netwire | 51a26615359fa83ea8687290e2141f753b6969e1905c5aa78bf2c1708904806c

General

Target

91bfa2445d998425c81f30d293235429ca6a8c6c8f326536478952a2a6754aac.exe
Size

420KB
MD5

1517814c4d44cc632abb52d2d6307f15
SHA1

9ee0404b76fe5bda2692f049bb9fc78e17240708
SHA256

91bfa2445d998425c81f30d293235429ca6a8c6c8f326536478952a2a6754aac
SHA512

34e0804548803b4ece092061dc287078f5853b9d73d7759b403fdc5bbc4141ddad2b146c06edf8dbaa5ce055c62e1106e91df05a7866402f47be6f28acddaf7a
SSDEEP

6144:QjbeiyDBJNEeHfZEW6GH5W288L5ABAYRb+m112Mppeaibjz90645wZUS+:Qu1PzgGH5W28oANn112tLOE+

Score

10^/10

netwire botnet persistence rat stealer upx

Malware Config

Extracted

Family

netwire

C2

qualitytrade12.hopto.org:3194

Attributes

activex_autorun
true
activex_key
{KEW5251T-4080-L0OG-0866-B1E0A86Y18A5}
copy_executable
true
delete_original
false
host_id
NEWCLIENT
install_path
%AppData%\Install\excel.exe
keylogger_dir
%AppData%\Logs\
lock_executable
true
mutex
RPlPfmOq
offline_keylogger
true
password
master45
registry_autorun
true
startup_name
Adobe
use_mutex
true

Signatures

NetWire RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4592-140-0x0000000000400000-0x0000000001080000-memory.dmp	netwire
behavioral2/memory/4592-144-0x0000000000400000-0x0000000001080000-memory.dmp	netwire
behavioral2/memory/4592-145-0x0000000000400000-0x0000000001080000-memory.dmp	netwire
behavioral2/memory/4592-148-0x0000000000400000-0x0000000000420000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

1.xyz1.xyz

pid process

5008 1.xyz
4592 1.xyz

pid	process
5008	1.xyz
4592	1.xyz

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz	upx
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz	upx
behavioral2/memory/5008-135-0x0000000000400000-0x0000000001400000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz	upx
behavioral2/memory/5008-149-0x0000000000400000-0x0000000001400000-memory.dmp	upx

Drops startup file 1 IoCs

Processes:

cmd.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs cmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

91bfa2445d998425c81f30d293235429ca6a8c6c8f326536478952a2a6754aac.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	91bfa2445d998425c81f30d293235429ca6a8c6c8f326536478952a2a6754aac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	91bfa2445d998425c81f30d293235429ca6a8c6c8f326536478952a2a6754aac.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1.xyz

description pid process target process

PID 5008 set thread context of 4592 5008 1.xyz 1.xyz
Drops file in Windows directory 1 IoCs

Processes:

mspaint.exe

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log mspaint.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4208 4592 WerFault.exe 1.xyz
2176 1408 WerFault.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

1.xyzmspaint.exe

pid process

5008 1.xyz
5008 1.xyz
1036 mspaint.exe
1036 mspaint.exe
Suspicious behavior: LoadsDriver 6 IoCs

Processes:

pid

4
4
4
4
4
640
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

1.xyzmspaint.exe

pid process

5008 1.xyz
5008 1.xyz
1036 mspaint.exe
1036 mspaint.exe
1036 mspaint.exe
1036 mspaint.exe

description	pid	process	target process
PID 5008 set thread context of 4592	5008	1.xyz	1.xyz

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

pid	pid_target	process	target process
4208	4592	WerFault.exe	1.xyz
2176	1408	WerFault.exe

pid	process
5008	1.xyz
5008	1.xyz
1036	mspaint.exe
1036	mspaint.exe

pid
4
4
4
4
4
640

pid	process
5008	1.xyz
5008	1.xyz
1036	mspaint.exe
1036	mspaint.exe
1036	mspaint.exe
1036	mspaint.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

91bfa2445d998425c81f30d293235429ca6a8c6c8f326536478952a2a6754aac.exe1.xyzcmd.exenet.exe

description	pid	process	target process
PID 4876 wrote to memory of 5008	4876	91bfa2445d998425c81f30d293235429ca6a8c6c8f326536478952a2a6754aac.exe	1.xyz
PID 4876 wrote to memory of 5008	4876	91bfa2445d998425c81f30d293235429ca6a8c6c8f326536478952a2a6754aac.exe	1.xyz
PID 4876 wrote to memory of 5008	4876	91bfa2445d998425c81f30d293235429ca6a8c6c8f326536478952a2a6754aac.exe	1.xyz
PID 5008 wrote to memory of 4280	5008	1.xyz	cmd.exe
PID 5008 wrote to memory of 4280	5008	1.xyz	cmd.exe
PID 5008 wrote to memory of 4280	5008	1.xyz	cmd.exe
PID 5008 wrote to memory of 4644	5008	1.xyz	cmd.exe
PID 5008 wrote to memory of 4644	5008	1.xyz	cmd.exe
PID 5008 wrote to memory of 4644	5008	1.xyz	cmd.exe
PID 5008 wrote to memory of 4592	5008	1.xyz	1.xyz
PID 5008 wrote to memory of 4592	5008	1.xyz	1.xyz
PID 5008 wrote to memory of 4592	5008	1.xyz	1.xyz
PID 5008 wrote to memory of 4592	5008	1.xyz	1.xyz
PID 5008 wrote to memory of 4592	5008	1.xyz	1.xyz
PID 5008 wrote to memory of 4592	5008	1.xyz	1.xyz
PID 5008 wrote to memory of 4592	5008	1.xyz	1.xyz
PID 5008 wrote to memory of 4592	5008	1.xyz	1.xyz
PID 5008 wrote to memory of 4592	5008	1.xyz	1.xyz
PID 5008 wrote to memory of 4592	5008	1.xyz	1.xyz
PID 5008 wrote to memory of 4592	5008	1.xyz	1.xyz
PID 5008 wrote to memory of 4592	5008	1.xyz	1.xyz
PID 5008 wrote to memory of 4592	5008	1.xyz	1.xyz
PID 5008 wrote to memory of 4592	5008	1.xyz	1.xyz
PID 4644 wrote to memory of 3128	4644	cmd.exe	net.exe
PID 4644 wrote to memory of 3128	4644	cmd.exe	net.exe
PID 4644 wrote to memory of 3128	4644	cmd.exe	net.exe
PID 3128 wrote to memory of 796	3128	net.exe	net1.exe
PID 3128 wrote to memory of 796	3128	net.exe	net1.exe
PID 3128 wrote to memory of 796	3128	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\91bfa2445d998425c81f30d293235429ca6a8c6c8f326536478952a2a6754aac.exe
"C:\Users\Admin\AppData\Local\Temp\91bfa2445d998425c81f30d293235429ca6a8c6c8f326536478952a2a6754aac.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4876

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
3⤵
- Drops startup file
PID:4280

C:\Windows\SysWOW64\cmd.exe
/c net stop MpsSvc
3⤵
- Suspicious use of WriteProcessMemory
PID:4644

C:\Windows\SysWOW64\net.exe
net stop MpsSvc
4⤵
- Suspicious use of WriteProcessMemory
PID:3128

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
3⤵
- Executes dropped EXE
PID:4592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 576
4⤵
- Program crash
PID:4208

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MpsSvc
1⤵
PID:796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4592 -ip 4592
1⤵
PID:60

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 544 -p 1408 -ip 1408
1⤵
PID:2724

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1408 -s 1744
1⤵
- Program crash
PID:2176

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\EditConnect.bmp"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1036

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:2836

C:\Windows\System32\fontview.exe
"C:\Windows\System32\fontview.exe" C:\Users\Admin\Desktop\UpdateAssert.fon
1⤵
PID:2256

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xy_
Filesize
132KB

MD5
4b28fc60df0738257092268a36fe321e

SHA1
f3440893908f4e59099664ce0abd323ada87e05c

SHA256
7b7170132465e0f87bf9a411324a07c27dd49268f4e9fd8f9d2b61e703b4bd29

SHA512
9335d367203da5d9cb452ca12eda00aa26ce451b0ed5d4fea3fbe1cee258b35b983ce96f25745855063fd35f065ed865cce9e9053c5bb29f1b97db6e31e5cb3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
Filesize
212KB

MD5
b2af3b332d92fc09b79c4bf85263fd22

SHA1
cbb3c3a4b17ba2888cfd0b96f59a5bc454d4ef32

SHA256
b9dd8dfdb9a3fd61b2acffe0018cdf99b02c97025ae0d41a7aac7c9d76647b58

SHA512
b6d7271b1b0e7285bff25b8edb0f31cc7076bbbf611a4bfa9a457463c38ba7d0f5694f89b18a5b26b0f793e76dc0a0e5279dbf4cf976a6b52787157523e17932

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
Filesize
212KB

MD5
b2af3b332d92fc09b79c4bf85263fd22

SHA1
cbb3c3a4b17ba2888cfd0b96f59a5bc454d4ef32

SHA256
b9dd8dfdb9a3fd61b2acffe0018cdf99b02c97025ae0d41a7aac7c9d76647b58

SHA512
b6d7271b1b0e7285bff25b8edb0f31cc7076bbbf611a4bfa9a457463c38ba7d0f5694f89b18a5b26b0f793e76dc0a0e5279dbf4cf976a6b52787157523e17932

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
Filesize
212KB

MD5
b2af3b332d92fc09b79c4bf85263fd22

SHA1
cbb3c3a4b17ba2888cfd0b96f59a5bc454d4ef32

SHA256
b9dd8dfdb9a3fd61b2acffe0018cdf99b02c97025ae0d41a7aac7c9d76647b58

SHA512
b6d7271b1b0e7285bff25b8edb0f31cc7076bbbf611a4bfa9a457463c38ba7d0f5694f89b18a5b26b0f793e76dc0a0e5279dbf4cf976a6b52787157523e17932

Download Submit
memory/796-147-0x0000000000000000-mapping.dmp

Download
memory/3128-146-0x0000000000000000-mapping.dmp

Download
memory/4280-137-0x0000000000000000-mapping.dmp

Download
memory/4592-139-0x0000000000000000-mapping.dmp

Download
memory/4592-140-0x0000000000400000-0x0000000001080000-memory.dmp

Filesize
12.5MB

Download
memory/4592-144-0x0000000000400000-0x0000000001080000-memory.dmp

Filesize
12.5MB

Download
memory/4592-145-0x0000000000400000-0x0000000001080000-memory.dmp

Filesize
12.5MB

Download
memory/4592-148-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4644-138-0x0000000000000000-mapping.dmp

Download
memory/5008-132-0x0000000000000000-mapping.dmp

Download
memory/5008-143-0x000000001A100000-0x000000001A105000-memory.dmp

Filesize
20KB

Download
memory/5008-135-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/5008-149-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads