netwire | 322d2fdb6bdefc516d4be643bce9f464abdaf8aa24d50ac30bcf9d59d084c8a1

General

Target

Quotation CTT5684.exe
Size

577KB
MD5

870937bfc582473b8b55263cdd9de6c2
SHA1

53ef5972b622a434b1fe5e4697445a54e8b387b1
SHA256

5e9b3af8cce827e801b56da7dcacf0453baeea54f5df0c66607d9cffa2e76886
SHA512

9b883059a465f8d4d468bbb1b17b1020f7fc5874d42176f3ce1682a29ff1841709dcd44502ef8bd411807b12084ead57e02f12db01b151cbf5c7d012acb250d6
SSDEEP

12288:vUWcNPJg+MO3/vSLDrw32Zl1zLbHWEpPmB+Rm4mXN4HJUCePad0VL6lwP0FzWSgk:/cJArl1zLbHWEpPmB+Q4mXKHKCePad0w

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Extracted

Family

netwire

C2

iammrjeff00.duckdns.org:1181

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
MR-J
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
Password1
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1920-82-0x0000000000400000-0x0000000000495000-memory.dmp	netwire
behavioral1/memory/1920-83-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

svchost64.exesvchost64.exe

pid process

1356 svchost64.exe
1920 svchost64.exe
Loads dropped DLL 3 IoCs

Processes:

Quotation CTT5684.exesvchost64.exe

pid process

1684 Quotation CTT5684.exe
1684 Quotation CTT5684.exe
1356 svchost64.exe

pid	process
1356	svchost64.exe
1920	svchost64.exe

pid	process
1684	Quotation CTT5684.exe
1684	Quotation CTT5684.exe
1356	svchost64.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Intel (r) = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tem64\\svchost64.vbs -rb"	WScript.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

svchost64.exe

description pid process target process

PID 1356 set thread context of 1920 1356 svchost64.exe svchost64.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Quotation CTT5684.exesvchost64.exe

pid process

1684 Quotation CTT5684.exe
1356 svchost64.exe

description	pid	process	target process
PID 1356 set thread context of 1920	1356	svchost64.exe	svchost64.exe

pid	process
1684	Quotation CTT5684.exe
1356	svchost64.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

Quotation CTT5684.exesvchost64.exe

description	pid	process	target process
PID 1684 wrote to memory of 1900	1684	Quotation CTT5684.exe	WScript.exe
PID 1684 wrote to memory of 1900	1684	Quotation CTT5684.exe	WScript.exe
PID 1684 wrote to memory of 1900	1684	Quotation CTT5684.exe	WScript.exe
PID 1684 wrote to memory of 1900	1684	Quotation CTT5684.exe	WScript.exe
PID 1684 wrote to memory of 1356	1684	Quotation CTT5684.exe	svchost64.exe
PID 1684 wrote to memory of 1356	1684	Quotation CTT5684.exe	svchost64.exe
PID 1684 wrote to memory of 1356	1684	Quotation CTT5684.exe	svchost64.exe
PID 1684 wrote to memory of 1356	1684	Quotation CTT5684.exe	svchost64.exe
PID 1356 wrote to memory of 1920	1356	svchost64.exe	svchost64.exe
PID 1356 wrote to memory of 1920	1356	svchost64.exe	svchost64.exe
PID 1356 wrote to memory of 1920	1356	svchost64.exe	svchost64.exe
PID 1356 wrote to memory of 1920	1356	svchost64.exe	svchost64.exe

C:\Users\Admin\AppData\Local\Temp\Quotation CTT5684.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation CTT5684.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1684

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tem64\svchost64.vbs"
2⤵
- Adds Run key to start application
PID:1900

C:\Users\Admin\AppData\Local\Temp\tem64\svchost64.exe
"C:\Users\Admin\AppData\Local\Temp\tem64\svchost64.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1356

C:\Users\Admin\AppData\Local\Temp\tem64\svchost64.exe
C:\Users\Admin\AppData\Local\Temp\tem64\svchost64.exe"
3⤵
- Executes dropped EXE
PID:1920

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tem64\svchost64.exe
Filesize
577KB

MD5
870937bfc582473b8b55263cdd9de6c2

SHA1
53ef5972b622a434b1fe5e4697445a54e8b387b1

SHA256
5e9b3af8cce827e801b56da7dcacf0453baeea54f5df0c66607d9cffa2e76886

SHA512
9b883059a465f8d4d468bbb1b17b1020f7fc5874d42176f3ce1682a29ff1841709dcd44502ef8bd411807b12084ead57e02f12db01b151cbf5c7d012acb250d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tem64\svchost64.exe
Filesize
577KB

MD5
870937bfc582473b8b55263cdd9de6c2

SHA1
53ef5972b622a434b1fe5e4697445a54e8b387b1

SHA256
5e9b3af8cce827e801b56da7dcacf0453baeea54f5df0c66607d9cffa2e76886

SHA512
9b883059a465f8d4d468bbb1b17b1020f7fc5874d42176f3ce1682a29ff1841709dcd44502ef8bd411807b12084ead57e02f12db01b151cbf5c7d012acb250d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tem64\svchost64.exe
Filesize
577KB

MD5
870937bfc582473b8b55263cdd9de6c2

SHA1
53ef5972b622a434b1fe5e4697445a54e8b387b1

SHA256
5e9b3af8cce827e801b56da7dcacf0453baeea54f5df0c66607d9cffa2e76886

SHA512
9b883059a465f8d4d468bbb1b17b1020f7fc5874d42176f3ce1682a29ff1841709dcd44502ef8bd411807b12084ead57e02f12db01b151cbf5c7d012acb250d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tem64\svchost64.vbs
Filesize
1024B

MD5
2d3de8adf3832d6c998e092032247281

SHA1
93a20449e135b41abe7d46b7501483137d28d27b

SHA256
d6caced3aa684b19a440facdb71f93777aad35e43cb44e252597a9db8243ec30

SHA512
a362410b958687437b636876fb36f71065f9ab4949ed3b18d7ecfeca95dfc65dd7f2091253d3c62f8e0132efdd6b593f22a23f4db520ba70e4b388614e11da5d

Download Submit
\Users\Admin\AppData\Local\Temp\tem64\svchost64.exe
Filesize
577KB

MD5
870937bfc582473b8b55263cdd9de6c2

SHA1
53ef5972b622a434b1fe5e4697445a54e8b387b1

SHA256
5e9b3af8cce827e801b56da7dcacf0453baeea54f5df0c66607d9cffa2e76886

SHA512
9b883059a465f8d4d468bbb1b17b1020f7fc5874d42176f3ce1682a29ff1841709dcd44502ef8bd411807b12084ead57e02f12db01b151cbf5c7d012acb250d6

Download Submit
\Users\Admin\AppData\Local\Temp\tem64\svchost64.exe
Filesize
577KB

MD5
870937bfc582473b8b55263cdd9de6c2

SHA1
53ef5972b622a434b1fe5e4697445a54e8b387b1

SHA256
5e9b3af8cce827e801b56da7dcacf0453baeea54f5df0c66607d9cffa2e76886

SHA512
9b883059a465f8d4d468bbb1b17b1020f7fc5874d42176f3ce1682a29ff1841709dcd44502ef8bd411807b12084ead57e02f12db01b151cbf5c7d012acb250d6

Download Submit
\Users\Admin\AppData\Local\Temp\tem64\svchost64.exe
Filesize
577KB

MD5
870937bfc582473b8b55263cdd9de6c2

SHA1
53ef5972b622a434b1fe5e4697445a54e8b387b1

SHA256
5e9b3af8cce827e801b56da7dcacf0453baeea54f5df0c66607d9cffa2e76886

SHA512
9b883059a465f8d4d468bbb1b17b1020f7fc5874d42176f3ce1682a29ff1841709dcd44502ef8bd411807b12084ead57e02f12db01b151cbf5c7d012acb250d6

Download Submit
memory/1356-71-0x0000000000640000-0x0000000000647000-memory.dmp

Filesize
28KB

Download
memory/1356-79-0x0000000077CD0000-0x0000000077E50000-memory.dmp

Filesize
1.5MB

Download
memory/1356-62-0x0000000000000000-mapping.dmp

Download
memory/1356-77-0x0000000000640000-0x0000000000647000-memory.dmp

Filesize
28KB

Download
memory/1356-78-0x0000000077AF0000-0x0000000077C99000-memory.dmp

Filesize
1.7MB

Download
memory/1684-66-0x00000000003D0000-0x00000000003D7000-memory.dmp

Filesize
28KB

Download
memory/1684-70-0x0000000077CD0000-0x0000000077E50000-memory.dmp

Filesize
1.5MB

Download
memory/1684-56-0x00000000003D0000-0x00000000003D7000-memory.dmp

Filesize
28KB

Download
memory/1684-63-0x0000000077AF0000-0x0000000077C99000-memory.dmp

Filesize
1.7MB

Download
memory/1684-57-0x0000000076401000-0x0000000076403000-memory.dmp

Filesize
8KB

Download
memory/1684-64-0x0000000077CD0000-0x0000000077E50000-memory.dmp

Filesize
1.5MB

Download
memory/1900-58-0x0000000000000000-mapping.dmp

Download
memory/1920-75-0x0000000000485EA4-mapping.dmp

Download
memory/1920-80-0x00000000002A0000-0x00000000002A7000-memory.dmp

Filesize
28KB

Download
memory/1920-82-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/1920-83-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1920-89-0x0000000077AF0000-0x0000000077C99000-memory.dmp

Filesize
1.7MB

Download
memory/1920-90-0x00000000002A0000-0x00000000002A7000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads