netwire | 467ef57122a909dadc6824af7c479e429cbd53428edece7472eec5993c2568d6

Analysis

max time kernel
140s
max time network
147s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
16-01-2023 14:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

467ef57122a909dadc6824af7c479e429cbd53428edece7472eec5993c2568d6.exe
Size

750KB
MD5

278373101cd2d204770e3c8a364eab7f
SHA1

4f693009a539fa5179ac1d0e9c52e9f9f87c8032
SHA256

467ef57122a909dadc6824af7c479e429cbd53428edece7472eec5993c2568d6
SHA512

a9cfe1ce7ca9e10c78c2aaff8175a24567a378ebd0f45802ad63bd590c3b23b1d59be8cd35a32d5bba334dacdc93accba9169c00110a922cc705889963cd101d
SSDEEP

12288:YYzfWMiSSSSSSSSSSSSSSSS8SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSh:YYr7iSSSSSSSSSSSSSSSS8SSSSSSSSS5

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Extracted

Family

netwire

oneness.duckdns.org:3368

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
INFLOWS
lock_executable
false
offline_keylogger
false
password
Shedyville
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/4640-261-0x0000000000400000-0x000000000044F000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

aetzw.exeaetzw.exe

pid process

3524 aetzw.exe
4640 aetzw.exe

pid	process
3524	aetzw.exe
4640	aetzw.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

aetzw.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows\CurrentVersion\Run\abjewyslgnygb = "C:\\Users\\Admin\\AppData\\Roaming\\utrvljomikp\\hfifqoxdy.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\aetzw.exe\" C:\\Users\\Admin\\AppData\\Loc㥡"	aetzw.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

aetzw.exe

description pid process target process

PID 3524 set thread context of 4640 3524 aetzw.exe aetzw.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

aetzw.exe

pid process

3524 aetzw.exe

description	pid	process	target process
PID 3524 set thread context of 4640	3524	aetzw.exe	aetzw.exe

pid	process
3524	aetzw.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

467ef57122a909dadc6824af7c479e429cbd53428edece7472eec5993c2568d6.exeaetzw.exe

description	pid	process	target process
PID 5112 wrote to memory of 3524	5112	467ef57122a909dadc6824af7c479e429cbd53428edece7472eec5993c2568d6.exe	aetzw.exe
PID 5112 wrote to memory of 3524	5112	467ef57122a909dadc6824af7c479e429cbd53428edece7472eec5993c2568d6.exe	aetzw.exe
PID 5112 wrote to memory of 3524	5112	467ef57122a909dadc6824af7c479e429cbd53428edece7472eec5993c2568d6.exe	aetzw.exe
PID 3524 wrote to memory of 4640	3524	aetzw.exe	aetzw.exe
PID 3524 wrote to memory of 4640	3524	aetzw.exe	aetzw.exe
PID 3524 wrote to memory of 4640	3524	aetzw.exe	aetzw.exe
PID 3524 wrote to memory of 4640	3524	aetzw.exe	aetzw.exe

C:\Users\Admin\AppData\Local\Temp\467ef57122a909dadc6824af7c479e429cbd53428edece7472eec5993c2568d6.exe
"C:\Users\Admin\AppData\Local\Temp\467ef57122a909dadc6824af7c479e429cbd53428edece7472eec5993c2568d6.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5112

C:\Users\Admin\AppData\Local\Temp\aetzw.exe
"C:\Users\Admin\AppData\Local\Temp\aetzw.exe" C:\Users\Admin\AppData\Local\Temp\smxytwf.qx
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3524

C:\Users\Admin\AppData\Local\Temp\aetzw.exe
"C:\Users\Admin\AppData\Local\Temp\aetzw.exe"
3⤵
- Executes dropped EXE
PID:4640

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aetzw.exe
Filesize
53KB

MD5
508c44cc4fe0cbc09ea9910c18d0cd2a

SHA1
e0339a970aef3f4e7806d06a35816eb6c9fcee4d

SHA256
5e12027a35d653b17c3e9ad814cca0e8bbd7d68db0fd11b4a98cdf7d1b9a61ac

SHA512
6962e6239f8afbe7255a56c820435467ad74079882e28fe6d460d93cc2307b8c3fb722000c867c6020a50f01f0599444a54322ad44161d91adb4b055833e9d55

Download Submit
C:\Users\Admin\AppData\Local\Temp\aetzw.exe
Filesize
53KB

MD5
508c44cc4fe0cbc09ea9910c18d0cd2a

SHA1
e0339a970aef3f4e7806d06a35816eb6c9fcee4d

SHA256
5e12027a35d653b17c3e9ad814cca0e8bbd7d68db0fd11b4a98cdf7d1b9a61ac

SHA512
6962e6239f8afbe7255a56c820435467ad74079882e28fe6d460d93cc2307b8c3fb722000c867c6020a50f01f0599444a54322ad44161d91adb4b055833e9d55

Download Submit
C:\Users\Admin\AppData\Local\Temp\aetzw.exe
Filesize
53KB

MD5
508c44cc4fe0cbc09ea9910c18d0cd2a

SHA1
e0339a970aef3f4e7806d06a35816eb6c9fcee4d

SHA256
5e12027a35d653b17c3e9ad814cca0e8bbd7d68db0fd11b4a98cdf7d1b9a61ac

SHA512
6962e6239f8afbe7255a56c820435467ad74079882e28fe6d460d93cc2307b8c3fb722000c867c6020a50f01f0599444a54322ad44161d91adb4b055833e9d55

Download Submit
C:\Users\Admin\AppData\Local\Temp\kiatkujj.wma
Filesize
292KB

MD5
ac29d4e9d2b825be8aed38b96e306f55

SHA1
117eff1b5269061b65d1f8a21c63a94ff9d2ab04

SHA256
8042a2fd282f5b166a4375d9231cc237bd3d2ff83f3e8d7472e8c85c2a915ae7

SHA512
9de8bd9f2da59d8cab2d371b0a3985542d2029f5e95d1664e0615c6a01ee16ed31430cb7fd9b9247d2f8d8381aa351208624d363830efe3d044c131b31daee79

Download Submit
C:\Users\Admin\AppData\Local\Temp\smxytwf.qx
Filesize
7KB

MD5
acba89ee944a157d5c5e7a57a8d06980

SHA1
de79abec32290a858a98e3d2ae043bced4b6f01a

SHA256
aa5877d424a9ef6611da85bceacec4175469f5c6033b5ee927b98e4e2c7b8581

SHA512
4f07c07c712fa6cf4ef39298425d25005923c534ce45704a40384086f2a7ec3c9e044724c50e38fbc2a94c04fb07482430596e8cf9ebcfc9b6ef8c54b98bcb71

Download Submit
memory/3524-177-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/3524-180-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/3524-169-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/3524-170-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/3524-172-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/3524-174-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/3524-171-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/3524-167-0x0000000000000000-mapping.dmp

Download
memory/3524-178-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/3524-173-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/3524-181-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/3524-183-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/3524-185-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/3524-186-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/3524-184-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/3524-182-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/3524-179-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/3524-175-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/4640-214-0x000000000041AD7B-mapping.dmp

Download
memory/4640-261-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/5112-138-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/5112-137-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/5112-148-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/5112-149-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/5112-150-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/5112-143-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/5112-152-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/5112-153-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/5112-155-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/5112-157-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/5112-158-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/5112-160-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/5112-162-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/5112-161-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/5112-164-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/5112-146-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/5112-145-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/5112-144-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/5112-142-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/5112-139-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/5112-141-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/5112-140-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/5112-120-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/5112-147-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/5112-136-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/5112-135-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/5112-134-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/5112-133-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/5112-132-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/5112-130-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/5112-131-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/5112-129-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/5112-128-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/5112-127-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/5112-126-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/5112-166-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/5112-165-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/5112-163-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/5112-159-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/5112-156-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/5112-154-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/5112-151-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/5112-125-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/5112-124-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/5112-123-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/5112-122-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/5112-121-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download