netwire | efc5c94996f4af7ae3a2d17dfc73dd7fe3f84269e73bb611e5806f2fd131a646

Analysis

max time kernel
103s
max time network
136s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
07-03-2023 07:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

89468038.EXE.exe
Size

928KB
MD5

d616794167af5c88812aabaf65120fad
SHA1

ad1289875a05ba89cb6e10b08b95ee45bdf79d0f
SHA256

efc5c94996f4af7ae3a2d17dfc73dd7fe3f84269e73bb611e5806f2fd131a646
SHA512

8c2211e1472c53863d9c0bed2baf03c6ea2dd9b568480cee909a4fa157c229e3e651afc673168304bdfa875bf0eb056896dbb3906e1d66dcc8b23e4e075bceee
SSDEEP

24576:Jg7gUMoMnm9cU9VHb5Z763rs7u8BeV67s7nCrt8dB:vWMnGcU95nAsyTKug+

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

212.193.30.230:6826

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
install_path
%AppData%\Install\Host.exe
lock_executable
false
offline_keylogger
false
password
kolabo123
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 11 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/384-71-0x0000000000400000-0x000000000044F000-memory.dmp	netwire
behavioral1/memory/384-72-0x0000000000400000-0x000000000044F000-memory.dmp	netwire
behavioral1/memory/384-73-0x0000000000400000-0x000000000044F000-memory.dmp	netwire
behavioral1/memory/384-75-0x0000000000400000-0x000000000044F000-memory.dmp	netwire
behavioral1/memory/384-78-0x0000000000400000-0x000000000044F000-memory.dmp	netwire
behavioral1/memory/384-88-0x0000000000400000-0x000000000044F000-memory.dmp	netwire
behavioral1/memory/1028-112-0x0000000000400000-0x000000000044F000-memory.dmp	netwire
behavioral1/memory/1028-113-0x0000000000400000-0x000000000044F000-memory.dmp	netwire
behavioral1/memory/1028-114-0x0000000000400000-0x000000000044F000-memory.dmp	netwire
behavioral1/memory/1028-116-0x0000000000400000-0x000000000044F000-memory.dmp	netwire
behavioral1/memory/1028-118-0x0000000000400000-0x000000000044F000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

Host.exeHost.exe

pid process

112 Host.exe
1028 Host.exe
Loads dropped DLL 2 IoCs

Processes:

89468038.EXE.exe

pid process

384 89468038.EXE.exe
384 89468038.EXE.exe

pid	process
112	Host.exe
1028	Host.exe

pid	process
384	89468038.EXE.exe
384	89468038.EXE.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

89468038.EXE.exeHost.exe

description	pid	process	target process
PID 2040 set thread context of 384	2040	89468038.EXE.exe	89468038.EXE.exe
PID 112 set thread context of 1028	112	Host.exe	Host.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

460 schtasks.exe
964 schtasks.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

89468038.EXE.exepowershell.exeHost.exepowershell.exe

pid process

2040 89468038.EXE.exe
2040 89468038.EXE.exe
1904 powershell.exe
112 Host.exe
112 Host.exe
240 powershell.exe

pid	process
460	schtasks.exe
964	schtasks.exe

pid	process
2040	89468038.EXE.exe
2040	89468038.EXE.exe
1904	powershell.exe
112	Host.exe
112	Host.exe
240	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

89468038.EXE.exepowershell.exeHost.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2040	89468038.EXE.exe
Token: SeDebugPrivilege	1904	powershell.exe
Token: SeDebugPrivilege	112	Host.exe
Token: SeDebugPrivilege	240	powershell.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

89468038.EXE.exe89468038.EXE.exeHost.exe

description	pid	process	target process
PID 2040 wrote to memory of 1904	2040	89468038.EXE.exe	powershell.exe
PID 2040 wrote to memory of 1904	2040	89468038.EXE.exe	powershell.exe
PID 2040 wrote to memory of 1904	2040	89468038.EXE.exe	powershell.exe
PID 2040 wrote to memory of 1904	2040	89468038.EXE.exe	powershell.exe
PID 2040 wrote to memory of 460	2040	89468038.EXE.exe	schtasks.exe
PID 2040 wrote to memory of 460	2040	89468038.EXE.exe	schtasks.exe
PID 2040 wrote to memory of 460	2040	89468038.EXE.exe	schtasks.exe
PID 2040 wrote to memory of 460	2040	89468038.EXE.exe	schtasks.exe
PID 2040 wrote to memory of 384	2040	89468038.EXE.exe	89468038.EXE.exe
PID 2040 wrote to memory of 384	2040	89468038.EXE.exe	89468038.EXE.exe
PID 2040 wrote to memory of 384	2040	89468038.EXE.exe	89468038.EXE.exe
PID 2040 wrote to memory of 384	2040	89468038.EXE.exe	89468038.EXE.exe
PID 2040 wrote to memory of 384	2040	89468038.EXE.exe	89468038.EXE.exe
PID 2040 wrote to memory of 384	2040	89468038.EXE.exe	89468038.EXE.exe
PID 2040 wrote to memory of 384	2040	89468038.EXE.exe	89468038.EXE.exe
PID 2040 wrote to memory of 384	2040	89468038.EXE.exe	89468038.EXE.exe
PID 2040 wrote to memory of 384	2040	89468038.EXE.exe	89468038.EXE.exe
PID 2040 wrote to memory of 384	2040	89468038.EXE.exe	89468038.EXE.exe
PID 2040 wrote to memory of 384	2040	89468038.EXE.exe	89468038.EXE.exe
PID 384 wrote to memory of 112	384	89468038.EXE.exe	Host.exe
PID 384 wrote to memory of 112	384	89468038.EXE.exe	Host.exe
PID 384 wrote to memory of 112	384	89468038.EXE.exe	Host.exe
PID 384 wrote to memory of 112	384	89468038.EXE.exe	Host.exe
PID 112 wrote to memory of 240	112	Host.exe	powershell.exe
PID 112 wrote to memory of 240	112	Host.exe	powershell.exe
PID 112 wrote to memory of 240	112	Host.exe	powershell.exe
PID 112 wrote to memory of 240	112	Host.exe	powershell.exe
PID 112 wrote to memory of 964	112	Host.exe	schtasks.exe
PID 112 wrote to memory of 964	112	Host.exe	schtasks.exe
PID 112 wrote to memory of 964	112	Host.exe	schtasks.exe
PID 112 wrote to memory of 964	112	Host.exe	schtasks.exe
PID 112 wrote to memory of 1028	112	Host.exe	Host.exe
PID 112 wrote to memory of 1028	112	Host.exe	Host.exe
PID 112 wrote to memory of 1028	112	Host.exe	Host.exe
PID 112 wrote to memory of 1028	112	Host.exe	Host.exe
PID 112 wrote to memory of 1028	112	Host.exe	Host.exe
PID 112 wrote to memory of 1028	112	Host.exe	Host.exe
PID 112 wrote to memory of 1028	112	Host.exe	Host.exe
PID 112 wrote to memory of 1028	112	Host.exe	Host.exe
PID 112 wrote to memory of 1028	112	Host.exe	Host.exe
PID 112 wrote to memory of 1028	112	Host.exe	Host.exe
PID 112 wrote to memory of 1028	112	Host.exe	Host.exe

C:\Users\Admin\AppData\Local\Temp\89468038.EXE.exe
"C:\Users\Admin\AppData\Local\Temp\89468038.EXE.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\vrlnli.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1904

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vrlnli" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAD60.tmp"
2⤵
- Creates scheduled task(s)
PID:460

C:\Users\Admin\AppData\Local\Temp\89468038.EXE.exe
"C:\Users\Admin\AppData\Local\Temp\89468038.EXE.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:384

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:112

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\vrlnli.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:240

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vrlnli" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5497.tmp"
4⤵
- Creates scheduled task(s)
PID:964

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
4⤵
- Executes dropped EXE
PID:1028

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp5497.tmp
Filesize
1KB

MD5
d839533822aa138a924a1c9d63632c5e

SHA1
c842a27728e149035998e93ae37938b9e7b89261

SHA256
48dfaa32883f341668c8ab52562dcbf3b322284b71e12ce871038886aef180e3

SHA512
5a6046eff0765d0454ae906c391d3d7434c2f82346542d77071eabc25a2b948e9520c080846de5446fce3f7bd9e25bacfe595f05fd1870538621fb578375126c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAD60.tmp
Filesize
1KB

MD5
d839533822aa138a924a1c9d63632c5e

SHA1
c842a27728e149035998e93ae37938b9e7b89261

SHA256
48dfaa32883f341668c8ab52562dcbf3b322284b71e12ce871038886aef180e3

SHA512
5a6046eff0765d0454ae906c391d3d7434c2f82346542d77071eabc25a2b948e9520c080846de5446fce3f7bd9e25bacfe595f05fd1870538621fb578375126c

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
928KB

MD5
d616794167af5c88812aabaf65120fad

SHA1
ad1289875a05ba89cb6e10b08b95ee45bdf79d0f

SHA256
efc5c94996f4af7ae3a2d17dfc73dd7fe3f84269e73bb611e5806f2fd131a646

SHA512
8c2211e1472c53863d9c0bed2baf03c6ea2dd9b568480cee909a4fa157c229e3e651afc673168304bdfa875bf0eb056896dbb3906e1d66dcc8b23e4e075bceee

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
928KB

MD5
d616794167af5c88812aabaf65120fad

SHA1
ad1289875a05ba89cb6e10b08b95ee45bdf79d0f

SHA256
efc5c94996f4af7ae3a2d17dfc73dd7fe3f84269e73bb611e5806f2fd131a646

SHA512
8c2211e1472c53863d9c0bed2baf03c6ea2dd9b568480cee909a4fa157c229e3e651afc673168304bdfa875bf0eb056896dbb3906e1d66dcc8b23e4e075bceee

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
928KB

MD5
d616794167af5c88812aabaf65120fad

SHA1
ad1289875a05ba89cb6e10b08b95ee45bdf79d0f

SHA256
efc5c94996f4af7ae3a2d17dfc73dd7fe3f84269e73bb611e5806f2fd131a646

SHA512
8c2211e1472c53863d9c0bed2baf03c6ea2dd9b568480cee909a4fa157c229e3e651afc673168304bdfa875bf0eb056896dbb3906e1d66dcc8b23e4e075bceee

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
928KB

MD5
d616794167af5c88812aabaf65120fad

SHA1
ad1289875a05ba89cb6e10b08b95ee45bdf79d0f

SHA256
efc5c94996f4af7ae3a2d17dfc73dd7fe3f84269e73bb611e5806f2fd131a646

SHA512
8c2211e1472c53863d9c0bed2baf03c6ea2dd9b568480cee909a4fa157c229e3e651afc673168304bdfa875bf0eb056896dbb3906e1d66dcc8b23e4e075bceee

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\R72TA39CYBIUMZOJ2SPJ.temp
Filesize
7KB

MD5
efb692ac8eb9a81ffc27461387b67976

SHA1
cf866a34e31696cea475b1ddcd112c9933d6cdcd

SHA256
dfcb80ef44f5f4f54c1e5a75706e93cf5fd64cb92afda27236953c34ea86c97d

SHA512
435431a2af8d2bd2133f02e94a2538800cc7182a3fbfd2c087ec43df5ed871590a9014dd702e23200257d8b706695d03884352d4f24ddd655be443a139d296fd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
efb692ac8eb9a81ffc27461387b67976

SHA1
cf866a34e31696cea475b1ddcd112c9933d6cdcd

SHA256
dfcb80ef44f5f4f54c1e5a75706e93cf5fd64cb92afda27236953c34ea86c97d

SHA512
435431a2af8d2bd2133f02e94a2538800cc7182a3fbfd2c087ec43df5ed871590a9014dd702e23200257d8b706695d03884352d4f24ddd655be443a139d296fd

Download Submit
\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
928KB

MD5
d616794167af5c88812aabaf65120fad

SHA1
ad1289875a05ba89cb6e10b08b95ee45bdf79d0f

SHA256
efc5c94996f4af7ae3a2d17dfc73dd7fe3f84269e73bb611e5806f2fd131a646

SHA512
8c2211e1472c53863d9c0bed2baf03c6ea2dd9b568480cee909a4fa157c229e3e651afc673168304bdfa875bf0eb056896dbb3906e1d66dcc8b23e4e075bceee

Download Submit
\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
928KB

MD5
d616794167af5c88812aabaf65120fad

SHA1
ad1289875a05ba89cb6e10b08b95ee45bdf79d0f

SHA256
efc5c94996f4af7ae3a2d17dfc73dd7fe3f84269e73bb611e5806f2fd131a646

SHA512
8c2211e1472c53863d9c0bed2baf03c6ea2dd9b568480cee909a4fa157c229e3e651afc673168304bdfa875bf0eb056896dbb3906e1d66dcc8b23e4e075bceee

Download Submit
memory/112-94-0x0000000004860000-0x00000000048A0000-memory.dmp

Filesize
256KB

Download
memory/112-91-0x0000000004860000-0x00000000048A0000-memory.dmp

Filesize
256KB

Download
memory/112-90-0x00000000010E0000-0x00000000011CE000-memory.dmp

Filesize
952KB

Download
memory/384-69-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/384-66-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/384-75-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/384-74-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/384-78-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/384-73-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/384-72-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/384-88-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/384-71-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/384-70-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1028-108-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1028-118-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1028-116-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1028-114-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1028-113-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1028-112-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1904-77-0x00000000024B0000-0x00000000024F0000-memory.dmp

Filesize
256KB

Download
memory/1904-92-0x00000000024B0000-0x00000000024F0000-memory.dmp

Filesize
256KB

Download
memory/1904-93-0x00000000024B0000-0x00000000024F0000-memory.dmp

Filesize
256KB

Download
memory/2040-57-0x0000000004EA0000-0x0000000004EE0000-memory.dmp

Filesize
256KB

Download
memory/2040-55-0x0000000004EA0000-0x0000000004EE0000-memory.dmp

Filesize
256KB

Download
memory/2040-56-0x0000000000570000-0x0000000000586000-memory.dmp

Filesize
88KB

Download
memory/2040-54-0x0000000000BA0000-0x0000000000C8E000-memory.dmp

Filesize
952KB

Download
memory/2040-58-0x0000000000590000-0x000000000059C000-memory.dmp

Filesize
48KB

Download
memory/2040-59-0x00000000055D0000-0x0000000005694000-memory.dmp

Filesize
784KB

Download
memory/2040-65-0x0000000004900000-0x000000000494C000-memory.dmp

Filesize
304KB

Download