Malware Analysis Report

2025-01-18 16:51

Sample ID 230625-n6wp2sdh44
Target 91bfa2445d998425c81f30d293235429ca6a8c6c8f326536478952a2a6754aac.zip
SHA256 51a26615359fa83ea8687290e2141f753b6969e1905c5aa78bf2c1708904806c
Tags netwire botnet persistence rat stealer upx
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V6
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10

SHA256 51a26615359fa83ea8687290e2141f753b6969e1905c5aa78bf2c1708904806c

Threat Level: Known bad

The file 91bfa2445d998425c81f30d293235429ca6a8c6c8f326536478952a2a6754aac.zip was found to be: Known bad.

Malicious Activity Summary

netwire botnet persistence rat stealer upx

Netwire

NetWire RAT payload

UPX packed file

Executes dropped EXE

Loads dropped DLL

Drops startup file

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

Program crash

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2023-06-25 12:01

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2023-06-25 12:01
Reported 2023-06-25 12:04
Platform win7-20230621-en
Max time kernel 144s
Max time network 33s

Command Line

"C:\Users\Admin\AppData\Local\Temp\91bfa2445d998425c81f30d293235429ca6a8c6c8f326536478952a2a6754aac.exe"

Signatures

NetWire RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A (×8)

Netwire

botnet stealer netwire

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (×15)

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\91bfa2445d998425c81f30d293235429ca6a8c6c8f326536478952a2a6754aac.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\91bfa2445d998425c81f30d293235429ca6a8c6c8f326536478952a2a6754aac.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 608 set thread context of 1168 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1724 wrote to memory of 608 N/A C:\Users\Admin\AppData\Local\Temp\91bfa2445d998425c81f30d293235429ca6a8c6c8f326536478952a2a6754aac.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz (×7)
PID 608 wrote to memory of 588 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz C:\Windows\SysWOW64\cmd.exe (×7)
PID 608 wrote to memory of 268 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz C:\Windows\SysWOW64\cmd.exe (×7)
PID 608 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz (×9)
PID 268 wrote to memory of 1096 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe (×7)
PID 608 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
PID 1096 wrote to memory of 1500 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe (×7)
PID 608 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz (×7)
PID 1168 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz C:\Windows\SysWOW64\WerFault.exe (×7)

Processes

C:\Users\Admin\AppData\Local\Temp\91bfa2445d998425c81f30d293235429ca6a8c6c8f326536478952a2a6754aac.exe

"C:\Users\Admin\AppData\Local\Temp\91bfa2445d998425c81f30d293235429ca6a8c6c8f326536478952a2a6754aac.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

C:\Windows\SysWOW64\cmd.exe

/c net stop MpsSvc

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz

C:\Windows\SysWOW64\net.exe

net stop MpsSvc

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MpsSvc

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1168 -s 292

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz

MD5 b2af3b332d92fc09b79c4bf85263fd22
SHA1 cbb3c3a4b17ba2888cfd0b96f59a5bc454d4ef32
SHA256 b9dd8dfdb9a3fd61b2acffe0018cdf99b02c97025ae0d41a7aac7c9d76647b58
SHA512 b6d7271b1b0e7285bff25b8edb0f31cc7076bbbf611a4bfa9a457463c38ba7d0f5694f89b18a5b26b0f793e76dc0a0e5279dbf4cf976a6b52787157523e17932

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz

MD5 b2af3b332d92fc09b79c4bf85263fd22
SHA1 cbb3c3a4b17ba2888cfd0b96f59a5bc454d4ef32
SHA256 b9dd8dfdb9a3fd61b2acffe0018cdf99b02c97025ae0d41a7aac7c9d76647b58
SHA512 b6d7271b1b0e7285bff25b8edb0f31cc7076bbbf611a4bfa9a457463c38ba7d0f5694f89b18a5b26b0f793e76dc0a0e5279dbf4cf976a6b52787157523e17932

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xy_

MD5 4b28fc60df0738257092268a36fe321e
SHA1 f3440893908f4e59099664ce0abd323ada87e05c
SHA256 7b7170132465e0f87bf9a411324a07c27dd49268f4e9fd8f9d2b61e703b4bd29
SHA512 9335d367203da5d9cb452ca12eda00aa26ce451b0ed5d4fea3fbe1cee258b35b983ce96f25745855063fd35f065ed865cce9e9053c5bb29f1b97db6e31e5cb3e

C:\Users\Admin\AppData\Local\CSIDL_

MD5 4b28fc60df0738257092268a36fe321e
SHA1 f3440893908f4e59099664ce0abd323ada87e05c
SHA256 7b7170132465e0f87bf9a411324a07c27dd49268f4e9fd8f9d2b61e703b4bd29
SHA512 9335d367203da5d9cb452ca12eda00aa26ce451b0ed5d4fea3fbe1cee258b35b983ce96f25745855063fd35f065ed865cce9e9053c5bb29f1b97db6e31e5cb3e

memory/608-74-0x0000000000250000-0x0000000000255000-memory.dmp

memory/1168-76-0x0000000000300000-0x0000000000400000-memory.dmp

memory/1168-77-0x0000000000400000-0x0000000001080000-memory.dmp

memory/1168-78-0x0000000000400000-0x0000000001080000-memory.dmp

memory/1168-79-0x0000000000400000-0x0000000001080000-memory.dmp

memory/1168-80-0x0000000000400000-0x0000000001080000-memory.dmp

memory/1168-81-0x0000000000400000-0x0000000001080000-memory.dmp

memory/1168-82-0x0000000000400000-0x0000000001080000-memory.dmp

memory/1168-83-0x0000000000400000-0x0000000001080000-memory.dmp

memory/1168-84-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1168-85-0x0000000000400000-0x0000000001080000-memory.dmp

memory/1168-88-0x0000000000400000-0x0000000001080000-memory.dmp

memory/1168-97-0x0000000000400000-0x0000000001080000-memory.dmp

memory/608-99-0x0000000000400000-0x0000000001400000-memory.dmp

memory/1168-100-0x0000000000400000-0x0000000000420000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2023-06-25 12:01
Reported 2023-06-25 12:04
Platform win10v2004-20230621-en
Max time kernel 100s
Max time network 127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\91bfa2445d998425c81f30d293235429ca6a8c6c8f326536478952a2a6754aac.exe"

Signatures

NetWire RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A (×5)

Netwire

botnet stealer netwire

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (×4)

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\91bfa2445d998425c81f30d293235429ca6a8c6c8f326536478952a2a6754aac.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\91bfa2445d998425c81f30d293235429ca6a8c6c8f326536478952a2a6754aac.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2096 set thread context of 320 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3824 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\91bfa2445d998425c81f30d293235429ca6a8c6c8f326536478952a2a6754aac.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz (×3)
PID 2096 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz C:\Windows\SysWOW64\cmd.exe (×3)
PID 2096 wrote to memory of 212 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz C:\Windows\SysWOW64\cmd.exe (×3)
PID 2096 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz (×13)
PID 212 wrote to memory of 1824 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe (×3)
PID 1824 wrote to memory of 1836 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe (×3)
PID 2096 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz

Processes

C:\Users\Admin\AppData\Local\Temp\91bfa2445d998425c81f30d293235429ca6a8c6c8f326536478952a2a6754aac.exe

"C:\Users\Admin\AppData\Local\Temp\91bfa2445d998425c81f30d293235429ca6a8c6c8f326536478952a2a6754aac.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

C:\Windows\SysWOW64\cmd.exe

/c net stop MpsSvc

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz

C:\Windows\SysWOW64\net.exe

net stop MpsSvc

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MpsSvc

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 320 -ip 320

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 320 -s 576

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
AU 104.46.162.226:443 N/A tcp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp (×2)
US 8.8.8.8:53 2.36.159.162.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 203.151.224.20.in-addr.arpa udp
US 93.184.221.240:80 N/A tcp
US 192.229.221.95:80 N/A tcp
US 93.184.221.240:80 N/A tcp (×2)

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz

MD5 b2af3b332d92fc09b79c4bf85263fd22
SHA1 cbb3c3a4b17ba2888cfd0b96f59a5bc454d4ef32
SHA256 b9dd8dfdb9a3fd61b2acffe0018cdf99b02c97025ae0d41a7aac7c9d76647b58
SHA512 b6d7271b1b0e7285bff25b8edb0f31cc7076bbbf611a4bfa9a457463c38ba7d0f5694f89b18a5b26b0f793e76dc0a0e5279dbf4cf976a6b52787157523e17932

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xy_

MD5 4b28fc60df0738257092268a36fe321e
SHA1 f3440893908f4e59099664ce0abd323ada87e05c
SHA256 7b7170132465e0f87bf9a411324a07c27dd49268f4e9fd8f9d2b61e703b4bd29
SHA512 9335d367203da5d9cb452ca12eda00aa26ce451b0ed5d4fea3fbe1cee258b35b983ce96f25745855063fd35f065ed865cce9e9053c5bb29f1b97db6e31e5cb3e

C:\Users\Admin\AppData\Local\CSIDL_

MD5 4b28fc60df0738257092268a36fe321e
SHA1 f3440893908f4e59099664ce0abd323ada87e05c
SHA256 7b7170132465e0f87bf9a411324a07c27dd49268f4e9fd8f9d2b61e703b4bd29
SHA512 9335d367203da5d9cb452ca12eda00aa26ce451b0ed5d4fea3fbe1cee258b35b983ce96f25745855063fd35f065ed865cce9e9053c5bb29f1b97db6e31e5cb3e

memory/2096-151-0x000000001A010000-0x000000001A015000-memory.dmp

memory/320-152-0x0000000000400000-0x0000000001080000-memory.dmp

memory/320-155-0x0000000000400000-0x0000000001080000-memory.dmp

memory/320-156-0x0000000000400000-0x0000000001080000-memory.dmp

memory/320-157-0x0000000000400000-0x0000000001080000-memory.dmp

memory/320-158-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2096-159-0x0000000000400000-0x0000000001400000-memory.dmp