netwire | 1801a874e23097185c396dfcc625bebae49577d65a9177332b8f791810054b4e

General

Target

INQ 80469046 DBT.exe
Size

1001KB
MD5

84e792790474ec5d19a491b9ec553b3d
SHA1

25d20a249b0e1d38ecc0f368605ff39776645d1a
SHA256

1801a874e23097185c396dfcc625bebae49577d65a9177332b8f791810054b4e
SHA512

570126783e260cd4b638804cb19e27593019526f72aa0f64868dbc05a19905cedaaa27f2a40779d39297b96e973c5ef7a59b809082032c25adbf2dc6370282ba
SSDEEP

24576:7gPD5Nb3ewHdqoXpDLycm6AP+nYWUP4tFd8vHX6E/VhL:7gPD5Nb/Jycm62+neP4tF6360VhL

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Extracted

Family

netwire

C2

212.193.30.230:6063

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
install_path
%AppData%\Install\Host.exe
keylogger_dir
TestLink.lnk
lock_executable
false
offline_keylogger
false
password
Password123@
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 7 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1772-143-0x0000000000400000-0x000000000044F000-memory.dmp	netwire
behavioral2/memory/1772-145-0x0000000000400000-0x000000000044F000-memory.dmp	netwire
behavioral2/memory/1772-148-0x0000000000400000-0x000000000044F000-memory.dmp	netwire
behavioral2/memory/1772-152-0x0000000000400000-0x000000000044F000-memory.dmp	netwire
behavioral2/memory/1120-171-0x0000000000400000-0x000000000044F000-memory.dmp	netwire
behavioral2/memory/1120-172-0x0000000000400000-0x000000000044F000-memory.dmp	netwire
behavioral2/memory/1120-174-0x0000000000400000-0x000000000044F000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

Host.exeHost.exe

pid process

3516 Host.exe
1120 Host.exe

pid	process
3516	Host.exe
1120	Host.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

INQ 80469046 DBT.exeINQ 80469046 DBT.exeHost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	INQ 80469046 DBT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	INQ 80469046 DBT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Host.exe

Drops startup file 1 IoCs

Processes:

Host.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TestLink.lnk Host.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TestLink.lnk	Host.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Host.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	Host.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vÀÙá=ëÏþ½Pe… = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe"	Host.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

INQ 80469046 DBT.exeHost.exe

description	pid	process	target process
PID 976 set thread context of 1772	976	INQ 80469046 DBT.exe	INQ 80469046 DBT.exe
PID 3516 set thread context of 1120	3516	Host.exe	Host.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1636 schtasks.exe
3348 schtasks.exe

pid	process
1636	schtasks.exe
3348	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

INQ 80469046 DBT.exepowershell.exeHost.exepowershell.exe

pid	process
976	INQ 80469046 DBT.exe
4452	powershell.exe
976	INQ 80469046 DBT.exe
4452	powershell.exe
3516	Host.exe
4356	powershell.exe
3516	Host.exe
4356	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

INQ 80469046 DBT.exepowershell.exeHost.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	976	INQ 80469046 DBT.exe
Token: SeDebugPrivilege	4452	powershell.exe
Token: SeDebugPrivilege	3516	Host.exe
Token: SeDebugPrivilege	4356	powershell.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

INQ 80469046 DBT.exeINQ 80469046 DBT.exeHost.exe

description	pid	process	target process
PID 976 wrote to memory of 4452	976	INQ 80469046 DBT.exe	powershell.exe
PID 976 wrote to memory of 4452	976	INQ 80469046 DBT.exe	powershell.exe
PID 976 wrote to memory of 4452	976	INQ 80469046 DBT.exe	powershell.exe
PID 976 wrote to memory of 1636	976	INQ 80469046 DBT.exe	schtasks.exe
PID 976 wrote to memory of 1636	976	INQ 80469046 DBT.exe	schtasks.exe
PID 976 wrote to memory of 1636	976	INQ 80469046 DBT.exe	schtasks.exe
PID 976 wrote to memory of 1772	976	INQ 80469046 DBT.exe	INQ 80469046 DBT.exe
PID 976 wrote to memory of 1772	976	INQ 80469046 DBT.exe	INQ 80469046 DBT.exe
PID 976 wrote to memory of 1772	976	INQ 80469046 DBT.exe	INQ 80469046 DBT.exe
PID 976 wrote to memory of 1772	976	INQ 80469046 DBT.exe	INQ 80469046 DBT.exe
PID 976 wrote to memory of 1772	976	INQ 80469046 DBT.exe	INQ 80469046 DBT.exe
PID 976 wrote to memory of 1772	976	INQ 80469046 DBT.exe	INQ 80469046 DBT.exe
PID 976 wrote to memory of 1772	976	INQ 80469046 DBT.exe	INQ 80469046 DBT.exe
PID 976 wrote to memory of 1772	976	INQ 80469046 DBT.exe	INQ 80469046 DBT.exe
PID 976 wrote to memory of 1772	976	INQ 80469046 DBT.exe	INQ 80469046 DBT.exe
PID 976 wrote to memory of 1772	976	INQ 80469046 DBT.exe	INQ 80469046 DBT.exe
PID 1772 wrote to memory of 3516	1772	INQ 80469046 DBT.exe	Host.exe
PID 1772 wrote to memory of 3516	1772	INQ 80469046 DBT.exe	Host.exe
PID 1772 wrote to memory of 3516	1772	INQ 80469046 DBT.exe	Host.exe
PID 3516 wrote to memory of 4356	3516	Host.exe	powershell.exe
PID 3516 wrote to memory of 4356	3516	Host.exe	powershell.exe
PID 3516 wrote to memory of 4356	3516	Host.exe	powershell.exe
PID 3516 wrote to memory of 3348	3516	Host.exe	schtasks.exe
PID 3516 wrote to memory of 3348	3516	Host.exe	schtasks.exe
PID 3516 wrote to memory of 3348	3516	Host.exe	schtasks.exe
PID 3516 wrote to memory of 1120	3516	Host.exe	Host.exe
PID 3516 wrote to memory of 1120	3516	Host.exe	Host.exe
PID 3516 wrote to memory of 1120	3516	Host.exe	Host.exe
PID 3516 wrote to memory of 1120	3516	Host.exe	Host.exe
PID 3516 wrote to memory of 1120	3516	Host.exe	Host.exe
PID 3516 wrote to memory of 1120	3516	Host.exe	Host.exe
PID 3516 wrote to memory of 1120	3516	Host.exe	Host.exe
PID 3516 wrote to memory of 1120	3516	Host.exe	Host.exe
PID 3516 wrote to memory of 1120	3516	Host.exe	Host.exe
PID 3516 wrote to memory of 1120	3516	Host.exe	Host.exe

C:\Users\Admin\AppData\Local\Temp\INQ 80469046 DBT.exe
"C:\Users\Admin\AppData\Local\Temp\INQ 80469046 DBT.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:976

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\qKcaUVIbG.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4452

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qKcaUVIbG" /XML "C:\Users\Admin\AppData\Local\Temp\tmp34DB.tmp"
2⤵
- Creates scheduled task(s)
PID:1636

C:\Users\Admin\AppData\Local\Temp\INQ 80469046 DBT.exe
"C:\Users\Admin\AppData\Local\Temp\INQ 80469046 DBT.exe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1772

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3516

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\qKcaUVIbG.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4356

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qKcaUVIbG" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCDFE.tmp"
4⤵
- Creates scheduled task(s)
PID:3348

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
4⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
PID:1120

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
b98963e957fbf41e3bbc7c24959263cb

SHA1
7def12782ebf0012d19e92dcb76a78941ab31eda

SHA256
a9250bb435ab63fcfc77ad6e5a0b1bc1836a4db891a40d0b7943c35592108a6b

SHA512
ccc833db9fa1516edb789b3898a636d8ddbdf5a5aaaaa5f83f01a0ee995a8550a55794b638544431d5e196f63a60de7253428e96f812470a5d4d64a4852805ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp34DB.tmp
Filesize
1KB

MD5
19cd3f34f0a326d8a0f2e23b3eb56bb6

SHA1
2f38566ca8c8bc55c8088b21cf51601b3e2ae836

SHA256
2c857ecdc20cb690c2830b47d7cd32c067953082dd956625f917a3617653f3b3

SHA512
36fdb6e2f20a01b4aa4270671c43799051dae91ee6948ea5ba657ff6e19bb60ed2e030958c19f77dce7d09e4db8358fa24f168142af92bcf1fc51f91fcca41c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCDFE.tmp
Filesize
1KB

MD5
19cd3f34f0a326d8a0f2e23b3eb56bb6

SHA1
2f38566ca8c8bc55c8088b21cf51601b3e2ae836

SHA256
2c857ecdc20cb690c2830b47d7cd32c067953082dd956625f917a3617653f3b3

SHA512
36fdb6e2f20a01b4aa4270671c43799051dae91ee6948ea5ba657ff6e19bb60ed2e030958c19f77dce7d09e4db8358fa24f168142af92bcf1fc51f91fcca41c0

