netwire | a9189b815c696214f9c7297e0ee9d6ecfff9bcf7e7064651dc3d64522d922b8d

Analysis

max time kernel
140s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
26/02/2024, 22:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a9189b815c696214f9c7297e0ee9d6ecfff9bcf7e7064651dc3d64522d922b8d.exe
Size

869KB
MD5

996fd0a78c7ca69f0f5e2beecb9fb1c4
SHA1

0c7a6da13a2e59fd9d1932f7c365a367a957745d
SHA256

a9189b815c696214f9c7297e0ee9d6ecfff9bcf7e7064651dc3d64522d922b8d
SHA512

e48e6cc71d9046c92fb092c843d38a107b951ba300941cf22f08c1bac4d553900312ef530a8110136349a39ccc3c99ddf036bde9de9951c42098d91b92f45621
SSDEEP

24576:QmRwOiAUVxhgnMtPRNT4eDc4Qv4n4DS0I2io2JYgR:QMfOxP7T4eo4K4n7AH4

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

saturdaylivecheckthisout.duckdns.org:3360

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
lock_executable
false
mutex
hPWLUfVE
offline_keylogger
false
password
Password
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 3 IoCs

rat

resource	yara_rule
behavioral2/memory/3752-30-0x0000000000400000-0x0000000000444000-memory.dmp	netwire
behavioral2/memory/3752-37-0x0000000000400000-0x0000000000444000-memory.dmp	netwire
behavioral2/memory/3752-39-0x0000000000400000-0x0000000000444000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 3 IoCs

resource	yara_rule
behavioral2/memory/3752-30-0x0000000000400000-0x0000000000444000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/3752-37-0x0000000000400000-0x0000000000444000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/3752-39-0x0000000000400000-0x0000000000444000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	a9189b815c696214f9c7297e0ee9d6ecfff9bcf7e7064651dc3d64522d922b8d.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3212 set thread context of 3752	3212	a9189b815c696214f9c7297e0ee9d6ecfff9bcf7e7064651dc3d64522d922b8d.exe	96

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3224	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4768	powershell.exe
4768	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4768	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3212 wrote to memory of 4768	3212	a9189b815c696214f9c7297e0ee9d6ecfff9bcf7e7064651dc3d64522d922b8d.exe	92
PID 3212 wrote to memory of 4768	3212	a9189b815c696214f9c7297e0ee9d6ecfff9bcf7e7064651dc3d64522d922b8d.exe	92
PID 3212 wrote to memory of 4768	3212	a9189b815c696214f9c7297e0ee9d6ecfff9bcf7e7064651dc3d64522d922b8d.exe	92
PID 3212 wrote to memory of 3224	3212	a9189b815c696214f9c7297e0ee9d6ecfff9bcf7e7064651dc3d64522d922b8d.exe	94
PID 3212 wrote to memory of 3224	3212	a9189b815c696214f9c7297e0ee9d6ecfff9bcf7e7064651dc3d64522d922b8d.exe	94
PID 3212 wrote to memory of 3224	3212	a9189b815c696214f9c7297e0ee9d6ecfff9bcf7e7064651dc3d64522d922b8d.exe	94
PID 3212 wrote to memory of 3752	3212	a9189b815c696214f9c7297e0ee9d6ecfff9bcf7e7064651dc3d64522d922b8d.exe	96
PID 3212 wrote to memory of 3752	3212	a9189b815c696214f9c7297e0ee9d6ecfff9bcf7e7064651dc3d64522d922b8d.exe	96
PID 3212 wrote to memory of 3752	3212	a9189b815c696214f9c7297e0ee9d6ecfff9bcf7e7064651dc3d64522d922b8d.exe	96
PID 3212 wrote to memory of 3752	3212	a9189b815c696214f9c7297e0ee9d6ecfff9bcf7e7064651dc3d64522d922b8d.exe	96
PID 3212 wrote to memory of 3752	3212	a9189b815c696214f9c7297e0ee9d6ecfff9bcf7e7064651dc3d64522d922b8d.exe	96
PID 3212 wrote to memory of 3752	3212	a9189b815c696214f9c7297e0ee9d6ecfff9bcf7e7064651dc3d64522d922b8d.exe	96
PID 3212 wrote to memory of 3752	3212	a9189b815c696214f9c7297e0ee9d6ecfff9bcf7e7064651dc3d64522d922b8d.exe	96
PID 3212 wrote to memory of 3752	3212	a9189b815c696214f9c7297e0ee9d6ecfff9bcf7e7064651dc3d64522d922b8d.exe	96
PID 3212 wrote to memory of 3752	3212	a9189b815c696214f9c7297e0ee9d6ecfff9bcf7e7064651dc3d64522d922b8d.exe	96
PID 3212 wrote to memory of 3752	3212	a9189b815c696214f9c7297e0ee9d6ecfff9bcf7e7064651dc3d64522d922b8d.exe	96
PID 3212 wrote to memory of 3752	3212	a9189b815c696214f9c7297e0ee9d6ecfff9bcf7e7064651dc3d64522d922b8d.exe	96
PID 3212 wrote to memory of 3752	3212	a9189b815c696214f9c7297e0ee9d6ecfff9bcf7e7064651dc3d64522d922b8d.exe	96

C:\Users\Admin\AppData\Local\Temp\a9189b815c696214f9c7297e0ee9d6ecfff9bcf7e7064651dc3d64522d922b8d.exe
"C:\Users\Admin\AppData\Local\Temp\a9189b815c696214f9c7297e0ee9d6ecfff9bcf7e7064651dc3d64522d922b8d.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3212
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\kqAfbFGBwmS.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4768
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kqAfbFGBwmS" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE8F8.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:3224
- C:\Users\Admin\AppData\Local\Temp\a9189b815c696214f9c7297e0ee9d6ecfff9bcf7e7064651dc3d64522d922b8d.exe
  "C:\Users\Admin\AppData\Local\Temp\a9189b815c696214f9c7297e0ee9d6ecfff9bcf7e7064651dc3d64522d922b8d.exe"
  2⤵
  PID:3752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5zcdrraz.0fl.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE8F8.tmp

Filesize
1KB

MD5
568f436db334c9ed41add88bd0d41564

SHA1
32b217376c95632f53ebeb00c6b1574255cc0aaa

SHA256
fe93854e0e6b0d0b83a8bcceec23d1f587ec333f85e4a9b2f2253370c311cab3

SHA512
ddd3262900716cba3e783c1ad49757ffffe7d900e86bdb01021fd68f7b367f1d4db824c1face4cfb389588b045d2c5f6199bf906370e4ca18106fb2f5da8a3f5

Download Submit
memory/3212-8-0x0000000005580000-0x0000000005590000-memory.dmp

Filesize
64KB

Download
memory/3212-9-0x0000000007E60000-0x0000000007EFC000-memory.dmp

Filesize
624KB

Download
memory/3212-4-0x0000000005580000-0x0000000005590000-memory.dmp

Filesize
64KB

Download
memory/3212-5-0x00000000053B0000-0x00000000053BA000-memory.dmp

Filesize
40KB

Download
memory/3212-6-0x0000000005670000-0x000000000568A000-memory.dmp

Filesize
104KB

Download
memory/3212-7-0x00000000743D0000-0x0000000074B80000-memory.dmp

Filesize
7.7MB

Download
memory/3212-24-0x00000000069B0000-0x00000000069F0000-memory.dmp

Filesize
256KB

Download
memory/3212-3-0x00000000053D0000-0x0000000005462000-memory.dmp

Filesize
584KB

Download
memory/3212-10-0x00000000081C0000-0x000000000827E000-memory.dmp

Filesize
760KB

Download
memory/3212-1-0x00000000743D0000-0x0000000074B80000-memory.dmp

Filesize
7.7MB

Download
memory/3212-40-0x00000000743D0000-0x0000000074B80000-memory.dmp

Filesize
7.7MB

Download
memory/3212-0-0x00000000008E0000-0x00000000009C0000-memory.dmp

Filesize
896KB

Download
memory/3212-2-0x00000000058E0000-0x0000000005E84000-memory.dmp

Filesize
5.6MB

Download
memory/3752-37-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3752-39-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3752-30-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4768-16-0x00000000743D0000-0x0000000074B80000-memory.dmp

Filesize
7.7MB

Download
memory/4768-45-0x0000000072EA0000-0x0000000072EEC000-memory.dmp

Filesize
304KB

Download
memory/4768-22-0x0000000006080000-0x00000000060E6000-memory.dmp

Filesize
408KB

Download
memory/4768-21-0x0000000005830000-0x0000000005852000-memory.dmp

Filesize
136KB

Download
memory/4768-18-0x0000000005220000-0x0000000005230000-memory.dmp

Filesize
64KB

Download
memory/4768-38-0x0000000006210000-0x0000000006564000-memory.dmp

Filesize
3.3MB

Download
memory/4768-19-0x00000000058A0000-0x0000000005EC8000-memory.dmp

Filesize
6.2MB

Download
memory/4768-17-0x0000000005220000-0x0000000005230000-memory.dmp

Filesize
64KB

Download
memory/4768-15-0x0000000005230000-0x0000000005266000-memory.dmp

Filesize
216KB

Download
memory/4768-41-0x00000000067E0000-0x00000000067FE000-memory.dmp

Filesize
120KB

Download
memory/4768-42-0x0000000006B50000-0x0000000006B9C000-memory.dmp

Filesize
304KB

Download
memory/4768-43-0x000000007F950000-0x000000007F960000-memory.dmp

Filesize
64KB

Download
memory/4768-44-0x0000000006DB0000-0x0000000006DE2000-memory.dmp

Filesize
200KB

Download
memory/4768-23-0x00000000061A0000-0x0000000006206000-memory.dmp

Filesize
408KB

Download
memory/4768-55-0x00000000079B0000-0x00000000079CE000-memory.dmp

Filesize
120KB

Download
memory/4768-57-0x00000000079D0000-0x0000000007A73000-memory.dmp

Filesize
652KB

Download
memory/4768-56-0x0000000005220000-0x0000000005230000-memory.dmp

Filesize
64KB

Download
memory/4768-58-0x0000000005220000-0x0000000005230000-memory.dmp

Filesize
64KB

Download
memory/4768-59-0x0000000008150000-0x00000000087CA000-memory.dmp

Filesize
6.5MB

Download
memory/4768-60-0x0000000007B10000-0x0000000007B2A000-memory.dmp

Filesize
104KB

Download
memory/4768-61-0x0000000007B80000-0x0000000007B8A000-memory.dmp

Filesize
40KB

Download
memory/4768-62-0x0000000007D90000-0x0000000007E26000-memory.dmp

Filesize
600KB

Download
memory/4768-63-0x0000000007D10000-0x0000000007D21000-memory.dmp

Filesize
68KB

Download
memory/4768-64-0x0000000007D40000-0x0000000007D4E000-memory.dmp

Filesize
56KB

Download
memory/4768-65-0x0000000007D50000-0x0000000007D64000-memory.dmp

Filesize
80KB

Download
memory/4768-66-0x0000000007E50000-0x0000000007E6A000-memory.dmp

Filesize
104KB

Download
memory/4768-67-0x0000000007E30000-0x0000000007E38000-memory.dmp

Filesize
32KB

Download
memory/4768-69-0x00000000743D0000-0x0000000074B80000-memory.dmp

Filesize
7.7MB

Download