netwire | e1f43f3aa18f4c82ce5454e0670d1f3effb8c7e66a88258983459a3d2668cb2e

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25/03/2024, 21:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e1f43f3aa18f4c82ce5454e0670d1f3effb8c7e66a88258983459a3d2668cb2e.exe
Size

172KB
MD5

c77a42c1744c454e28d0b962eccf8951
SHA1

fb1ec7b8e7c234531df577787026e72d4ded1d40
SHA256

e1f43f3aa18f4c82ce5454e0670d1f3effb8c7e66a88258983459a3d2668cb2e
SHA512

d78d1f1a37451c176b0f0fb132ea581599f062c03a2a3806f27afe2ef4f5216aee3dab939d3ff0bfee4e246b27178bfdcf5e4c7b638e01a48d274e814dea6dfc
SSDEEP

3072:KAx0uG+7EKz3oNCWQpEk5Z2d3qsjgjoWqBddRG1bkfM23nyj6Rh7fNch:r3T7E6oNFQSd39jgEWSjRw2R7f

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Extracted

Family

netwire

87.106.76.212:8081

glassmex.no-ip.org:8081

loopsoup.no-ip.org:8081

Attributes

activex_autorun
false
copy_executable
true
delete_original
true
host_id
HostId-%Rand%
install_path
%AppData%\Adobe\Components\armsvc.exe
keylogger_dir
C:\Users\Admin\AppData\Roaming\Microsoft\Office\
lock_executable
true
mutex
CfqTWdpW
offline_keylogger
true
password
Password
registry_autorun
true
startup_name
Adobe
use_mutex
true

Signatures

NetWire RAT payload 4 IoCs

rat

resource	yara_rule
behavioral1/memory/2584-18-0x0000000000400000-0x0000000000417000-memory.dmp	netwire
behavioral1/memory/2584-21-0x0000000000400000-0x0000000000417000-memory.dmp	netwire
behavioral1/memory/1248-39-0x0000000000400000-0x0000000000417000-memory.dmp	netwire
behavioral1/memory/780-58-0x0000000000400000-0x0000000000417000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Executes dropped EXE 2 IoCs

pid	Process
2688	armsvc.exe
780	armsvc.exe

Loads dropped DLL 1 IoCs

pid	Process
1248	cscservice.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Adobe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\e1f43f3aa18f4c82ce5454e0670d1f3effb8c7e66a88258983459a3d2668cb2e.exe"	e1f43f3aa18f4c82ce5454e0670d1f3effb8c7e66a88258983459a3d2668cb2e.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1628 set thread context of 2584	1628	e1f43f3aa18f4c82ce5454e0670d1f3effb8c7e66a88258983459a3d2668cb2e.exe	28
PID 2528 set thread context of 1248	2528	cscservice.exe	32
PID 2688 set thread context of 780	2688	armsvc.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1628	e1f43f3aa18f4c82ce5454e0670d1f3effb8c7e66a88258983459a3d2668cb2e.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1628	e1f43f3aa18f4c82ce5454e0670d1f3effb8c7e66a88258983459a3d2668cb2e.exe
Token: SeDebugPrivilege	2528	cscservice.exe
Token: SeDebugPrivilege	2688	armsvc.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 1628 wrote to memory of 2584	1628	e1f43f3aa18f4c82ce5454e0670d1f3effb8c7e66a88258983459a3d2668cb2e.exe	28
PID 1628 wrote to memory of 2584	1628	e1f43f3aa18f4c82ce5454e0670d1f3effb8c7e66a88258983459a3d2668cb2e.exe	28
PID 1628 wrote to memory of 2584	1628	e1f43f3aa18f4c82ce5454e0670d1f3effb8c7e66a88258983459a3d2668cb2e.exe	28
PID 1628 wrote to memory of 2584	1628	e1f43f3aa18f4c82ce5454e0670d1f3effb8c7e66a88258983459a3d2668cb2e.exe	28
PID 1628 wrote to memory of 2584	1628	e1f43f3aa18f4c82ce5454e0670d1f3effb8c7e66a88258983459a3d2668cb2e.exe	28
PID 1628 wrote to memory of 2584	1628	e1f43f3aa18f4c82ce5454e0670d1f3effb8c7e66a88258983459a3d2668cb2e.exe	28
PID 1628 wrote to memory of 2584	1628	e1f43f3aa18f4c82ce5454e0670d1f3effb8c7e66a88258983459a3d2668cb2e.exe	28
PID 1628 wrote to memory of 2584	1628	e1f43f3aa18f4c82ce5454e0670d1f3effb8c7e66a88258983459a3d2668cb2e.exe	28
PID 1628 wrote to memory of 2584	1628	e1f43f3aa18f4c82ce5454e0670d1f3effb8c7e66a88258983459a3d2668cb2e.exe	28
PID 1628 wrote to memory of 2528	1628	e1f43f3aa18f4c82ce5454e0670d1f3effb8c7e66a88258983459a3d2668cb2e.exe	29
PID 1628 wrote to memory of 2528	1628	e1f43f3aa18f4c82ce5454e0670d1f3effb8c7e66a88258983459a3d2668cb2e.exe	29
PID 1628 wrote to memory of 2528	1628	e1f43f3aa18f4c82ce5454e0670d1f3effb8c7e66a88258983459a3d2668cb2e.exe	29
PID 1628 wrote to memory of 2528	1628	e1f43f3aa18f4c82ce5454e0670d1f3effb8c7e66a88258983459a3d2668cb2e.exe	29
PID 2528 wrote to memory of 1248	2528	cscservice.exe	32
PID 2528 wrote to memory of 1248	2528	cscservice.exe	32
PID 2528 wrote to memory of 1248	2528	cscservice.exe	32
PID 2528 wrote to memory of 1248	2528	cscservice.exe	32
PID 2528 wrote to memory of 1248	2528	cscservice.exe	32
PID 2528 wrote to memory of 1248	2528	cscservice.exe	32
PID 2528 wrote to memory of 1248	2528	cscservice.exe	32
PID 2528 wrote to memory of 1248	2528	cscservice.exe	32
PID 2528 wrote to memory of 1248	2528	cscservice.exe	32
PID 1248 wrote to memory of 2688	1248	cscservice.exe	33
PID 1248 wrote to memory of 2688	1248	cscservice.exe	33
PID 1248 wrote to memory of 2688	1248	cscservice.exe	33
PID 1248 wrote to memory of 2688	1248	cscservice.exe	33
PID 2688 wrote to memory of 780	2688	armsvc.exe	34
PID 2688 wrote to memory of 780	2688	armsvc.exe	34
PID 2688 wrote to memory of 780	2688	armsvc.exe	34
PID 2688 wrote to memory of 780	2688	armsvc.exe	34
PID 2688 wrote to memory of 780	2688	armsvc.exe	34
PID 2688 wrote to memory of 780	2688	armsvc.exe	34
PID 2688 wrote to memory of 780	2688	armsvc.exe	34
PID 2688 wrote to memory of 780	2688	armsvc.exe	34
PID 2688 wrote to memory of 780	2688	armsvc.exe	34

C:\Users\Admin\AppData\Local\Temp\e1f43f3aa18f4c82ce5454e0670d1f3effb8c7e66a88258983459a3d2668cb2e.exe
"C:\Users\Admin\AppData\Local\Temp\e1f43f3aa18f4c82ce5454e0670d1f3effb8c7e66a88258983459a3d2668cb2e.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1628
- C:\Users\Admin\AppData\Local\Temp\e1f43f3aa18f4c82ce5454e0670d1f3effb8c7e66a88258983459a3d2668cb2e.exe
  "C:\Users\Admin\AppData\Local\Temp\e1f43f3aa18f4c82ce5454e0670d1f3effb8c7e66a88258983459a3d2668cb2e.exe"
  2⤵
  - Adds Run key to start application
  PID:2584
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\cscservice.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\cscservice.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2528
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\cscservice.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\cscservice.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1248
  - - C:\Users\Admin\AppData\Roaming\Adobe\Components\armsvc.exe
      "C:\Users\Admin\AppData\Roaming\Adobe\Components\armsvc.exe" -m C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\cscservice.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2688
    - - C:\Users\Admin\AppData\Roaming\Adobe\Components\armsvc.exe
        
        "C:\Users\Admin\AppData\Roaming\Adobe\Components\armsvc.exe"
        5⤵
        Executes dropped EXE
        
        PID:780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Components\armsvc.exe

Filesize
8KB

MD5
3137981d30bcc0f2d2238e498932bc48

SHA1
cef81ed14ed48e0a0a45e16d469f244ab7259cd3

SHA256
b61a82dff7c4ae70b37235884892408c4070d8bdff042bc698f8d04846995d0d

SHA512
b4d7f60a5235ca6ce7085d5a4bc696af5615f2d929b1b74de00e9e8d080232bf21f026fb2f0d184e09571a9e0507b921166e9e05868160aa7e3ac1eed5eae038

Download Submit
\Users\Admin\AppData\Roaming\Adobe\Components\armsvc.exe

Filesize
172KB

MD5
c77a42c1744c454e28d0b962eccf8951

SHA1
fb1ec7b8e7c234531df577787026e72d4ded1d40

SHA256
e1f43f3aa18f4c82ce5454e0670d1f3effb8c7e66a88258983459a3d2668cb2e

SHA512
d78d1f1a37451c176b0f0fb132ea581599f062c03a2a3806f27afe2ef4f5216aee3dab939d3ff0bfee4e246b27178bfdcf5e4c7b638e01a48d274e814dea6dfc

Download Submit
memory/780-58-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/780-51-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1248-39-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1628-17-0x0000000000570000-0x00000000005B0000-memory.dmp

Filesize
256KB

Download
memory/1628-19-0x0000000074780000-0x0000000074D2B000-memory.dmp

Filesize
5.7MB

Download
memory/1628-2-0x0000000000570000-0x00000000005B0000-memory.dmp

Filesize
256KB

Download
memory/1628-1-0x0000000074780000-0x0000000074D2B000-memory.dmp

Filesize
5.7MB

Download
memory/1628-3-0x0000000074780000-0x0000000074D2B000-memory.dmp

Filesize
5.7MB

Download
memory/1628-0-0x0000000074780000-0x0000000074D2B000-memory.dmp

Filesize
5.7MB

Download
memory/2528-37-0x00000000001D0000-0x0000000000210000-memory.dmp

Filesize
256KB

Download
memory/2528-36-0x0000000074780000-0x0000000074D2B000-memory.dmp

Filesize
5.7MB

Download
memory/2528-20-0x0000000074780000-0x0000000074D2B000-memory.dmp

Filesize
5.7MB

Download
memory/2584-18-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2584-21-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2584-8-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2584-6-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2584-4-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2584-16-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2584-10-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2584-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2584-14-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2688-46-0x0000000002320000-0x0000000002360000-memory.dmp

Filesize
256KB

Download
memory/2688-45-0x0000000074730000-0x0000000074CDB000-memory.dmp

Filesize
5.7MB

Download
memory/2688-56-0x0000000074730000-0x0000000074CDB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads