a53e35dbeede7e379b051f20.exe
1764	8119fc6da4305f331fc904adfca9e221d26bd607a53e35dbeede7e379b051f20.exe
2004	8119fc6da4305f331fc904adfca9e221d26bd607a53e35dbeede7e379b051f20.exe
2004	8119fc6da4305f331fc904adfca9e221d26bd607a53e35dbeede7e379b051f20.exe
1168	Elektroteknikkerne3.exe
1168	Elektroteknikkerne3.exe
1608	Elektroteknikkerne3.exe
1608	Elektroteknikkerne3.exe

Suspicious use of SendNotifyMessage 8 IoCs

Processes:

8119fc6da4305f331fc904adfca9e221d26bd607a53e35dbeede7e379b051f20.exe8119fc6da4305f331fc904adfca9e221d26bd607a53e35dbeede7e379b051f20.exeElektroteknikkerne3.exeElektroteknikkerne3.exe

pid	process
1764	8119fc6da4305f331fc904adfca9e221d26bd607a53e35dbeede7e379b051f20.exe
1764	8119fc6da4305f331fc904adfca9e221d26bd607a53e35dbeede7e379b051f20.exe
2004	8119fc6da4305f331fc904adfca9e221d26bd607a53e35dbeede7e379b051f20.exe
2004	8119fc6da4305f331fc904adfca9e221d26bd607a53e35dbeede7e379b051f20.exe
1168	Elektroteknikkerne3.exe
1168	Elektroteknikkerne3.exe
1608	Elektroteknikkerne3.exe
1608	Elektroteknikkerne3.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

8119fc6da4305f331fc904adfca9e221d26bd607a53e35dbeede7e379b051f20.exe8119fc6da4305f331fc904adfca9e221d26bd607a53e35dbeede7e379b051f20.exeElektroteknikkerne3.exeElektroteknikkerne3.exe

pid	process
1764	8119fc6da4305f331fc904adfca9e221d26bd607a53e35dbeede7e379b051f20.exe
2004	8119fc6da4305f331fc904adfca9e221d26bd607a53e35dbeede7e379b051f20.exe
1168	Elektroteknikkerne3.exe
1608	Elektroteknikkerne3.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

8119fc6da4305f331fc904adfca9e221d26bd607a53e35dbeede7e379b051f20.exe8119fc6da4305f331fc904adfca9e221d26bd607a53e35dbeede7e379b051f20.exeElektroteknikkerne3.exe

description	pid	process	target process
PID 1764 wrote to memory of 2004	1764	8119fc6da4305f331fc904adfca9e221d26bd607a53e35dbeede7e379b051f20.exe	8119fc6da4305f331fc904adfca9e221d26bd607a53e35dbeede7e379b051f20.exe
PID 1764 wrote to memory of 2004	1764	8119fc6da4305f331fc904adfca9e221d26bd607a53e35dbeede7e379b051f20.exe	8119fc6da4305f331fc904adfca9e221d26bd607a53e35dbeede7e379b051f20.exe
PID 1764 wrote to memory of 2004	1764	8119fc6da4305f331fc904adfca9e221d26bd607a53e35dbeede7e379b051f20.exe	8119fc6da4305f331fc904adfca9e221d26bd607a53e35dbeede7e379b051f20.exe
PID 1764 wrote to memory of 2004	1764	8119fc6da4305f331fc904adfca9e221d26bd607a53e35dbeede7e379b051f20.exe	8119fc6da4305f331fc904adfca9e221d26bd607a53e35dbeede7e379b051f20.exe
PID 2004 wrote to memory of 1168	2004	8119fc6da4305f331fc904adfca9e221d26bd607a53e35dbeede7e379b051f20.exe	Elektroteknikkerne3.exe
PID 2004 wrote to memory of 1168	2004	8119fc6da4305f331fc904adfca9e221d26bd607a53e35dbeede7e379b051f20.exe	Elektroteknikkerne3.exe
PID 2004 wrote to memory of 1168	2004	8119fc6da4305f331fc904adfca9e221d26bd607a53e35dbeede7e379b051f20.exe	Elektroteknikkerne3.exe
PID 2004 wrote to memory of 1168	2004	8119fc6da4305f331fc904adfca9e221d26bd607a53e35dbeede7e379b051f20.exe	Elektroteknikkerne3.exe
PID 1168 wrote to memory of 1608	1168	Elektroteknikkerne3.exe	Elektroteknikkerne3.exe
PID 1168 wrote to memory of 1608	1168	Elektroteknikkerne3.exe	Elektroteknikkerne3.exe
PID 1168 wrote to memory of 1608	1168	Elektroteknikkerne3.exe	Elektroteknikkerne3.exe
PID 1168 wrote to memory of 1608	1168	Elektroteknikkerne3.exe	Elektroteknikkerne3.exe

C:\Users\Admin\AppData\Local\Temp\8119fc6da4305f331fc904adfca9e221d26bd607a53e35dbeede7e379b051f20.exe
"C:\Users\Admin\AppData\Local\Temp\8119fc6da4305f331fc904adfca9e221d26bd607a53e35dbeede7e379b051f20.exe"
1⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1764

C:\Users\Admin\AppData\Local\Temp\8119fc6da4305f331fc904adfca9e221d26bd607a53e35dbeede7e379b051f20.exe
"C:\Users\Admin\AppData\Local\Temp\8119fc6da4305f331fc904adfca9e221d26bd607a53e35dbeede7e379b051f20.exe"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2004

C:\Users\Admin\AppData\Local\Temp\Elektroteknikkerne3.exe
"C:\Users\Admin\AppData\Local\Temp\Elektroteknikkerne3.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1168

C:\Users\Admin\AppData\Local\Temp\Elektroteknikkerne3.exe
"C:\Users\Admin\AppData\Local\Temp\Elektroteknikkerne3.exe"
4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1608

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Elektroteknikkerne3.exe
Filesize
620KB

MD5
c8b740d5083715048f6ec93a3fdc627c

SHA1
754919550bdd0d8c911e2a8f064a474d0cdeb457

SHA256
7cc46b7baca763d9a1ec051befb75e5d2e6e30aeffd76613d149e6ccb6f9e42b

SHA512
9ca26f1f9f716320792804152eda11c17f85f55fbb02fea7f074415d72c87795dbb34ecc3944042f1597c5c64b3da4c19f30c123d24d9ddee01c772f5d2d366e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Elektroteknikkerne3.exe
Filesize
620KB

MD5
c8b740d5083715048f6ec93a3fdc627c

SHA1
754919550bdd0d8c911e2a8f064a474d0cdeb457

SHA256
7cc46b7baca763d9a1ec051befb75e5d2e6e30aeffd76613d149e6ccb6f9e42b

SHA512
9ca26f1f9f716320792804152eda11c17f85f55fbb02fea7f074415d72c87795dbb34ecc3944042f1597c5c64b3da4c19f30c123d24d9ddee01c772f5d2d366e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Elektroteknikkerne3.exe
Filesize
620KB

MD5
c8b740d5083715048f6ec93a3fdc627c

SHA1
754919550bdd0d8c911e2a8f064a474d0cdeb457

SHA256
7cc46b7baca763d9a1ec051befb75e5d2e6e30aeffd76613d149e6ccb6f9e42b

SHA512
9ca26f1f9f716320792804152eda11c17f85f55fbb02fea7f074415d72c87795dbb34ecc3944042f1597c5c64b3da4c19f30c123d24d9ddee01c772f5d2d366e

Download Submit
C:\Windows\win.ini
Filesize
509B

MD5
d2a2412bddba16d60ec63bd9550d933f

SHA1
deb3d3bdc9055f0b4909b31d3048446848fae0e1

SHA256
79ff2254e38192be1626d05bec6c82e10c85e1cf91df7440c4c443380a1e877a

SHA512
8fecada107f72e59e43a689eeb8e2e18fa6134d0941c122025ed5bd00e5eab8114d7125bd289505be75641385a0c3f112d402c693f142c3ddc870d5fa8116e31

Download Submit
C:\Windows\win.ini
Filesize
509B

MD5
d2a2412bddba16d60ec63bd9550d933f

SHA1
deb3d3bdc9055f0b4909b31d3048446848fae0e1

SHA256
79ff2254e38192be1626d05bec6c82e10c85e1cf91df7440c4c443380a1e877a

SHA512
8fecada107f72e59e43a689eeb8e2e18fa6134d0941c122025ed5bd00e5eab8114d7125bd289505be75641385a0c3f112d402c693f142c3ddc870d5fa8116e31

Download Submit
C:\Windows\win.ini
Filesize
509B

MD5
d2a2412bddba16d60ec63bd9550d933f

SHA1
deb3d3bdc9055f0b4909b31d3048446848fae0e1

SHA256
79ff2254e38192be1626d05bec6c82e10c85e1cf91df7440c4c443380a1e877a

SHA512
8fecada107f72e59e43a689eeb8e2e18fa6134d0941c122025ed5bd00e5eab8114d7125bd289505be75641385a0c3f112d402c693f142c3ddc870d5fa8116e31

Download Submit
\Users\Admin\AppData\Local\Temp\Elektroteknikkerne3.exe
Filesize
620KB

MD5
c8b740d5083715048f6ec93a3fdc627c

SHA1
754919550bdd0d8c911e2a8f064a474d0cdeb457

SHA256
7cc46b7baca763d9a1ec051befb75e5d2e6e30aeffd76613d149e6ccb6f9e42b

SHA512
9ca26f1f9f716320792804152eda11c17f85f55fbb02fea7f074415d72c87795dbb34ecc3944042f1597c5c64b3da4c19f30c123d24d9ddee01c772f5d2d366e

Download Submit
\Users\Admin\AppData\Local\Temp\Elektroteknikkerne3.exe
Filesize
620KB

MD5
c8b740d5083715048f6ec93a3fdc627c

SHA1
754919550bdd0d8c911e2a8f064a474d0cdeb457

SHA256
7cc46b7baca763d9a1ec051befb75e5d2e6e30aeffd76613d149e6ccb6f9e42b

SHA512
9ca26f1f9f716320792804152eda11c17f85f55fbb02fea7f074415d72c87795dbb34ecc3944042f1597c5c64b3da4c19f30c123d24d9ddee01c772f5d2d366e

Download Submit
\Users\Admin\AppData\Local\Temp\Elektroteknikkerne3.exe
Filesize
620KB

MD5
c8b740d5083715048f6ec93a3fdc627c

SHA1
754919550bdd0d8c911e2a8f064a474d0cdeb457

SHA256
7cc46b7baca763d9a1ec051befb75e5d2e6e30aeffd76613d149e6ccb6f9e42b

SHA512
9ca26f1f9f716320792804152eda11c17f85f55fbb02fea7f074415d72c87795dbb34ecc3944042f1597c5c64b3da4c19f30c123d24d9ddee01c772f5d2d366e

Download Submit
memory/1168-113-0x0000000077880000-0x0000000077A00000-memory.dmp

Filesize
1.5MB

Download
memory/1168-117-0x0000000077880000-0x0000000077A00000-memory.dmp

Filesize
1.5MB

Download
memory/1168-126-0x0000000077880000-0x0000000077A00000-memory.dmp

Filesize
1.5MB

Download
memory/1168-124-0x0000000077880000-0x0000000077A00000-memory.dmp

Filesize
1.5MB

Download
memory/1168-123-0x0000000077880000-0x0000000077A00000-memory.dmp

Filesize
1.5MB

Download
memory/1168-122-0x0000000077880000-0x0000000077A00000-memory.dmp

Filesize
1.5MB

Download
memory/1168-121-0x0000000077880000-0x0000000077A00000-memory.dmp

Filesize
1.5MB

Download
memory/1168-120-0x0000000077880000-0x0000000077A00000-memory.dmp

Filesize
1.5MB

Download
memory/1168-119-0x0000000077880000-0x0000000077A00000-memory.dmp

Filesize
1.5MB

Download
memory/1168-118-0x0000000077880000-0x0000000077A00000-memory.dmp

Filesize
1.5MB

Download
memory/1168-116-0x0000000077880000-0x0000000077A00000-memory.dmp

Filesize
1.5MB

Download
memory/1168-115-0x0000000077880000-0x0000000077A00000-memory.dmp

Filesize
1.5MB

Download
memory/1168-114-0x0000000077880000-0x0000000077A00000-memory.dmp

Filesize
1.5MB

Download
memory/1168-112-0x0000000077880000-0x0000000077A00000-memory.dmp

Filesize
1.5MB

Download
memory/1168-111-0x0000000077880000-0x0000000077A00000-memory.dmp

Filesize
1.5MB

Download
memory/1168-110-0x0000000077880000-0x0000000077A00000-memory.dmp

Filesize
1.5MB

Download
memory/1168-85-0x0000000000000000-mapping.dmp

Download
memory/1168-109-0x0000000077880000-0x0000000077A00000-memory.dmp

Filesize
1.5MB

Download
memory/1168-108-0x0000000077880000-0x0000000077A00000-memory.dmp

Filesize
1.5MB

Download
memory/1168-107-0x0000000077880000-0x0000000077A00000-memory.dmp

Filesize
1.5MB

Download
memory/1168-106-0x0000000077880000-0x0000000077A00000-memory.dmp

Filesize
1.5MB

Download
memory/1168-105-0x0000000077880000-0x0000000077A00000-memory.dmp

Filesize
1.5MB

Download
memory/1168-104-0x0000000077880000-0x0000000077A00000-memory.dmp

Filesize
1.5MB

Download
memory/1168-103-0x0000000077880000-0x0000000077A00000-memory.dmp

Filesize
1.5MB

Download
memory/1168-102-0x0000000077880000-0x0000000077A00000-memory.dmp

Filesize
1.5MB

Download
memory/1168-100-0x0000000002690000-0x00000000027A0000-memory.dmp

Filesize
1.1MB

Download
memory/1168-101-0x00000000776A0000-0x0000000077849000-memory.dmp

Filesize
1.7MB

Download
memory/1608-127-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/1608-95-0x0000000000000000-mapping.dmp

Download
memory/1608-130-0x0000000002610000-0x0000000002720000-memory.dmp

Filesize
1.1MB

Download
memory/1608-129-0x00000000776A0000-0x0000000077849000-memory.dmp

Filesize
1.7MB

Download
memory/1608-128-0x0000000002610000-0x0000000002720000-memory.dmp

Filesize
1.1MB

Download
memory/1764-79-0x0000000077880000-0x0000000077A00000-memory.dmp

Filesize
1.5MB

Download
memory/1764-76-0x0000000077880000-0x0000000077A00000-memory.dmp

Filesize
1.5MB

Download
memory/1764-64-0x0000000077880000-0x0000000077A00000-memory.dmp

Filesize
1.5MB

Download
memory/1764-66-0x0000000077880000-0x0000000077A00000-memory.dmp

Filesize
1.5MB

Download
memory/1764-67-0x0000000077880000-0x0000000077A00000-memory.dmp

Filesize
1.5MB

Download
memory/1764-82-0x0000000077880000-0x0000000077A00000-memory.dmp

Filesize
1.5MB

Download
memory/1764-68-0x0000000077880000-0x0000000077A00000-memory.dmp

Filesize
1.5MB

Download
memory/1764-56-0x0000000075BA1000-0x0000000075BA3000-memory.dmp

Filesize
8KB

Download
memory/1764-80-0x0000000077880000-0x0000000077A00000-memory.dmp

Filesize
1.5MB

Download
memory/1764-61-0x0000000002600000-0x0000000002710000-memory.dmp

Filesize
1.1MB

Download
memory/1764-78-0x0000000077880000-0x0000000077A00000-memory.dmp

Filesize
1.5MB

Download
memory/1764-69-0x0000000077880000-0x0000000077A00000-memory.dmp

Filesize
1.5MB

Download
memory/1764-77-0x0000000077880000-0x0000000077A00000-memory.dmp

Filesize
1.5MB

Download
memory/1764-62-0x00000000776A0000-0x0000000077849000-memory.dmp

Filesize
1.7MB

Download
memory/1764-75-0x0000000077880000-0x0000000077A00000-memory.dmp

Filesize
1.5MB

Download
memory/1764-74-0x0000000077880000-0x0000000077A00000-memory.dmp

Filesize
1.5MB

Download
memory/1764-73-0x0000000077880000-0x0000000077A00000-memory.dmp

Filesize
1.5MB

Download
memory/1764-72-0x0000000077880000-0x0000000077A00000-memory.dmp

Filesize
1.5MB

Download
memory/1764-71-0x0000000077880000-0x0000000077A00000-memory.dmp

Filesize
1.5MB

Download
memory/1764-63-0x0000000077880000-0x0000000077A00000-memory.dmp

Filesize
1.5MB

Download
memory/1764-70-0x0000000077880000-0x0000000077A00000-memory.dmp

Filesize
1.5MB

Download
memory/1764-65-0x0000000077880000-0x0000000077A00000-memory.dmp

Filesize
1.5MB

Download
memory/2004-88-0x0000000077890000-0x0000000077966000-memory.dmp

Filesize
856KB

Download
memory/2004-57-0x0000000000000000-mapping.dmp

Download
memory/2004-86-0x00000000776A0000-0x0000000077849000-memory.dmp

Filesize
1.7MB

Download