netwire | 046bf1870416a2ea4108d3809fcdfda514663aa9fabd74b88f78c7e332eb397d

Analysis

max time kernel
105s
max time network
139s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
07-03-2023 08:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

89468038.exe
Size

928KB
MD5

d616794167af5c88812aabaf65120fad
SHA1

ad1289875a05ba89cb6e10b08b95ee45bdf79d0f
SHA256

efc5c94996f4af7ae3a2d17dfc73dd7fe3f84269e73bb611e5806f2fd131a646
SHA512

8c2211e1472c53863d9c0bed2baf03c6ea2dd9b568480cee909a4fa157c229e3e651afc673168304bdfa875bf0eb056896dbb3906e1d66dcc8b23e4e075bceee
SSDEEP

24576:Jg7gUMoMnm9cU9VHb5Z763rs7u8BeV67s7nCrt8dB:vWMnGcU95nAsyTKug+

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

212.193.30.230:6826

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
install_path
%AppData%\Install\Host.exe
lock_executable
false
offline_keylogger
false
password
kolabo123
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 13 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/556-71-0x0000000000400000-0x000000000044F000-memory.dmp	netwire
behavioral1/memory/556-72-0x0000000000400000-0x000000000044F000-memory.dmp	netwire
behavioral1/memory/556-73-0x0000000000400000-0x000000000044F000-memory.dmp	netwire
behavioral1/memory/556-75-0x0000000000400000-0x000000000044F000-memory.dmp	netwire
behavioral1/memory/556-77-0x0000000000400000-0x000000000044F000-memory.dmp	netwire
behavioral1/memory/556-87-0x0000000000400000-0x000000000044F000-memory.dmp	netwire
behavioral1/memory/1808-94-0x0000000004EE0000-0x0000000004F20000-memory.dmp	netwire
behavioral1/memory/1964-113-0x0000000000400000-0x000000000044F000-memory.dmp	netwire
behavioral1/memory/1964-114-0x0000000000400000-0x000000000044F000-memory.dmp	netwire
behavioral1/memory/1964-115-0x0000000000400000-0x000000000044F000-memory.dmp	netwire
behavioral1/memory/1964-116-0x0000000000400000-0x000000000044F000-memory.dmp	netwire
behavioral1/memory/1964-117-0x0000000000400000-0x000000000044F000-memory.dmp	netwire
behavioral1/memory/1964-119-0x0000000000400000-0x000000000044F000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 3 IoCs

Processes:

Host.exeHost.exeHost.exe

pid process

1808 Host.exe
1136 Host.exe
1964 Host.exe
Loads dropped DLL 2 IoCs

Processes:

89468038.exe

pid process

556 89468038.exe
556 89468038.exe

pid	process
1808	Host.exe
1136	Host.exe
1964	Host.exe

pid	process
556	89468038.exe
556	89468038.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

89468038.exeHost.exe

description	pid	process	target process
PID 884 set thread context of 556	884	89468038.exe	89468038.exe
PID 1808 set thread context of 1964	1808	Host.exe	Host.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1452 schtasks.exe
1756 schtasks.exe
Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

89468038.exepowershell.exeHost.exepowershell.exe

pid process

884 89468038.exe
884 89468038.exe
1112 powershell.exe
1808 Host.exe
1272 powershell.exe
1808 Host.exe
1808 Host.exe

pid	process
1452	schtasks.exe
1756	schtasks.exe

pid	process
884	89468038.exe
884	89468038.exe
1112	powershell.exe
1808	Host.exe
1272	powershell.exe
1808	Host.exe
1808	Host.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

89468038.exepowershell.exeHost.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	884	89468038.exe
Token: SeDebugPrivilege	1112	powershell.exe
Token: SeDebugPrivilege	1808	Host.exe
Token: SeDebugPrivilege	1272	powershell.exe

Suspicious use of WriteProcessMemory 46 IoCs

Processes:

89468038.exe89468038.exeHost.exe

description	pid	process	target process
PID 884 wrote to memory of 1112	884	89468038.exe	powershell.exe
PID 884 wrote to memory of 1112	884	89468038.exe	powershell.exe
PID 884 wrote to memory of 1112	884	89468038.exe	powershell.exe
PID 884 wrote to memory of 1112	884	89468038.exe	powershell.exe
PID 884 wrote to memory of 1452	884	89468038.exe	schtasks.exe
PID 884 wrote to memory of 1452	884	89468038.exe	schtasks.exe
PID 884 wrote to memory of 1452	884	89468038.exe	schtasks.exe
PID 884 wrote to memory of 1452	884	89468038.exe	schtasks.exe
PID 884 wrote to memory of 556	884	89468038.exe	89468038.exe
PID 884 wrote to memory of 556	884	89468038.exe	89468038.exe
PID 884 wrote to memory of 556	884	89468038.exe	89468038.exe
PID 884 wrote to memory of 556	884	89468038.exe	89468038.exe
PID 884 wrote to memory of 556	884	89468038.exe	89468038.exe
PID 884 wrote to memory of 556	884	89468038.exe	89468038.exe
PID 884 wrote to memory of 556	884	89468038.exe	89468038.exe
PID 884 wrote to memory of 556	884	89468038.exe	89468038.exe
PID 884 wrote to memory of 556	884	89468038.exe	89468038.exe
PID 884 wrote to memory of 556	884	89468038.exe	89468038.exe
PID 884 wrote to memory of 556	884	89468038.exe	89468038.exe
PID 556 wrote to memory of 1808	556	89468038.exe	Host.exe
PID 556 wrote to memory of 1808	556	89468038.exe	Host.exe
PID 556 wrote to memory of 1808	556	89468038.exe	Host.exe
PID 556 wrote to memory of 1808	556	89468038.exe	Host.exe
PID 1808 wrote to memory of 1272	1808	Host.exe	powershell.exe
PID 1808 wrote to memory of 1272	1808	Host.exe	powershell.exe
PID 1808 wrote to memory of 1272	1808	Host.exe	powershell.exe
PID 1808 wrote to memory of 1272	1808	Host.exe	powershell.exe
PID 1808 wrote to memory of 1756	1808	Host.exe	schtasks.exe
PID 1808 wrote to memory of 1756	1808	Host.exe	schtasks.exe
PID 1808 wrote to memory of 1756	1808	Host.exe	schtasks.exe
PID 1808 wrote to memory of 1756	1808	Host.exe	schtasks.exe
PID 1808 wrote to memory of 1136	1808	Host.exe	Host.exe
PID 1808 wrote to memory of 1136	1808	Host.exe	Host.exe
PID 1808 wrote to memory of 1136	1808	Host.exe	Host.exe
PID 1808 wrote to memory of 1136	1808	Host.exe	Host.exe
PID 1808 wrote to memory of 1964	1808	Host.exe	Host.exe
PID 1808 wrote to memory of 1964	1808	Host.exe	Host.exe
PID 1808 wrote to memory of 1964	1808	Host.exe	Host.exe
PID 1808 wrote to memory of 1964	1808	Host.exe	Host.exe
PID 1808 wrote to memory of 1964	1808	Host.exe	Host.exe
PID 1808 wrote to memory of 1964	1808	Host.exe	Host.exe
PID 1808 wrote to memory of 1964	1808	Host.exe	Host.exe
PID 1808 wrote to memory of 1964	1808	Host.exe	Host.exe
PID 1808 wrote to memory of 1964	1808	Host.exe	Host.exe
PID 1808 wrote to memory of 1964	1808	Host.exe	Host.exe
PID 1808 wrote to memory of 1964	1808	Host.exe	Host.exe

C:\Users\Admin\AppData\Local\Temp\89468038.exe
"C:\Users\Admin\AppData\Local\Temp\89468038.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:884

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\vrlnli.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1112

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vrlnli" /XML "C:\Users\Admin\AppData\Local\Temp\tmp15D3.tmp"
2⤵
- Creates scheduled task(s)
PID:1452

C:\Users\Admin\AppData\Local\Temp\89468038.exe
"C:\Users\Admin\AppData\Local\Temp\89468038.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:556

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1808

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\vrlnli.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1272

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vrlnli" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBC10.tmp"
4⤵
- Creates scheduled task(s)
PID:1756

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
4⤵
- Executes dropped EXE
PID:1136

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
4⤵
- Executes dropped EXE
PID:1964

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp15D3.tmp
Filesize
1KB

MD5
5cd292e98ba3035e1967da4b0235115b

SHA1
dc042d19c5f4dbf32da45da0f4e75ce7804f9278

SHA256
90ebd3d94d62e3e7a8c48336555d158b3f9bdc81bde87f9c06d94c6a27a2af1b

SHA512
74c932cb779950046ac47ccb8ba04509fb5a1ddec1d2fcb853146c080ae69c8f0ba20edde2204978475fd292f5523f97d3cbb4569701f7d92866fea00c88a6ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBC10.tmp
Filesize
1KB

MD5
5cd292e98ba3035e1967da4b0235115b

SHA1
dc042d19c5f4dbf32da45da0f4e75ce7804f9278

SHA256
90ebd3d94d62e3e7a8c48336555d158b3f9bdc81bde87f9c06d94c6a27a2af1b

SHA512
74c932cb779950046ac47ccb8ba04509fb5a1ddec1d2fcb853146c080ae69c8f0ba20edde2204978475fd292f5523f97d3cbb4569701f7d92866fea00c88a6ee

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
928KB

MD5
d616794167af5c88812aabaf65120fad

SHA1
ad1289875a05ba89cb6e10b08b95ee45bdf79d0f

SHA256
efc5c94996f4af7ae3a2d17dfc73dd7fe3f84269e73bb611e5806f2fd131a646

SHA512
8c2211e1472c53863d9c0bed2baf03c6ea2dd9b568480cee909a4fa157c229e3e651afc673168304bdfa875bf0eb056896dbb3906e1d66dcc8b23e4e075bceee

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
928KB

MD5
d616794167af5c88812aabaf65120fad

SHA1
ad1289875a05ba89cb6e10b08b95ee45bdf79d0f

SHA256
efc5c94996f4af7ae3a2d17dfc73dd7fe3f84269e73bb611e5806f2fd131a646

SHA512
8c2211e1472c53863d9c0bed2baf03c6ea2dd9b568480cee909a4fa157c229e3e651afc673168304bdfa875bf0eb056896dbb3906e1d66dcc8b23e4e075bceee

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
928KB

MD5
d616794167af5c88812aabaf65120fad

SHA1
ad1289875a05ba89cb6e10b08b95ee45bdf79d0f

SHA256
efc5c94996f4af7ae3a2d17dfc73dd7fe3f84269e73bb611e5806f2fd131a646

SHA512
8c2211e1472c53863d9c0bed2baf03c6ea2dd9b568480cee909a4fa157c229e3e651afc673168304bdfa875bf0eb056896dbb3906e1d66dcc8b23e4e075bceee

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
928KB

MD5
d616794167af5c88812aabaf65120fad

SHA1
ad1289875a05ba89cb6e10b08b95ee45bdf79d0f

SHA256
efc5c94996f4af7ae3a2d17dfc73dd7fe3f84269e73bb611e5806f2fd131a646

SHA512
8c2211e1472c53863d9c0bed2baf03c6ea2dd9b568480cee909a4fa157c229e3e651afc673168304bdfa875bf0eb056896dbb3906e1d66dcc8b23e4e075bceee

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
928KB

MD5
d616794167af5c88812aabaf65120fad

SHA1
ad1289875a05ba89cb6e10b08b95ee45bdf79d0f

SHA256
efc5c94996f4af7ae3a2d17dfc73dd7fe3f84269e73bb611e5806f2fd131a646

SHA512
8c2211e1472c53863d9c0bed2baf03c6ea2dd9b568480cee909a4fa157c229e3e651afc673168304bdfa875bf0eb056896dbb3906e1d66dcc8b23e4e075bceee

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\4GH0JKQY26ZNYXM4611C.temp
Filesize
7KB

MD5
6200ed9687f1cb2a91f18e66358fc2af

SHA1
53a4f1c17ef9f78f80ecaa627b8cdb2fc8e40e1b

SHA256
464ab916505b46b3a7a3694e40c0a91baa3afeec20ad56069c31acbf6aac49ea

SHA512
41e902e83e4eece85d2935ef9dab88bbccbea0587d4a6a4bbb29ec77bec8361d336f09afbc83e0cc7d06f5f061816eeb98682dfb828cf1112e050e6df0371452

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
6200ed9687f1cb2a91f18e66358fc2af

SHA1
53a4f1c17ef9f78f80ecaa627b8cdb2fc8e40e1b

SHA256
464ab916505b46b3a7a3694e40c0a91baa3afeec20ad56069c31acbf6aac49ea

SHA512
41e902e83e4eece85d2935ef9dab88bbccbea0587d4a6a4bbb29ec77bec8361d336f09afbc83e0cc7d06f5f061816eeb98682dfb828cf1112e050e6df0371452

Download Submit
\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
928KB

MD5
d616794167af5c88812aabaf65120fad

SHA1
ad1289875a05ba89cb6e10b08b95ee45bdf79d0f

SHA256
efc5c94996f4af7ae3a2d17dfc73dd7fe3f84269e73bb611e5806f2fd131a646

SHA512
8c2211e1472c53863d9c0bed2baf03c6ea2dd9b568480cee909a4fa157c229e3e651afc673168304bdfa875bf0eb056896dbb3906e1d66dcc8b23e4e075bceee

Download Submit
\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
928KB

MD5
d616794167af5c88812aabaf65120fad

SHA1
ad1289875a05ba89cb6e10b08b95ee45bdf79d0f

SHA256
efc5c94996f4af7ae3a2d17dfc73dd7fe3f84269e73bb611e5806f2fd131a646

SHA512
8c2211e1472c53863d9c0bed2baf03c6ea2dd9b568480cee909a4fa157c229e3e651afc673168304bdfa875bf0eb056896dbb3906e1d66dcc8b23e4e075bceee

Download Submit
memory/556-73-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/556-87-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/556-69-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/556-74-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/556-75-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/556-77-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/556-71-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/556-68-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/556-70-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/556-72-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/884-65-0x0000000005600000-0x000000000564C000-memory.dmp

Filesize
304KB

Download
memory/884-59-0x0000000005540000-0x0000000005604000-memory.dmp

Filesize
784KB

Download
memory/884-55-0x0000000002190000-0x00000000021D0000-memory.dmp

Filesize
256KB

Download
memory/884-56-0x00000000003C0000-0x00000000003D6000-memory.dmp

Filesize
88KB

Download
memory/884-58-0x0000000000520000-0x000000000052C000-memory.dmp

Filesize
48KB

Download
memory/884-57-0x0000000002190000-0x00000000021D0000-memory.dmp

Filesize
256KB

Download
memory/884-54-0x0000000000870000-0x000000000095E000-memory.dmp

Filesize
952KB

Download
memory/1112-92-0x0000000002550000-0x0000000002590000-memory.dmp

Filesize
256KB

Download
memory/1112-93-0x0000000002550000-0x0000000002590000-memory.dmp

Filesize
256KB

Download
memory/1808-94-0x0000000004EE0000-0x0000000004F20000-memory.dmp

Filesize
256KB

Download
memory/1808-91-0x0000000004EE0000-0x0000000004F20000-memory.dmp

Filesize
256KB

Download
memory/1808-90-0x00000000002C0000-0x00000000002D6000-memory.dmp

Filesize
88KB

Download
memory/1808-89-0x0000000000D10000-0x0000000000DFE000-memory.dmp

Filesize
952KB

Download
memory/1964-109-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1964-113-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1964-114-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1964-115-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1964-116-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1964-117-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1964-119-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download