netwire | e0143cf54d109163f0f807816907b3e375170dd9ce576164a519efba66983459

General

Target

e0143cf54d109163f0f807816907b3e375170dd9ce576164a519efba66983459_timedlll.exe
Size

484KB
MD5

8f18d06bd4d22a313565373d9e638ebc
SHA1

9e83aa2284e2c2094d649b909d50b885c4193fe5
SHA256

e0143cf54d109163f0f807816907b3e375170dd9ce576164a519efba66983459
SHA512

efd124190ccef60f2826e0a608dbc5d2c5f9d75a57c0eb2dec874592e6bc8f5a38155e6b81590c038a6a1009fa93e410daa5cb01f15a1f2ee4340ab98a9702c8
SSDEEP

6144:ql41F6zaFhj4pgKTmUK5vN5vdKrV1T8xt2+ilHsPerH6inevq4Wl:ql46Qhj4prSpVRduVJ8++9mrLevzWl

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

C2

185.145.45.41:3368

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
fuwqWcrJ
offline_keylogger
true
password
Gentle123
registry_autorun
false
use_mutex
true

Signatures

NetWire RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/240-73-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 1 IoCs

Processes:

kinglike.exe

pid process

240 kinglike.exe

pid	process
240	kinglike.exe

Drops file in Windows directory 2 IoCs

Processes:

e0143cf54d109163f0f807816907b3e375170dd9ce576164a519efba66983459_timedlll.exekinglike.exe

description	ioc	process
File opened for modification	C:\Windows\win.ini	e0143cf54d109163f0f807816907b3e375170dd9ce576164a519efba66983459_timedlll.exe
File opened for modification	C:\Windows\win.ini	kinglike.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

872 schtasks.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

e0143cf54d109163f0f807816907b3e375170dd9ce576164a519efba66983459_timedlll.exekinglike.exe

pid process

1356 e0143cf54d109163f0f807816907b3e375170dd9ce576164a519efba66983459_timedlll.exe
240 kinglike.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

kinglike.exe

pid process

240 kinglike.exe

pid	process
872	schtasks.exe

pid	process
1356	e0143cf54d109163f0f807816907b3e375170dd9ce576164a519efba66983459_timedlll.exe
240	kinglike.exe

pid	process
240	kinglike.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

e0143cf54d109163f0f807816907b3e375170dd9ce576164a519efba66983459_timedlll.exetaskeng.exe

description	pid	process	target process
PID 1356 wrote to memory of 872	1356	e0143cf54d109163f0f807816907b3e375170dd9ce576164a519efba66983459_timedlll.exe	schtasks.exe
PID 1356 wrote to memory of 872	1356	e0143cf54d109163f0f807816907b3e375170dd9ce576164a519efba66983459_timedlll.exe	schtasks.exe
PID 1356 wrote to memory of 872	1356	e0143cf54d109163f0f807816907b3e375170dd9ce576164a519efba66983459_timedlll.exe	schtasks.exe
PID 1356 wrote to memory of 872	1356	e0143cf54d109163f0f807816907b3e375170dd9ce576164a519efba66983459_timedlll.exe	schtasks.exe
PID 1356 wrote to memory of 964	1356	e0143cf54d109163f0f807816907b3e375170dd9ce576164a519efba66983459_timedlll.exe	schtasks.exe
PID 1356 wrote to memory of 964	1356	e0143cf54d109163f0f807816907b3e375170dd9ce576164a519efba66983459_timedlll.exe	schtasks.exe
PID 1356 wrote to memory of 964	1356	e0143cf54d109163f0f807816907b3e375170dd9ce576164a519efba66983459_timedlll.exe	schtasks.exe
PID 1356 wrote to memory of 964	1356	e0143cf54d109163f0f807816907b3e375170dd9ce576164a519efba66983459_timedlll.exe	schtasks.exe
PID 1712 wrote to memory of 240	1712	taskeng.exe	kinglike.exe
PID 1712 wrote to memory of 240	1712	taskeng.exe	kinglike.exe
PID 1712 wrote to memory of 240	1712	taskeng.exe	kinglike.exe
PID 1712 wrote to memory of 240	1712	taskeng.exe	kinglike.exe

C:\Users\Admin\AppData\Local\Temp\e0143cf54d109163f0f807816907b3e375170dd9ce576164a519efba66983459_timedlll.exe
"C:\Users\Admin\AppData\Local\Temp\e0143cf54d109163f0f807816907b3e375170dd9ce576164a519efba66983459_timedlll.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1356

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /TN "Belgningsstuens" /TR "C:\Users\Admin\AppData\Roaming\kinglike.exe"
2⤵
- Creates scheduled task(s)
PID:872

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /run /tn "Belgningsstuens"
2⤵
PID:964

C:\Windows\system32\taskeng.exe
taskeng.exe {7F547DCF-AB6D-4DC1-A657-A53599CDC312} S-1-5-21-3845472200-3839195424-595303356-1000:ZERMMMDR\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1712

C:\Users\Admin\AppData\Roaming\kinglike.exe
C:\Users\Admin\AppData\Roaming\kinglike.exe
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
PID:240

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\kinglike.exe

Filesize
484KB

MD5
ea40ee2956af9027022020b83c67eaeb

SHA1
0e5f3811b06f6d6a6147d06f0eeec4fb1d1afcc1

SHA256
eb62ceaf85055120714d9b82b8da39e7d08a95ebb1763b03009511532c40c7d3

SHA512
8c0cc4840ae0b32dfa71ac9dbdb175fe8ec541636e1470ff324cc26265c5aef8ac1e796f0d505d8e37dff0efea7913a0072a2ebdb205ec3aed92bba40ba0d25e

Download Submit
C:\Users\Admin\AppData\Roaming\kinglike.exe

Filesize
484KB

MD5
ea40ee2956af9027022020b83c67eaeb

SHA1
0e5f3811b06f6d6a6147d06f0eeec4fb1d1afcc1

SHA256
eb62ceaf85055120714d9b82b8da39e7d08a95ebb1763b03009511532c40c7d3

SHA512
8c0cc4840ae0b32dfa71ac9dbdb175fe8ec541636e1470ff324cc26265c5aef8ac1e796f0d505d8e37dff0efea7913a0072a2ebdb205ec3aed92bba40ba0d25e

Download Submit
C:\Windows\win.ini

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/240-71-0x0000000077D40000-0x0000000077EC0000-memory.dmp

Filesize
1.5MB

Download
memory/240-63-0x0000000000000000-mapping.dmp

Download
memory/240-68-0x0000000003590000-0x0000000003690000-memory.dmp

Filesize
1024KB

Download
memory/240-69-0x0000000003590000-0x0000000003690000-memory.dmp

Filesize
1024KB

Download
memory/240-73-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/240-79-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/240-80-0x0000000077D40000-0x0000000077EC0000-memory.dmp

Filesize
1.5MB

Download
memory/872-58-0x0000000000000000-mapping.dmp

Download
memory/964-60-0x0000000000000000-mapping.dmp

Download
memory/1356-61-0x0000000077D40000-0x0000000077EC0000-memory.dmp

Filesize
1.5MB

Download
memory/1356-59-0x0000000077D40000-0x0000000077EC0000-memory.dmp

Filesize
1.5MB

Download
memory/1356-57-0x0000000076711000-0x0000000076713000-memory.dmp

Filesize
8KB

Download
memory/1356-56-0x0000000002610000-0x0000000002710000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads