netwire | 8c3515df37a219842450dd3fb91bbade7cf8d8ec7fe17427f37cb4b83a3a237a

General

Target

74fa65bdc2b30888cd6732f8ccf9c438.exe
Size

397KB
MD5

74fa65bdc2b30888cd6732f8ccf9c438
SHA1

a2aa0495113e0f9db4153fc087048b53fdb1e18d
SHA256

8c3515df37a219842450dd3fb91bbade7cf8d8ec7fe17427f37cb4b83a3a237a
SHA512

95048ef938c046348cf420cf9da70c30a21a1bb4bb56b507a856a224c552e4eb08acd463e574b79eeef3e9bcc374cc11fd6f7331cac239f16b84bc856ab8b4d3
SSDEEP

6144:mZFV6YJoVLIW91ILonX9buxDNae0rMAZZV8mS2vS+44kgQj1nKh/AY6PuqjDobEH:0T6eoVH91nnX84vS+4qQNUhqjDoIYof

Score

10^/10

netwire botnet persistence rat stealer upx

Malware Config

Extracted

Family

netwire

C2

155.94.198.169:9112

Attributes

activex_autorun
false
copy_executable
true
delete_original
false
host_id
Corona-Virus
install_path
%AppData%\Install\offiice365.exe
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
Pounds
registry_autorun
true
startup_name
officeii365
use_mutex
false

Signatures

NetWire RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1460-16-0x0000000000400000-0x0000000000434000-memory.dmp	netwire
behavioral1/memory/2844-18-0x0000000000400000-0x0000000000434000-memory.dmp	netwire
behavioral1/memory/2844-20-0x0000000000400000-0x0000000000434000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

test.exeoffiice365.exe

pid process

1460 test.exe
2844 offiice365.exe
Loads dropped DLL 4 IoCs

Processes:

cmd.exetest.exe

pid process

1776 cmd.exe
1776 cmd.exe
1460 test.exe
1460 test.exe

pid	process
1460	test.exe
2844	offiice365.exe

pid	process
1776	cmd.exe
1776	cmd.exe
1460	test.exe
1460	test.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2236-0-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\test.exe	upx
behavioral1/memory/1460-7-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral1/memory/1460-16-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral1/memory/2844-18-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral1/memory/2236-19-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral1/memory/2844-20-0x0000000000400000-0x0000000000434000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

offiice365.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\officeii365 = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\offiice365.exe"	offiice365.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

74fa65bdc2b30888cd6732f8ccf9c438.execmd.exetest.exe

description	pid	process	target process
PID 2236 wrote to memory of 1776	2236	74fa65bdc2b30888cd6732f8ccf9c438.exe	cmd.exe
PID 2236 wrote to memory of 1776	2236	74fa65bdc2b30888cd6732f8ccf9c438.exe	cmd.exe
PID 2236 wrote to memory of 1776	2236	74fa65bdc2b30888cd6732f8ccf9c438.exe	cmd.exe
PID 2236 wrote to memory of 1776	2236	74fa65bdc2b30888cd6732f8ccf9c438.exe	cmd.exe
PID 1776 wrote to memory of 1460	1776	cmd.exe	test.exe
PID 1776 wrote to memory of 1460	1776	cmd.exe	test.exe
PID 1776 wrote to memory of 1460	1776	cmd.exe	test.exe
PID 1776 wrote to memory of 1460	1776	cmd.exe	test.exe
PID 1460 wrote to memory of 2844	1460	test.exe	offiice365.exe
PID 1460 wrote to memory of 2844	1460	test.exe	offiice365.exe
PID 1460 wrote to memory of 2844	1460	test.exe	offiice365.exe
PID 1460 wrote to memory of 2844	1460	test.exe	offiice365.exe

C:\Users\Admin\AppData\Local\Temp\74fa65bdc2b30888cd6732f8ccf9c438.exe
"C:\Users\Admin\AppData\Local\Temp\74fa65bdc2b30888cd6732f8ccf9c438.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2236

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c test.exe
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1776

C:\Users\Admin\AppData\Local\Temp\test.exe
test.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1460

C:\Users\Admin\AppData\Roaming\Install\offiice365.exe
"C:\Users\Admin\AppData\Roaming\Install\offiice365.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\test.exe
Filesize
70KB

MD5
eacc8434d9ddd4c93ea0cb0283db90a6

SHA1
f60e1dc07f5238d688b22d8e46d9924b7a9d2872

SHA256
696063cab6b63873c298a5033e5be6b3b8213cc06df33221238d37cddd3c7187

SHA512
d96ba53db82185f00b787014fa12e45bb62f614f395b55354266499b9175a6710bcd312774cce41b6d7c4eab1361a4730b50ca5880cf82895be445821a0b5817

Download Submit
memory/1460-7-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1460-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1776-4-0x0000000000120000-0x0000000000154000-memory.dmp

Filesize
208KB

Download
memory/2236-0-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2236-19-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2844-18-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2844-20-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads