Malware Analysis Report

2025-01-18 16:51

Sample ID 230625-1f4desfg5x
Target HEUR-Trojan.MSIL.Generic-d15f99dbd30bae6e896c.exe
SHA256 d15f99dbd30bae6e896c52a810fbcba080ae3ba76f3fc0d9a7761c5736ec7c81
Tags
netwire botnet persistence rat stealer
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

d15f99dbd30bae6e896c52a810fbcba080ae3ba76f3fc0d9a7761c5736ec7c81

Threat Level: Known bad

The file HEUR-Trojan.MSIL.Generic-d15f99dbd30bae6e896c.exe was found to be: Known bad.

Malicious Activity Summary

netwire botnet persistence rat stealer

NetWire RAT payload

Netwire

Modifies Installed Components in the registry

Executes dropped EXE

Loads dropped DLL

Drops startup file

Checks computer location settings

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-06-25 21:36

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-06-25 21:36

Reported

2023-06-25 21:39

Platform

win7-20230621-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Generic-d15f99dbd30bae6e896c.exe"

Signatures

NetWire RAT payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Netwire

botnet stealer netwire

Modifies Installed Components in the registry

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{OTGC73Q0-N4WA-4861-311L-BE075477ANH7} | C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{OTGC73Q0-N4WA-4861-311L-BE075477ANH7}\StubPath = "\"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\AppLaunch.exe\"" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rundlll32.exe | C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Generic-d15f99dbd30bae6e896c.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rundlll32.exe | C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Generic-d15f99dbd30bae6e896c.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rundlll32.ge14qysk.lnk | C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Generic-d15f99dbd30bae6e896c.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ | C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows defender = "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\AppLaunch.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1052 set thread context of 548 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rundlll32.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe | N/A
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\Settings.ini | C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe | N/A
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\Settings.ini | C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe | N/A

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Generic-d15f99dbd30bae6e896c.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Generic-d15f99dbd30bae6e896c.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1092 wrote to memory of 1052 | N/A | C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Generic-d15f99dbd30bae6e896c.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rundlll32.exe [row repeated 4 times]
PID 1052 wrote to memory of 1844 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rundlll32.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rundlll32.exe [row repeated 4 times]
PID 1052 wrote to memory of 548 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rundlll32.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe [row repeated 12 times]

Processes

C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Generic-d15f99dbd30bae6e896c.exe

"C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Generic-d15f99dbd30bae6e896c.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rundlll32.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rundlll32.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rundlll32.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rundlll32.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | sosclient.duckdns.org | udp
US | 192.169.69.26:9002 | sosclient.duckdns.org | tcp [row repeated 60 times]
US | 8.8.8.8:53 | sosclient.duckdns.org | udp
US | 192.169.69.26:9002 | sosclient.duckdns.org | tcp [row repeated 45 times]
US | 8.8.8.8:53 | sosclient.duckdns.org | udp
US | 192.169.69.26:9002 | sosclient.duckdns.org | tcp [row repeated 8 times]

Files

memory/1092-54-0x00000000003B0000-0x00000000003F0000-memory.dmp

\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rundlll32.exe

MD5 7a6a6b35d4bc575897a1420134afc96a
SHA1 9c5e87ce87b70a52f57097172c2babde2021454b
SHA256 d15f99dbd30bae6e896c52a810fbcba080ae3ba76f3fc0d9a7761c5736ec7c81
SHA512 b879c2bf81017f8f97d4db3b458d6f3ff6eb1acb6e28394d9a292d58e83194857c6c5981378170e81d383340eb3eff42d2d64ce54ebd7a3e7357988428da5d2e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rundlll32.exe

MD5 7a6a6b35d4bc575897a1420134afc96a
SHA1 9c5e87ce87b70a52f57097172c2babde2021454b
SHA256 d15f99dbd30bae6e896c52a810fbcba080ae3ba76f3fc0d9a7761c5736ec7c81
SHA512 b879c2bf81017f8f97d4db3b458d6f3ff6eb1acb6e28394d9a292d58e83194857c6c5981378170e81d383340eb3eff42d2d64ce54ebd7a3e7357988428da5d2e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rundlll32.exe

MD5 7a6a6b35d4bc575897a1420134afc96a
SHA1 9c5e87ce87b70a52f57097172c2babde2021454b
SHA256 d15f99dbd30bae6e896c52a810fbcba080ae3ba76f3fc0d9a7761c5736ec7c81
SHA512 b879c2bf81017f8f97d4db3b458d6f3ff6eb1acb6e28394d9a292d58e83194857c6c5981378170e81d383340eb3eff42d2d64ce54ebd7a3e7357988428da5d2e

\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rundlll32.exe

MD5 7a6a6b35d4bc575897a1420134afc96a
SHA1 9c5e87ce87b70a52f57097172c2babde2021454b
SHA256 d15f99dbd30bae6e896c52a810fbcba080ae3ba76f3fc0d9a7761c5736ec7c81
SHA512 b879c2bf81017f8f97d4db3b458d6f3ff6eb1acb6e28394d9a292d58e83194857c6c5981378170e81d383340eb3eff42d2d64ce54ebd7a3e7357988428da5d2e

memory/1052-64-0x0000000000A50000-0x0000000000A90000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rundlll32.exe

MD5 7a6a6b35d4bc575897a1420134afc96a
SHA1 9c5e87ce87b70a52f57097172c2babde2021454b
SHA256 d15f99dbd30bae6e896c52a810fbcba080ae3ba76f3fc0d9a7761c5736ec7c81
SHA512 b879c2bf81017f8f97d4db3b458d6f3ff6eb1acb6e28394d9a292d58e83194857c6c5981378170e81d383340eb3eff42d2d64ce54ebd7a3e7357988428da5d2e

memory/1844-66-0x0000000000310000-0x0000000000350000-memory.dmp

memory/1844-67-0x0000000000310000-0x0000000000350000-memory.dmp

memory/548-68-0x0000000000400000-0x0000000000420000-memory.dmp

memory/548-70-0x0000000000400000-0x0000000000420000-memory.dmp

memory/548-74-0x0000000000400000-0x0000000000420000-memory.dmp

memory/548-75-0x0000000000400000-0x0000000000420000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-06-25 21:36

Reported

2023-06-25 21:39

Platform

win10v2004-20230621-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Generic-d15f99dbd30bae6e896c.exe"

Signatures

NetWire RAT payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Netwire

botnet stealer netwire

Modifies Installed Components in the registry

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{OTGC73Q0-N4WA-4861-311L-BE075477ANH7} | C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{OTGC73Q0-N4WA-4861-311L-BE075477ANH7}\StubPath = "\"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\AppLaunch.exe\"" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Generic-d15f99dbd30bae6e896c.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rundlll32.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rundlll32.exe | C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Generic-d15f99dbd30bae6e896c.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rundlll32.exe | C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Generic-d15f99dbd30bae6e896c.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rundlll32.swbr22db.lnk | C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Generic-d15f99dbd30bae6e896c.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ | C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows defender = "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\AppLaunch.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 3228 set thread context of 4268 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rundlll32.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe | N/A
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\Settings.ini | C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe | N/A
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\Settings.ini | C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe | N/A

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Generic-d15f99dbd30bae6e896c.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Generic-d15f99dbd30bae6e896c.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4796 wrote to memory of 3228 | N/A | C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Generic-d15f99dbd30bae6e896c.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rundlll32.exe [row repeated 3 times]
PID 3228 wrote to memory of 956 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rundlll32.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rundlll32.exe [row repeated 3 times]
PID 3228 wrote to memory of 4268 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rundlll32.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe [row repeated 8 times]

Processes

C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Generic-d15f99dbd30bae6e896c.exe

"C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Generic-d15f99dbd30bae6e896c.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rundlll32.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rundlll32.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rundlll32.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rundlll32.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 81.121.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 229.78.74.40.in-addr.arpa | udp
US | 8.8.8.8:53 | sosclient.duckdns.org | udp
US | 192.169.69.26:9002 | sosclient.duckdns.org | tcp [row repeated 2 times]
US | 8.8.8.8:53 | 26.69.169.192.in-addr.arpa | udp
US | 192.169.69.26:9002 | sosclient.duckdns.org | tcp [row repeated 23 times]
US | 209.197.3.8:80 |  | tcp [row repeated 2 times]
US | 192.169.69.26:9002 | sosclient.duckdns.org | tcp [row repeated 5 times]
GB | 23.44.233.195:443 |  | tcp
US | 192.169.69.26:9002 | sosclient.duckdns.org | tcp
US | 8.8.8.8:53 | 233.141.123.20.in-addr.arpa | udp
US | 192.169.69.26:9002 | sosclient.duckdns.org | tcp [row repeated 7 times]
US | 209.197.3.8:80 |  | tcp
US | 192.169.69.26:9002 | sosclient.duckdns.org | tcp [row repeated 2 times]
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 192.169.69.26:9002 | sosclient.duckdns.org | tcp [row repeated 20 times]
US | 8.8.8.8:53 | sosclient.duckdns.org | udp
US | 192.169.69.26:9002 | sosclient.duckdns.org | tcp [row repeated 60 times]
US | 8.8.8.8:53 | sosclient.duckdns.org | udp
US | 192.169.69.26:9002 | sosclient.duckdns.org | tcp [row repeated 8 times]

Files

memory/4796-133-0x0000000000A60000-0x0000000000A70000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rundlll32.exe

MD5 7a6a6b35d4bc575897a1420134afc96a
SHA1 9c5e87ce87b70a52f57097172c2babde2021454b
SHA256 d15f99dbd30bae6e896c52a810fbcba080ae3ba76f3fc0d9a7761c5736ec7c81
SHA512 b879c2bf81017f8f97d4db3b458d6f3ff6eb1acb6e28394d9a292d58e83194857c6c5981378170e81d383340eb3eff42d2d64ce54ebd7a3e7357988428da5d2e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rundlll32.exe

MD5 7a6a6b35d4bc575897a1420134afc96a
SHA1 9c5e87ce87b70a52f57097172c2babde2021454b
SHA256 d15f99dbd30bae6e896c52a810fbcba080ae3ba76f3fc0d9a7761c5736ec7c81
SHA512 b879c2bf81017f8f97d4db3b458d6f3ff6eb1acb6e28394d9a292d58e83194857c6c5981378170e81d383340eb3eff42d2d64ce54ebd7a3e7357988428da5d2e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rundlll32.exe

MD5 7a6a6b35d4bc575897a1420134afc96a
SHA1 9c5e87ce87b70a52f57097172c2babde2021454b
SHA256 d15f99dbd30bae6e896c52a810fbcba080ae3ba76f3fc0d9a7761c5736ec7c81
SHA512 b879c2bf81017f8f97d4db3b458d6f3ff6eb1acb6e28394d9a292d58e83194857c6c5981378170e81d383340eb3eff42d2d64ce54ebd7a3e7357988428da5d2e

memory/3228-147-0x00000000014D0000-0x00000000014E0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rundlll32.exe

MD5 7a6a6b35d4bc575897a1420134afc96a
SHA1 9c5e87ce87b70a52f57097172c2babde2021454b
SHA256 d15f99dbd30bae6e896c52a810fbcba080ae3ba76f3fc0d9a7761c5736ec7c81
SHA512 b879c2bf81017f8f97d4db3b458d6f3ff6eb1acb6e28394d9a292d58e83194857c6c5981378170e81d383340eb3eff42d2d64ce54ebd7a3e7357988428da5d2e

memory/956-149-0x00000000014C0000-0x00000000014D0000-memory.dmp

memory/3228-150-0x00000000014D0000-0x00000000014E0000-memory.dmp

memory/956-151-0x00000000014C0000-0x00000000014D0000-memory.dmp

memory/4268-152-0x0000000000400000-0x0000000000420000-memory.dmp

memory/4268-154-0x0000000000400000-0x0000000000420000-memory.dmp

memory/4268-157-0x0000000000400000-0x0000000000420000-memory.dmp

memory/4268-158-0x0000000000400000-0x0000000000420000-memory.dmp