netwire | 1801a874e23097185c396dfcc625bebae49577d65a9177332b8f791810054b4e

Analysis

max time kernel
84s
max time network
95s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
19-01-2023 10:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

INQ 80469046 DBT.exe
Size

1001KB
MD5

84e792790474ec5d19a491b9ec553b3d
SHA1

25d20a249b0e1d38ecc0f368605ff39776645d1a
SHA256

1801a874e23097185c396dfcc625bebae49577d65a9177332b8f791810054b4e
SHA512

570126783e260cd4b638804cb19e27593019526f72aa0f64868dbc05a19905cedaaa27f2a40779d39297b96e973c5ef7a59b809082032c25adbf2dc6370282ba
SSDEEP

24576:7gPD5Nb3ewHdqoXpDLycm6AP+nYWUP4tFd8vHX6E/VhL:7gPD5Nb/Jycm62+neP4tF6360VhL

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Extracted

Family

netwire

212.193.30.230:6063

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
install_path
%AppData%\Install\Host.exe
keylogger_dir
TestLink.lnk
lock_executable
false
offline_keylogger
false
password
Password123@
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 10 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1212-69-0x0000000000400000-0x000000000044F000-memory.dmp	netwire
behavioral1/memory/1212-71-0x0000000000400000-0x000000000044F000-memory.dmp	netwire
behavioral1/memory/1212-72-0x0000000000400000-0x000000000044F000-memory.dmp	netwire
behavioral1/memory/1212-74-0x0000000000400000-0x000000000044F000-memory.dmp	netwire
behavioral1/memory/1212-75-0x000000000041AD7B-mapping.dmp	netwire
behavioral1/memory/1212-78-0x0000000000400000-0x000000000044F000-memory.dmp	netwire
behavioral1/memory/1212-83-0x0000000000400000-0x000000000044F000-memory.dmp	netwire
behavioral1/memory/1948-106-0x000000000041AD7B-mapping.dmp	netwire
behavioral1/memory/1948-110-0x0000000000400000-0x000000000044F000-memory.dmp	netwire
behavioral1/memory/1948-114-0x0000000000400000-0x000000000044F000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

Host.exeHost.exe

pid process

1752 Host.exe
1948 Host.exe
Drops startup file 1 IoCs

Processes:

Host.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TestLink.lnk Host.exe
Loads dropped DLL 3 IoCs

Processes:

INQ 80469046 DBT.exeHost.exe

pid process

1212 INQ 80469046 DBT.exe
1212 INQ 80469046 DBT.exe
1948 Host.exe

pid	process
1752	Host.exe
1948	Host.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TestLink.lnk	Host.exe

pid	process
1212	INQ 80469046 DBT.exe
1212	INQ 80469046 DBT.exe
1948	Host.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Host.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	Host.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\vÀÙá=ëÏþ½Pe… = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe"	Host.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

INQ 80469046 DBT.exeHost.exe

description	pid	process	target process
PID 2028 set thread context of 1212	2028	INQ 80469046 DBT.exe	INQ 80469046 DBT.exe
PID 1752 set thread context of 1948	1752	Host.exe	Host.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1632 schtasks.exe
472 schtasks.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

INQ 80469046 DBT.exepowershell.exeHost.exepowershell.exe

pid process

2028 INQ 80469046 DBT.exe
2028 INQ 80469046 DBT.exe
1796 powershell.exe
1752 Host.exe
1760 powershell.exe
1752 Host.exe

pid	process
1632	schtasks.exe
472	schtasks.exe

pid	process
2028	INQ 80469046 DBT.exe
2028	INQ 80469046 DBT.exe
1796	powershell.exe
1752	Host.exe
1760	powershell.exe
1752	Host.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

INQ 80469046 DBT.exepowershell.exeHost.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2028	INQ 80469046 DBT.exe
Token: SeDebugPrivilege	1796	powershell.exe
Token: SeDebugPrivilege	1752	Host.exe
Token: SeDebugPrivilege	1760	powershell.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

INQ 80469046 DBT.exeINQ 80469046 DBT.exeHost.exe

description	pid	process	target process
PID 2028 wrote to memory of 1796	2028	INQ 80469046 DBT.exe	powershell.exe
PID 2028 wrote to memory of 1796	2028	INQ 80469046 DBT.exe	powershell.exe
PID 2028 wrote to memory of 1796	2028	INQ 80469046 DBT.exe	powershell.exe
PID 2028 wrote to memory of 1796	2028	INQ 80469046 DBT.exe	powershell.exe
PID 2028 wrote to memory of 472	2028	INQ 80469046 DBT.exe	schtasks.exe
PID 2028 wrote to memory of 472	2028	INQ 80469046 DBT.exe	schtasks.exe
PID 2028 wrote to memory of 472	2028	INQ 80469046 DBT.exe	schtasks.exe
PID 2028 wrote to memory of 472	2028	INQ 80469046 DBT.exe	schtasks.exe
PID 2028 wrote to memory of 1212	2028	INQ 80469046 DBT.exe	INQ 80469046 DBT.exe
PID 2028 wrote to memory of 1212	2028	INQ 80469046 DBT.exe	INQ 80469046 DBT.exe
PID 2028 wrote to memory of 1212	2028	INQ 80469046 DBT.exe	INQ 80469046 DBT.exe
PID 2028 wrote to memory of 1212	2028	INQ 80469046 DBT.exe	INQ 80469046 DBT.exe
PID 2028 wrote to memory of 1212	2028	INQ 80469046 DBT.exe	INQ 80469046 DBT.exe
PID 2028 wrote to memory of 1212	2028	INQ 80469046 DBT.exe	INQ 80469046 DBT.exe
PID 2028 wrote to memory of 1212	2028	INQ 80469046 DBT.exe	INQ 80469046 DBT.exe
PID 2028 wrote to memory of 1212	2028	INQ 80469046 DBT.exe	INQ 80469046 DBT.exe
PID 2028 wrote to memory of 1212	2028	INQ 80469046 DBT.exe	INQ 80469046 DBT.exe
PID 2028 wrote to memory of 1212	2028	INQ 80469046 DBT.exe	INQ 80469046 DBT.exe
PID 2028 wrote to memory of 1212	2028	INQ 80469046 DBT.exe	INQ 80469046 DBT.exe
PID 1212 wrote to memory of 1752	1212	INQ 80469046 DBT.exe	Host.exe
PID 1212 wrote to memory of 1752	1212	INQ 80469046 DBT.exe	Host.exe
PID 1212 wrote to memory of 1752	1212	INQ 80469046 DBT.exe	Host.exe
PID 1212 wrote to memory of 1752	1212	INQ 80469046 DBT.exe	Host.exe
PID 1752 wrote to memory of 1760	1752	Host.exe	powershell.exe
PID 1752 wrote to memory of 1760	1752	Host.exe	powershell.exe
PID 1752 wrote to memory of 1760	1752	Host.exe	powershell.exe
PID 1752 wrote to memory of 1760	1752	Host.exe	powershell.exe
PID 1752 wrote to memory of 1632	1752	Host.exe	schtasks.exe
PID 1752 wrote to memory of 1632	1752	Host.exe	schtasks.exe
PID 1752 wrote to memory of 1632	1752	Host.exe	schtasks.exe
PID 1752 wrote to memory of 1632	1752	Host.exe	schtasks.exe
PID 1752 wrote to memory of 1948	1752	Host.exe	Host.exe
PID 1752 wrote to memory of 1948	1752	Host.exe	Host.exe
PID 1752 wrote to memory of 1948	1752	Host.exe	Host.exe
PID 1752 wrote to memory of 1948	1752	Host.exe	Host.exe
PID 1752 wrote to memory of 1948	1752	Host.exe	Host.exe
PID 1752 wrote to memory of 1948	1752	Host.exe	Host.exe
PID 1752 wrote to memory of 1948	1752	Host.exe	Host.exe
PID 1752 wrote to memory of 1948	1752	Host.exe	Host.exe
PID 1752 wrote to memory of 1948	1752	Host.exe	Host.exe
PID 1752 wrote to memory of 1948	1752	Host.exe	Host.exe
PID 1752 wrote to memory of 1948	1752	Host.exe	Host.exe

C:\Users\Admin\AppData\Local\Temp\INQ 80469046 DBT.exe
"C:\Users\Admin\AppData\Local\Temp\INQ 80469046 DBT.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2028

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\qKcaUVIbG.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1796

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qKcaUVIbG" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9F7B.tmp"
2⤵
- Creates scheduled task(s)
PID:472

C:\Users\Admin\AppData\Local\Temp\INQ 80469046 DBT.exe
"C:\Users\Admin\AppData\Local\Temp\INQ 80469046 DBT.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1212

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1752

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\qKcaUVIbG.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1760

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qKcaUVIbG" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3DEB.tmp"
4⤵
- Creates scheduled task(s)
PID:1632

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
4⤵
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
PID:1948

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp3DEB.tmp
Filesize
1KB

MD5
f4a5cb82c555c2df62d2d35db95edec6

SHA1
fe6706a0ed27e519ce2ddf64306e02aadf7a1791

SHA256
e3122e0086bc2a17945dfdadf25d5a86927dd552abee708b2d741f75cfdd2aee

SHA512
745e2914769af645a320c469b1989768e704017d970ca4911fa31e25913d5420615a26e1325309b3a8e0b8e236a77d8c2d4dbd39a20a42c8f4e2ae97018df787

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9F7B.tmp
Filesize
1KB

MD5
f4a5cb82c555c2df62d2d35db95edec6

SHA1
fe6706a0ed27e519ce2ddf64306e02aadf7a1791

SHA256
e3122e0086bc2a17945dfdadf25d5a86927dd552abee708b2d741f75cfdd2aee

SHA512
745e2914769af645a320c469b1989768e704017d970ca4911fa31e25913d5420615a26e1325309b3a8e0b8e236a77d8c2d4dbd39a20a42c8f4e2ae97018df787

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
1001KB

MD5
84e792790474ec5d19a491b9ec553b3d

SHA1
25d20a249b0e1d38ecc0f368605ff39776645d1a

SHA256
1801a874e23097185c396dfcc625bebae49577d65a9177332b8f791810054b4e

SHA512
570126783e260cd4b638804cb19e27593019526f72aa0f64868dbc05a19905cedaaa27f2a40779d39297b96e973c5ef7a59b809082032c25adbf2dc6370282ba

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
1001KB

MD5
84e792790474ec5d19a491b9ec553b3d

SHA1
25d20a249b0e1d38ecc0f368605ff39776645d1a

SHA256
1801a874e23097185c396dfcc625bebae49577d65a9177332b8f791810054b4e

SHA512
570126783e260cd4b638804cb19e27593019526f72aa0f64868dbc05a19905cedaaa27f2a40779d39297b96e973c5ef7a59b809082032c25adbf2dc6370282ba

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
1001KB

MD5
84e792790474ec5d19a491b9ec553b3d

SHA1
25d20a249b0e1d38ecc0f368605ff39776645d1a

SHA256
1801a874e23097185c396dfcc625bebae49577d65a9177332b8f791810054b4e

SHA512
570126783e260cd4b638804cb19e27593019526f72aa0f64868dbc05a19905cedaaa27f2a40779d39297b96e973c5ef7a59b809082032c25adbf2dc6370282ba

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
9a52ad96b57ab74f91dfb9b762cdf987

SHA1
cccb31684c2768f15579e0bcbf8fa2530c8f7f75

SHA256
c468a5295fec6a68cdf536cc41574e7248bd88afe873df13c01bf755584c8b3a

SHA512
ce2a0f257d590eafe62d79282876705f71d44005ab430bc97fb1665d4357ec8cdea613c71a4d33b6464b8b8dea73442216ae9e50e6f21ba291fca87d7ffbfb8f

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
1001KB

MD5
84e792790474ec5d19a491b9ec553b3d

SHA1
25d20a249b0e1d38ecc0f368605ff39776645d1a

SHA256
1801a874e23097185c396dfcc625bebae49577d65a9177332b8f791810054b4e

SHA512
570126783e260cd4b638804cb19e27593019526f72aa0f64868dbc05a19905cedaaa27f2a40779d39297b96e973c5ef7a59b809082032c25adbf2dc6370282ba

Download Submit
\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
1001KB

MD5
84e792790474ec5d19a491b9ec553b3d

SHA1
25d20a249b0e1d38ecc0f368605ff39776645d1a

SHA256
1801a874e23097185c396dfcc625bebae49577d65a9177332b8f791810054b4e

SHA512
570126783e260cd4b638804cb19e27593019526f72aa0f64868dbc05a19905cedaaa27f2a40779d39297b96e973c5ef7a59b809082032c25adbf2dc6370282ba

Download Submit
\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
1001KB

MD5
84e792790474ec5d19a491b9ec553b3d

SHA1
25d20a249b0e1d38ecc0f368605ff39776645d1a

SHA256
1801a874e23097185c396dfcc625bebae49577d65a9177332b8f791810054b4e

SHA512
570126783e260cd4b638804cb19e27593019526f72aa0f64868dbc05a19905cedaaa27f2a40779d39297b96e973c5ef7a59b809082032c25adbf2dc6370282ba

Download Submit
memory/472-60-0x0000000000000000-mapping.dmp

Download
memory/1212-65-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1212-69-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1212-71-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1212-72-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1212-74-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1212-75-0x000000000041AD7B-mapping.dmp

Download
memory/1212-78-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1212-67-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1212-64-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1212-83-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1632-91-0x0000000000000000-mapping.dmp

Download
memory/1752-85-0x0000000000BC0000-0x0000000000CC0000-memory.dmp

Filesize
1024KB

Download
memory/1752-87-0x00000000002C0000-0x00000000002D6000-memory.dmp

Filesize
88KB

Download
memory/1752-81-0x0000000000000000-mapping.dmp

Download
memory/1760-90-0x0000000000000000-mapping.dmp

Download
memory/1760-113-0x000000006EB50000-0x000000006F0FB000-memory.dmp

Filesize
5.7MB

Download
memory/1796-88-0x000000006E050000-0x000000006E5FB000-memory.dmp

Filesize
5.7MB

Download
memory/1796-89-0x000000006E050000-0x000000006E5FB000-memory.dmp

Filesize
5.7MB

Download
memory/1796-59-0x0000000000000000-mapping.dmp

Download
memory/1948-110-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1948-114-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1948-106-0x000000000041AD7B-mapping.dmp

Download
memory/2028-58-0x00000000056F0000-0x0000000005788000-memory.dmp

Filesize
608KB

Download
memory/2028-57-0x0000000000530000-0x000000000053A000-memory.dmp

Filesize
40KB

Download
memory/2028-56-0x0000000000410000-0x0000000000426000-memory.dmp

Filesize
88KB

Download
memory/2028-55-0x0000000075151000-0x0000000075153000-memory.dmp

Filesize
8KB

Download
memory/2028-63-0x0000000005150000-0x00000000051B0000-memory.dmp

Filesize
384KB

Download
memory/2028-54-0x0000000001020000-0x0000000001120000-memory.dmp

Filesize
1024KB

Download