netwire | de1dca28f32c8367c84d51ae14b26c4432f91e0845dc0db65fdb4ccb7eefbcb0

General

Target

GBO -590 ORDER.exe
Size

833KB
MD5

1a9ce8f81c2b5e3dbd4de1681975f1e1
SHA1

1e5ec9bf8bb045caa2c9e1090444d8b5a07fa19b
SHA256

de1dca28f32c8367c84d51ae14b26c4432f91e0845dc0db65fdb4ccb7eefbcb0
SHA512

5aa435dbee766fe7395cb58f5e3ff1f2795b9348e7f7706e494e1a848715132ef99ad77aaef9b8c5f0408a37e34651d37ea75674576a37b61e5336f89dea7fe5
SSDEEP

12288:yf0bR6AbG9g+ULV7/yCabiYgONmRyUVzgMl79f7y7m:o0bVa9ALFy5eOERyUWq7NyK

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

C2

212.193.30.230:7324

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
install_path
%AppData%\Install\Host.exe
lock_executable
false
offline_keylogger
false
password
Password123
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 8 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4900-143-0x0000000000400000-0x000000000044F000-memory.dmp	netwire
behavioral2/memory/4900-144-0x0000000000400000-0x000000000044F000-memory.dmp	netwire
behavioral2/memory/4900-145-0x0000000000400000-0x000000000044F000-memory.dmp	netwire
behavioral2/memory/4900-151-0x0000000000400000-0x000000000044F000-memory.dmp	netwire
behavioral2/memory/1640-171-0x0000000000400000-0x000000000044F000-memory.dmp	netwire
behavioral2/memory/1640-172-0x0000000000400000-0x000000000044F000-memory.dmp	netwire
behavioral2/memory/1640-174-0x0000000000400000-0x000000000044F000-memory.dmp	netwire
behavioral2/memory/1640-176-0x0000000000400000-0x000000000044F000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

Host.exeHost.exe

pid process

2260 Host.exe
1640 Host.exe

pid	process
2260	Host.exe
1640	Host.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

GBO -590 ORDER.exeGBO -590 ORDER.exeHost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	GBO -590 ORDER.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	GBO -590 ORDER.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	Host.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

GBO -590 ORDER.exeHost.exe

description	pid	process	target process
PID 1712 set thread context of 4900	1712	GBO -590 ORDER.exe	GBO -590 ORDER.exe
PID 2260 set thread context of 1640	2260	Host.exe	Host.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1884 schtasks.exe
4860 schtasks.exe

pid	process
1884	schtasks.exe
4860	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

GBO -590 ORDER.exepowershell.exeHost.exepowershell.exe

pid	process
1712	GBO -590 ORDER.exe
1712	GBO -590 ORDER.exe
3568	powershell.exe
3568	powershell.exe
2260	Host.exe
4872	powershell.exe
2260	Host.exe
4872	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

GBO -590 ORDER.exepowershell.exeHost.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1712	GBO -590 ORDER.exe
Token: SeDebugPrivilege	3568	powershell.exe
Token: SeDebugPrivilege	2260	Host.exe
Token: SeDebugPrivilege	4872	powershell.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

GBO -590 ORDER.exeGBO -590 ORDER.exeHost.exe

description	pid	process	target process
PID 1712 wrote to memory of 3568	1712	GBO -590 ORDER.exe	powershell.exe
PID 1712 wrote to memory of 3568	1712	GBO -590 ORDER.exe	powershell.exe
PID 1712 wrote to memory of 3568	1712	GBO -590 ORDER.exe	powershell.exe
PID 1712 wrote to memory of 1884	1712	GBO -590 ORDER.exe	schtasks.exe
PID 1712 wrote to memory of 1884	1712	GBO -590 ORDER.exe	schtasks.exe
PID 1712 wrote to memory of 1884	1712	GBO -590 ORDER.exe	schtasks.exe
PID 1712 wrote to memory of 4900	1712	GBO -590 ORDER.exe	GBO -590 ORDER.exe
PID 1712 wrote to memory of 4900	1712	GBO -590 ORDER.exe	GBO -590 ORDER.exe
PID 1712 wrote to memory of 4900	1712	GBO -590 ORDER.exe	GBO -590 ORDER.exe
PID 1712 wrote to memory of 4900	1712	GBO -590 ORDER.exe	GBO -590 ORDER.exe
PID 1712 wrote to memory of 4900	1712	GBO -590 ORDER.exe	GBO -590 ORDER.exe
PID 1712 wrote to memory of 4900	1712	GBO -590 ORDER.exe	GBO -590 ORDER.exe
PID 1712 wrote to memory of 4900	1712	GBO -590 ORDER.exe	GBO -590 ORDER.exe
PID 1712 wrote to memory of 4900	1712	GBO -590 ORDER.exe	GBO -590 ORDER.exe
PID 1712 wrote to memory of 4900	1712	GBO -590 ORDER.exe	GBO -590 ORDER.exe
PID 1712 wrote to memory of 4900	1712	GBO -590 ORDER.exe	GBO -590 ORDER.exe
PID 4900 wrote to memory of 2260	4900	GBO -590 ORDER.exe	Host.exe
PID 4900 wrote to memory of 2260	4900	GBO -590 ORDER.exe	Host.exe
PID 4900 wrote to memory of 2260	4900	GBO -590 ORDER.exe	Host.exe
PID 2260 wrote to memory of 4872	2260	Host.exe	powershell.exe
PID 2260 wrote to memory of 4872	2260	Host.exe	powershell.exe
PID 2260 wrote to memory of 4872	2260	Host.exe	powershell.exe
PID 2260 wrote to memory of 4860	2260	Host.exe	schtasks.exe
PID 2260 wrote to memory of 4860	2260	Host.exe	schtasks.exe
PID 2260 wrote to memory of 4860	2260	Host.exe	schtasks.exe
PID 2260 wrote to memory of 1640	2260	Host.exe	Host.exe
PID 2260 wrote to memory of 1640	2260	Host.exe	Host.exe
PID 2260 wrote to memory of 1640	2260	Host.exe	Host.exe
PID 2260 wrote to memory of 1640	2260	Host.exe	Host.exe
PID 2260 wrote to memory of 1640	2260	Host.exe	Host.exe
PID 2260 wrote to memory of 1640	2260	Host.exe	Host.exe
PID 2260 wrote to memory of 1640	2260	Host.exe	Host.exe
PID 2260 wrote to memory of 1640	2260	Host.exe	Host.exe
PID 2260 wrote to memory of 1640	2260	Host.exe	Host.exe
PID 2260 wrote to memory of 1640	2260	Host.exe	Host.exe

C:\Users\Admin\AppData\Local\Temp\GBO -590 ORDER.exe
"C:\Users\Admin\AppData\Local\Temp\GBO -590 ORDER.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1712

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\QmkdACHcaWibL.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3568

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QmkdACHcaWibL" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1CFE.tmp"
2⤵
- Creates scheduled task(s)
PID:1884

C:\Users\Admin\AppData\Local\Temp\GBO -590 ORDER.exe
"C:\Users\Admin\AppData\Local\Temp\GBO -590 ORDER.exe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4900

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2260

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\QmkdACHcaWibL.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4872

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QmkdACHcaWibL" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB779.tmp"
4⤵
- Creates scheduled task(s)
PID:4860

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
4⤵
- Executes dropped EXE
PID:1640

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
e773483042d3da243aeb37a66238eb3f

SHA1
7b7f4dfd38845293ff5fcf504cef394a7c069e6c

SHA256
bda8b41d071dd145781174e794fcb66c97a303a474bfbf731ba29c5437f0b3b3

SHA512
922cee798755d426aa9aecb75d568c33d88b7386ee14f3bfe5c733272c3ce91aa0676aed710c3a9d929854d8bf79019f5515faab196bd9101eb3133fa326c80c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1CFE.tmp
Filesize
1KB

MD5
538768614921b35cb63d70a30467795f

SHA1
236478a05de3c84e467b37bca1c6369863932827

SHA256
43758859ac47f4809acdb0407b7c80df85e7d532401d2bf42bf2590f768226f8

SHA512
580b18dd8f0e502db1d8c364ff118f85300f7ae40b5152842f667d82477c7d5eb6558f30549f3f640bcac4dad89493992cc86af617d145780c2c3ab20ffccece

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB779.tmp
Filesize
1KB

MD5
538768614921b35cb63d70a30467795f

SHA1
236478a05de3c84e467b37bca1c6369863932827

SHA256
43758859ac47f4809acdb0407b7c80df85e7d532401d2bf42bf2590f768226f8

SHA512
580b18dd8f0e502db1d8c364ff118f85300f7ae40b5152842f667d82477c7d5eb6558f30549f3f640bcac4dad89493992cc86af617d145780c2c3ab20ffccece

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
833KB

MD5
1a9ce8f81c2b5e3dbd4de1681975f1e1

SHA1
1e5ec9bf8bb045caa2c9e1090444d8b5a07fa19b

SHA256
de1dca28f32c8367c84d51ae14b26c4432f91e0845dc0db65fdb4ccb7eefbcb0

SHA512
5aa435dbee766fe7395cb58f5e3ff1f2795b9348e7f7706e494e1a848715132ef99ad77aaef9b8c5f0408a37e34651d37ea75674576a37b61e5336f89dea7fe5

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
833KB

MD5
1a9ce8f81c2b5e3dbd4de1681975f1e1

SHA1
1e5ec9bf8bb045caa2c9e1090444d8b5a07fa19b

SHA256
de1dca28f32c8367c84d51ae14b26c4432f91e0845dc0db65fdb4ccb7eefbcb0

SHA512
5aa435dbee766fe7395cb58f5e3ff1f2795b9348e7f7706e494e1a848715132ef99ad77aaef9b8c5f0408a37e34651d37ea75674576a37b61e5336f89dea7fe5

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
833KB

MD5
1a9ce8f81c2b5e3dbd4de1681975f1e1

SHA1
1e5ec9bf8bb045caa2c9e1090444d8b5a07fa19b

SHA256
de1dca28f32c8367c84d51ae14b26c4432f91e0845dc0db65fdb4ccb7eefbcb0

SHA512
5aa435dbee766fe7395cb58f5e3ff1f2795b9348e7f7706e494e1a848715132ef99ad77aaef9b8c5f0408a37e34651d37ea75674576a37b61e5336f89dea7fe5

Download Submit
memory/1640-171-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1640-168-0x0000000000000000-mapping.dmp

Download
memory/1640-176-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1640-174-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1640-172-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1712-134-0x0000000004BC0000-0x0000000004C52000-memory.dmp

Filesize
584KB

Download
memory/1712-133-0x00000000050D0000-0x0000000005674000-memory.dmp

Filesize
5.6MB

Download
memory/1712-132-0x0000000000110000-0x00000000001E6000-memory.dmp

Filesize
856KB

Download
memory/1712-135-0x0000000004B90000-0x0000000004B9A000-memory.dmp

Filesize
40KB

Download
memory/1712-136-0x0000000008750000-0x00000000087EC000-memory.dmp

Filesize
624KB

Download
memory/1884-138-0x0000000000000000-mapping.dmp

Download
memory/2260-149-0x0000000000000000-mapping.dmp

Download
memory/3568-141-0x0000000004EA0000-0x00000000054C8000-memory.dmp

Filesize
6.2MB

Download
memory/3568-148-0x0000000005720000-0x0000000005786000-memory.dmp

Filesize
408KB

Download
memory/3568-153-0x0000000005D30000-0x0000000005D4E000-memory.dmp

Filesize
120KB

Download
memory/3568-154-0x0000000006F00000-0x0000000006F32000-memory.dmp

Filesize
200KB

Download
memory/3568-155-0x0000000070E70000-0x0000000070EBC000-memory.dmp

Filesize
304KB

Download
memory/3568-156-0x0000000006300000-0x000000000631E000-memory.dmp

Filesize
120KB

Download
memory/3568-157-0x0000000007680000-0x0000000007CFA000-memory.dmp

Filesize
6.5MB

Download
memory/3568-158-0x0000000007040000-0x000000000705A000-memory.dmp

Filesize
104KB

Download
memory/3568-159-0x00000000070B0000-0x00000000070BA000-memory.dmp

Filesize
40KB

Download
memory/3568-160-0x00000000072C0000-0x0000000007356000-memory.dmp

Filesize
600KB

Download
memory/3568-161-0x0000000007270000-0x000000000727E000-memory.dmp

Filesize
56KB

Download
memory/3568-162-0x0000000007380000-0x000000000739A000-memory.dmp

Filesize
104KB

Download
memory/3568-163-0x0000000007360000-0x0000000007368000-memory.dmp

Filesize
32KB

Download
memory/3568-147-0x0000000005640000-0x00000000056A6000-memory.dmp

Filesize
408KB

Download
memory/3568-146-0x0000000004E70000-0x0000000004E92000-memory.dmp

Filesize
136KB

Download
memory/3568-139-0x00000000047B0000-0x00000000047E6000-memory.dmp

Filesize
216KB

Download
memory/3568-137-0x0000000000000000-mapping.dmp

Download
memory/4860-165-0x0000000000000000-mapping.dmp

Download
memory/4872-164-0x0000000000000000-mapping.dmp

Download
memory/4872-175-0x00000000713F0000-0x000000007143C000-memory.dmp

Filesize
304KB

Download
memory/4900-151-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4900-145-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4900-144-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4900-143-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4900-142-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads