netwire | 282e441b58eed38ce5b5aeae04ad6d174ff23b8c7a6ced664c54b683f8cfc8ab

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
19/01/2024, 04:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

66ae237c1680a6c0194d4a5ef883a146.exe
Size

1.5MB
MD5

66ae237c1680a6c0194d4a5ef883a146
SHA1

7c37067d047caae8b5ca9127a6b89845e833c520
SHA256

282e441b58eed38ce5b5aeae04ad6d174ff23b8c7a6ced664c54b683f8cfc8ab
SHA512

894d8f621a240f99bf9914c2efe2205b61cedf16573a559020616e26dc47f8cdf9fc4f063ed8a1b46e6ca51baa4f5cda317d60aa3649f0af90abdbc88ddca5a0
SSDEEP

24576:AAOcZwdf+OD0+5PYjasPw5X1WelwB1rABQ8iHX0eFpPFbKi6FGxGIsDCabnd:ef5wja2ayfmgpPFbKi6kxxK1bnd

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Extracted

Family

netwire

harold.ns01.info:3606

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
Netwir
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
pHJVBoFH
offline_keylogger
true
password
master12
registry_autorun
false
use_mutex
true

Signatures

NetWire RAT payload 3 IoCs

rat

resource	yara_rule
behavioral1/memory/2160-93-0x0000000000310000-0x0000000000852000-memory.dmp	netwire
behavioral1/memory/2160-95-0x0000000000310000-0x0000000000852000-memory.dmp	netwire
behavioral1/memory/2160-96-0x0000000000310000-0x0000000000852000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Executes dropped EXE 1 IoCs

pid	Process
2480	lqilwl.pif

Loads dropped DLL 4 IoCs

pid	Process
1476	66ae237c1680a6c0194d4a5ef883a146.exe
1476	66ae237c1680a6c0194d4a5ef883a146.exe
1476	66ae237c1680a6c0194d4a5ef883a146.exe
1476	66ae237c1680a6c0194d4a5ef883a146.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\40791675\\lqilwl.pif C:\\Users\\Admin\\AppData\\Local\\Temp\\40791675\\wmrvmdcs.ije"	lqilwl.pif

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2480 set thread context of 2160	2480	lqilwl.pif	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2796	DllHost.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1476 wrote to memory of 2480	1476	66ae237c1680a6c0194d4a5ef883a146.exe	29
PID 1476 wrote to memory of 2480	1476	66ae237c1680a6c0194d4a5ef883a146.exe	29
PID 1476 wrote to memory of 2480	1476	66ae237c1680a6c0194d4a5ef883a146.exe	29
PID 1476 wrote to memory of 2480	1476	66ae237c1680a6c0194d4a5ef883a146.exe	29
PID 2480 wrote to memory of 2160	2480	lqilwl.pif	30
PID 2480 wrote to memory of 2160	2480	lqilwl.pif	30
PID 2480 wrote to memory of 2160	2480	lqilwl.pif	30
PID 2480 wrote to memory of 2160	2480	lqilwl.pif	30
PID 2480 wrote to memory of 2160	2480	lqilwl.pif	30
PID 2480 wrote to memory of 2160	2480	lqilwl.pif	30
PID 2480 wrote to memory of 2160	2480	lqilwl.pif	30
PID 2480 wrote to memory of 2160	2480	lqilwl.pif	30
PID 2480 wrote to memory of 2160	2480	lqilwl.pif	30

C:\Users\Admin\AppData\Local\Temp\66ae237c1680a6c0194d4a5ef883a146.exe
"C:\Users\Admin\AppData\Local\Temp\66ae237c1680a6c0194d4a5ef883a146.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1476
- C:\Users\Admin\AppData\Local\Temp\40791675\lqilwl.pif
  "C:\Users\Admin\AppData\Local\Temp\40791675\lqilwl.pif" wmrvmdcs.ije
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2480
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:2160

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\40791675\Windovert POP Deposit.jpg

Filesize
307KB

MD5
b3b59bb99846e645f1cf4ffc3a70deb0

SHA1
9e8a9b321360465d3929194196308c422c1cad22

SHA256
4c85c5fdd12e47095e039943043ebd5caf4f09b1d4fa523525e36234a26279cf

SHA512
ca3d0d6f5ac5540e5d80d36972eb6f67f241b7aa47ac8e852d20a4f9c105c3b298e78a6cab2587309e5bf25e6c0c9d3077220046270e414e785249b75cf6f848

Download Submit
C:\Users\Admin\AppData\Local\Temp\40791675\lqilwl.pif

Filesize
460KB

MD5
0373ca367d946b00a8305f5e586bc6c8

SHA1
099aba63a496b4b40ce368154bb95f8e37eedb9d

SHA256
d84d215afae636541029a0d12c2634b617fe45a7db6a73ba1ca012e64bbb6fd0

SHA512
b472b9c19f5637dd6ebcd4d7c53f0a8798ff66ed5e2769a6b0314eb4acc1b72adc343d9ab05a130fb1f9323a3c43fd2f2aa0aa9478e32ac68830ad6e7043d0c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\40791675\lqilwl.pif

Filesize
649KB

MD5
e423fa6f72ef1a0d63ef5f85380657d6

SHA1
83114ec1db55867fde6d249352fcb3c52ef53af2

SHA256
4c38d6dc99e8219ccc923bddc94c9298f6b5aee6b4b42323d924cffdeafd356e

SHA512
687407a6354547f11faf190472e5fa5c50c0d01d911823b372d80029054e2e830c08b2a9100f5f1b1a742d0755bddfb784854bd7431f98b6b352010e2d01dac3

Download Submit
C:\Users\Admin\AppData\Local\Temp\40791675\mird.xml

Filesize
377KB

MD5
744295ad3e845c00badb2c4701521e8b

SHA1
039c5c54de34eb8a8fbb29d8ba0912d355e1293f

SHA256
b8cc7d152ee42023207babb9ea6511fea1565b7e5a4f43bbeb27d3f028c1e4c0

SHA512
1236d0dd7078064e7c4a1fe88e8696b53bef794fe754878c2d362a2ef418facbb5e386076912905ce611f6d12d9a95c0a20f4a8b699a3e412be5729a59f8362e

Download Submit
C:\Users\Admin\AppData\Local\Temp\40791675\wmrvmdcs.ije

Filesize
595KB

MD5
62a4c42ee4213c29367d3472f37942ee

SHA1
281c785699c47a5adc7a5bef89dac87649f5c866

SHA256
e9aa7bcf2feaa6446a2110183b518d7e3caf9c6dee6b63a48fd7b316fe1bb53f

SHA512
cd00df20e4d13ec1213ff639f261d534d3f23fa07b93975c17bd9188a84b8dab7a0bc57cbca71dee0cba43643ed9e8666ba03eb468bcd0d0ac25000b448bface

Download Submit
\Users\Admin\AppData\Local\Temp\40791675\lqilwl.pif

Filesize
584KB

MD5
52cdfc1b1254cedb094d7ee5081cff39

SHA1
2471f7eaa32ca95d9ff535f3e7e720c4aed9609c

SHA256
1f3ba5a05c7197e103ebcd368fd37ec539f31c68e2569f943984e42082ed53d7

SHA512
37aad59b0aa8e323c37ca4dc209e506f14b8fd857573836a5cc26787acb37d9a702c580bf4b9aad6e526581553276c44437e063be0ada6fbbb21445bff4921be

Download Submit
\Users\Admin\AppData\Local\Temp\40791675\lqilwl.pif

Filesize
511KB

MD5
31cff14783e59cec467ccc839e39986b

SHA1
761a28515bd65a0602c4757e8626626ea58cd92a

SHA256
12975b1d90ebf94d94a6a5c2a7ac5fb0fdda8cbd03000089ff88804e8f7468b5

SHA512
38eedb317a66240c4440954ca762b5d620e6559af03e97d0799c369cf2ddc305b4050d64e8e122d5c06a1f25eed55c363a877a2278866baf8f87e1187dfdba6f

Download Submit
\Users\Admin\AppData\Local\Temp\40791675\lqilwl.pif

Filesize
556KB

MD5
64c9f078d93610fa332e1abe1d35bc4a

SHA1
32331db8a0cccf8c9d5c6c5330cc5962540817a1

SHA256
9c7985160ca80d605b338b988cee1b2ca95358658bcf66c8e9d10c6751f2e33e

SHA512
e9ff5ffec817a7292b12edc04cd8f05d08a481b28ff4f053459439f4e3f8f8548f77b9b6b1a1a310002135019be3e7841224db2086e15f4c46cd47b7b43c44af

Download Submit
\Users\Admin\AppData\Local\Temp\40791675\lqilwl.pif

Filesize
531KB

MD5
18809e0216ea0391efe45dcaebb5e4ad

SHA1
f82167c7ae840087699655a91cb3339c10ebf601

SHA256
52ba7c93c15a00d22b404e919d7a549e0d039d62d92ba98a65453dd61454bfa9

SHA512
5715d03c9343768071e0625197544364dfb73792d152ed5b53cc0fb86ae02ae4e767485b181a7de3ffca3ac1b5a40b9354b5df73afca99ba1ff463cc5eacbf29

Download Submit
memory/1476-68-0x0000000000710000-0x0000000000712000-memory.dmp

Filesize
8KB

Download
memory/2160-91-0x0000000000310000-0x0000000000852000-memory.dmp

Filesize
5.3MB

Download
memory/2160-92-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2160-93-0x0000000000310000-0x0000000000852000-memory.dmp

Filesize
5.3MB

Download
memory/2160-95-0x0000000000310000-0x0000000000852000-memory.dmp

Filesize
5.3MB

Download
memory/2160-96-0x0000000000310000-0x0000000000852000-memory.dmp

Filesize
5.3MB

Download
memory/2796-71-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/2796-69-0x00000000001A0000-0x00000000001A2000-memory.dmp

Filesize
8KB

Download
memory/2796-97-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads