netwire | c8a9fa4307b87bcbb0091ba8541431367cbad068a092a6a8e968e1d26aab3172

Analysis

max time kernel
68s
max time network
147s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
06-02-2023 11:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c8a9fa4307b87bcbb0091ba8541431367cbad068a092a6a8e968e1d26aab3172.exe
Size

902KB
MD5

aa63661edf36159a1d74f649cfec2c7d
SHA1

cc15fa8efcfb5ecdddc86b081788cfac888ce4fb
SHA256

c8a9fa4307b87bcbb0091ba8541431367cbad068a092a6a8e968e1d26aab3172
SHA512

f47d647543a928d7619211269876aa4bc0cf150078a8a9dd0d28e4e30aa648d026c3538efa71b2f1b99441371953a9729c4f9dcd8b1e1f6c5bc2d8dd5551f589
SSDEEP

24576:JA37TnTIW2gpMxdDOZXtFccXMeaJXCrxN5IC54TWM:OPcW2txdDOZXf3Uytgi

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

156.96.113.208:7201

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
super%
lock_executable
false
mutex
vYtHuXLf
offline_keylogger
false
password
Password
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/5096-257-0x000000000041AD7B-mapping.dmp	netwire
behavioral1/memory/5096-338-0x0000000000400000-0x000000000044F000-memory.dmp	netwire
behavioral1/memory/5096-599-0x0000000000400000-0x000000000044F000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Suspicious use of SetThreadContext 1 IoCs

Processes:

c8a9fa4307b87bcbb0091ba8541431367cbad068a092a6a8e968e1d26aab3172.exe

description	pid	process	target process
PID 4324 set thread context of 5096	4324	c8a9fa4307b87bcbb0091ba8541431367cbad068a092a6a8e968e1d26aab3172.exe	c8a9fa4307b87bcbb0091ba8541431367cbad068a092a6a8e968e1d26aab3172.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3772 schtasks.exe

pid	process
3772	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

c8a9fa4307b87bcbb0091ba8541431367cbad068a092a6a8e968e1d26aab3172.exepowershell.exe

pid	process
4324	c8a9fa4307b87bcbb0091ba8541431367cbad068a092a6a8e968e1d26aab3172.exe
4324	c8a9fa4307b87bcbb0091ba8541431367cbad068a092a6a8e968e1d26aab3172.exe
4324	c8a9fa4307b87bcbb0091ba8541431367cbad068a092a6a8e968e1d26aab3172.exe
4324	c8a9fa4307b87bcbb0091ba8541431367cbad068a092a6a8e968e1d26aab3172.exe
4324	c8a9fa4307b87bcbb0091ba8541431367cbad068a092a6a8e968e1d26aab3172.exe
3796	powershell.exe
3796	powershell.exe
3796	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

c8a9fa4307b87bcbb0091ba8541431367cbad068a092a6a8e968e1d26aab3172.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4324	c8a9fa4307b87bcbb0091ba8541431367cbad068a092a6a8e968e1d26aab3172.exe
Token: SeDebugPrivilege	3796	powershell.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

c8a9fa4307b87bcbb0091ba8541431367cbad068a092a6a8e968e1d26aab3172.exe

C:\Users\Admin\AppData\Local\Temp\c8a9fa4307b87bcbb0091ba8541431367cbad068a092a6a8e968e1d26aab3172.exe
"C:\Users\Admin\AppData\Local\Temp\c8a9fa4307b87bcbb0091ba8541431367cbad068a092a6a8e968e1d26aab3172.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4324

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\KHzfPiW.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3796

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KHzfPiW" /XML "C:\Users\Admin\AppData\Local\Temp\tmp497C.tmp"
2⤵
- Creates scheduled task(s)
PID:3772

C:\Users\Admin\AppData\Local\Temp\c8a9fa4307b87bcbb0091ba8541431367cbad068a092a6a8e968e1d26aab3172.exe
"C:\Users\Admin\AppData\Local\Temp\c8a9fa4307b87bcbb0091ba8541431367cbad068a092a6a8e968e1d26aab3172.exe"
2⤵
PID:3744

C:\Users\Admin\AppData\Local\Temp\c8a9fa4307b87bcbb0091ba8541431367cbad068a092a6a8e968e1d26aab3172.exe
"C:\Users\Admin\AppData\Local\Temp\c8a9fa4307b87bcbb0091ba8541431367cbad068a092a6a8e968e1d26aab3172.exe"
2⤵
PID:5096

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp497C.tmp
Filesize
1KB

MD5
08bb3920e5db8a98208e622bd372708d

SHA1
e3616b0ed44fa41a023cc32519d1813f626fe82e

SHA256
0a5743f15e4366982c2e523c4f891c742182246df63cb3b55306555020819aa9

SHA512
81d6019396bee4df7a88bcb9a08d0e9537848e1b15e3f33ada11369780b2d778338b04413029d1ac18a5cb6f064ae06e92019c4f62121354eac13a8697bfb5f7

Download Submit
memory/3772-201-0x0000000000000000-mapping.dmp

Download
memory/3796-199-0x0000000000000000-mapping.dmp

Download
memory/3796-259-0x0000000007240000-0x0000000007276000-memory.dmp

Filesize
216KB

Download
memory/3796-275-0x00000000079C0000-0x0000000007FE8000-memory.dmp

Filesize
6.2MB

Download
memory/3796-581-0x0000000007540000-0x0000000007548000-memory.dmp

Filesize
32KB

Download
memory/3796-576-0x0000000007550000-0x000000000756A000-memory.dmp

Filesize
104KB

Download
memory/3796-373-0x0000000009DB0000-0x0000000009E44000-memory.dmp

Filesize
592KB

Download
memory/3796-369-0x00000000099D0000-0x0000000009A75000-memory.dmp

Filesize
660KB

Download
memory/3796-360-0x0000000009870000-0x000000000988E000-memory.dmp

Filesize
120KB

Download
memory/3796-359-0x0000000009890000-0x00000000098C3000-memory.dmp

Filesize
204KB

Download
memory/3796-346-0x00000000089A0000-0x0000000008A16000-memory.dmp

Filesize
472KB

Download
memory/3796-340-0x0000000008750000-0x000000000879B000-memory.dmp

Filesize
300KB

Download
memory/3796-339-0x0000000008140000-0x000000000815C000-memory.dmp

Filesize
112KB

Download
memory/3796-329-0x0000000008380000-0x00000000086D0000-memory.dmp

Filesize
3.3MB

Download
memory/3796-324-0x0000000008060000-0x00000000080C6000-memory.dmp

Filesize
408KB

Download
memory/3796-326-0x00000000080D0000-0x0000000008136000-memory.dmp

Filesize
408KB

Download
memory/3796-320-0x0000000007930000-0x0000000007952000-memory.dmp

Filesize
136KB

Download
memory/4324-159-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4324-170-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4324-133-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4324-134-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4324-135-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4324-137-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4324-136-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4324-138-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4324-139-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4324-140-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4324-141-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4324-142-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4324-143-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4324-144-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4324-145-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4324-146-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4324-147-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4324-148-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4324-149-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4324-150-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4324-151-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4324-152-0x00000000008A0000-0x0000000000986000-memory.dmp

Filesize
920KB

Download
memory/4324-153-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4324-154-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4324-155-0x0000000005800000-0x0000000005CFE000-memory.dmp

Filesize
5.0MB

Download
memory/4324-156-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4324-157-0x00000000051B0000-0x0000000005242000-memory.dmp

Filesize
584KB

Download
memory/4324-158-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4324-131-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4324-160-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4324-161-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4324-162-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4324-163-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4324-164-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4324-165-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4324-166-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4324-167-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4324-168-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4324-169-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4324-132-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4324-171-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4324-172-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4324-173-0x0000000005250000-0x000000000525A000-memory.dmp

Filesize
40KB

Download
memory/4324-174-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4324-175-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4324-176-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4324-177-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4324-178-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4324-179-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4324-180-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4324-181-0x0000000005470000-0x0000000005484000-memory.dmp

Filesize
80KB

Download
memory/4324-182-0x0000000005620000-0x000000000562C000-memory.dmp

Filesize
48KB

Download
memory/4324-183-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4324-184-0x0000000008B30000-0x0000000008BDE000-memory.dmp

Filesize
696KB

Download
memory/4324-185-0x0000000008C80000-0x0000000008D1C000-memory.dmp

Filesize
624KB

Download
memory/4324-186-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4324-187-0x0000000009020000-0x0000000009370000-memory.dmp

Filesize
3.3MB

Download
memory/4324-188-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4324-189-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4324-190-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4324-130-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4324-129-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4324-128-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4324-127-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4324-249-0x0000000009380000-0x00000000093CC000-memory.dmp

Filesize
304KB

Download
memory/4324-118-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4324-119-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4324-126-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4324-125-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4324-124-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4324-123-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4324-122-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4324-121-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4324-120-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/5096-338-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/5096-257-0x000000000041AD7B-mapping.dmp

Download
memory/5096-599-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download

description	pid	process	target process
PID 4324 wrote to memory of 3796	4324	c8a9fa4307b87bcbb0091ba8541431367cbad068a092a6a8e968e1d26aab3172.exe	powershell.exe
PID 4324 wrote to memory of 3796	4324	c8a9fa4307b87bcbb0091ba8541431367cbad068a092a6a8e968e1d26aab3172.exe	powershell.exe
PID 4324 wrote to memory of 3796	4324	c8a9fa4307b87bcbb0091ba8541431367cbad068a092a6a8e968e1d26aab3172.exe	powershell.exe
PID 4324 wrote to memory of 3772	4324	c8a9fa4307b87bcbb0091ba8541431367cbad068a092a6a8e968e1d26aab3172.exe	schtasks.exe
PID 4324 wrote to memory of 3772	4324	c8a9fa4307b87bcbb0091ba8541431367cbad068a092a6a8e968e1d26aab3172.exe	schtasks.exe
PID 4324 wrote to memory of 3772	4324	c8a9fa4307b87bcbb0091ba8541431367cbad068a092a6a8e968e1d26aab3172.exe	schtasks.exe
PID 4324 wrote to memory of 3744	4324	c8a9fa4307b87bcbb0091ba8541431367cbad068a092a6a8e968e1d26aab3172.exe	c8a9fa4307b87bcbb0091ba8541431367cbad068a092a6a8e968e1d26aab3172.exe
PID 4324 wrote to memory of 3744	4324	c8a9fa4307b87bcbb0091ba8541431367cbad068a092a6a8e968e1d26aab3172.exe	c8a9fa4307b87bcbb0091ba8541431367cbad068a092a6a8e968e1d26aab3172.exe
PID 4324 wrote to memory of 3744	4324	c8a9fa4307b87bcbb0091ba8541431367cbad068a092a6a8e968e1d26aab3172.exe	c8a9fa4307b87bcbb0091ba8541431367cbad068a092a6a8e968e1d26aab3172.exe
PID 4324 wrote to memory of 5096	4324	c8a9fa4307b87bcbb0091ba8541431367cbad068a092a6a8e968e1d26aab3172.exe	c8a9fa4307b87bcbb0091ba8541431367cbad068a092a6a8e968e1d26aab3172.exe
PID 4324 wrote to memory of 5096	4324	c8a9fa4307b87bcbb0091ba8541431367cbad068a092a6a8e968e1d26aab3172.exe	c8a9fa4307b87bcbb0091ba8541431367cbad068a092a6a8e968e1d26aab3172.exe
PID 4324 wrote to memory of 5096	4324	c8a9fa4307b87bcbb0091ba8541431367cbad068a092a6a8e968e1d26aab3172.exe	c8a9fa4307b87bcbb0091ba8541431367cbad068a092a6a8e968e1d26aab3172.exe
PID 4324 wrote to memory of 5096	4324	c8a9fa4307b87bcbb0091ba8541431367cbad068a092a6a8e968e1d26aab3172.exe	c8a9fa4307b87bcbb0091ba8541431367cbad068a092a6a8e968e1d26aab3172.exe
PID 4324 wrote to memory of 5096	4324	c8a9fa4307b87bcbb0091ba8541431367cbad068a092a6a8e968e1d26aab3172.exe	c8a9fa4307b87bcbb0091ba8541431367cbad068a092a6a8e968e1d26aab3172.exe
PID 4324 wrote to memory of 5096	4324	c8a9fa4307b87bcbb0091ba8541431367cbad068a092a6a8e968e1d26aab3172.exe	c8a9fa4307b87bcbb0091ba8541431367cbad068a092a6a8e968e1d26aab3172.exe
PID 4324 wrote to memory of 5096	4324	c8a9fa4307b87bcbb0091ba8541431367cbad068a092a6a8e968e1d26aab3172.exe	c8a9fa4307b87bcbb0091ba8541431367cbad068a092a6a8e968e1d26aab3172.exe
PID 4324 wrote to memory of 5096	4324	c8a9fa4307b87bcbb0091ba8541431367cbad068a092a6a8e968e1d26aab3172.exe	c8a9fa4307b87bcbb0091ba8541431367cbad068a092a6a8e968e1d26aab3172.exe
PID 4324 wrote to memory of 5096	4324	c8a9fa4307b87bcbb0091ba8541431367cbad068a092a6a8e968e1d26aab3172.exe	c8a9fa4307b87bcbb0091ba8541431367cbad068a092a6a8e968e1d26aab3172.exe
PID 4324 wrote to memory of 5096	4324	c8a9fa4307b87bcbb0091ba8541431367cbad068a092a6a8e968e1d26aab3172.exe	c8a9fa4307b87bcbb0091ba8541431367cbad068a092a6a8e968e1d26aab3172.exe