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
1001KB

MD5
84e792790474ec5d19a491b9ec553b3d

SHA1
25d20a249b0e1d38ecc0f368605ff39776645d1a

SHA256
1801a874e23097185c396dfcc625bebae49577d65a9177332b8f791810054b4e

SHA512
570126783e260cd4b638804cb19e27593019526f72aa0f64868dbc05a19905cedaaa27f2a40779d39297b96e973c5ef7a59b809082032c25adbf2dc6370282ba

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
1001KB

MD5
84e792790474ec5d19a491b9ec553b3d

SHA1
25d20a249b0e1d38ecc0f368605ff39776645d1a

SHA256
1801a874e23097185c396dfcc625bebae49577d65a9177332b8f791810054b4e

SHA512
570126783e260cd4b638804cb19e27593019526f72aa0f64868dbc05a19905cedaaa27f2a40779d39297b96e973c5ef7a59b809082032c25adbf2dc6370282ba

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
1001KB

MD5
84e792790474ec5d19a491b9ec553b3d

SHA1
25d20a249b0e1d38ecc0f368605ff39776645d1a

SHA256
1801a874e23097185c396dfcc625bebae49577d65a9177332b8f791810054b4e

SHA512
570126783e260cd4b638804cb19e27593019526f72aa0f64868dbc05a19905cedaaa27f2a40779d39297b96e973c5ef7a59b809082032c25adbf2dc6370282ba

Download Submit
memory/976-136-0x0000000004FF0000-0x000000000508C000-memory.dmp

Filesize
624KB

Download
memory/976-135-0x0000000004CF0000-0x0000000004CFA000-memory.dmp

Filesize
40KB

Download
memory/976-134-0x0000000004D70000-0x0000000004E02000-memory.dmp

Filesize
584KB

Download
memory/976-132-0x0000000000260000-0x0000000000360000-memory.dmp

Filesize
1024KB

Download
memory/976-133-0x0000000005320000-0x00000000058C4000-memory.dmp

Filesize
5.6MB

Download
memory/1120-174-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1120-172-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1120-171-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1120-168-0x0000000000000000-mapping.dmp

Download
memory/1636-138-0x0000000000000000-mapping.dmp

Download
memory/1772-142-0x0000000000000000-mapping.dmp

Download
memory/1772-152-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1772-148-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1772-145-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1772-143-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/3348-165-0x0000000000000000-mapping.dmp

Download
memory/3516-149-0x0000000000000000-mapping.dmp

Download
memory/4356-164-0x0000000000000000-mapping.dmp

Download
memory/4356-175-0x0000000070C40000-0x0000000070C8C000-memory.dmp

Filesize
304KB

Download
memory/4452-160-0x0000000007BD0000-0x0000000007C66000-memory.dmp

Filesize
600KB

Download
memory/4452-153-0x0000000006650000-0x000000000666E000-memory.dmp

Filesize
120KB

Download
memory/4452-156-0x0000000006C00000-0x0000000006C1E000-memory.dmp

Filesize
120KB

Download
memory/4452-161-0x0000000007B80000-0x0000000007B8E000-memory.dmp

Filesize
56KB

Download
memory/4452-162-0x0000000007C90000-0x0000000007CAA000-memory.dmp

Filesize
104KB

Download
memory/4452-163-0x0000000007C70000-0x0000000007C78000-memory.dmp

Filesize
32KB

Download
memory/4452-158-0x0000000007950000-0x000000000796A000-memory.dmp

Filesize
104KB

Download
memory/4452-155-0x0000000072160000-0x00000000721AC000-memory.dmp

Filesize
304KB

Download
memory/4452-154-0x0000000006C20000-0x0000000006C52000-memory.dmp

Filesize
200KB

Download
memory/4452-159-0x00000000079C0000-0x00000000079CA000-memory.dmp

Filesize
40KB

Download
memory/4452-147-0x0000000006010000-0x0000000006076000-memory.dmp

Filesize
408KB

Download
memory/4452-146-0x0000000005FA0000-0x0000000006006000-memory.dmp

Filesize
408KB

Download
memory/4452-144-0x0000000005560000-0x0000000005582000-memory.dmp

Filesize
136KB

Download
memory/4452-141-0x0000000005770000-0x0000000005D98000-memory.dmp

Filesize
6.2MB

Download
memory/4452-139-0x0000000005090000-0x00000000050C6000-memory.dmp

Filesize
216KB

Download
memory/4452-137-0x0000000000000000-mapping.dmp

Download
memory/4452-157-0x0000000007FA0000-0x000000000861A000-memory.dmp

Filesize
6.5MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads