netwire | e1f43f3aa18f4c82ce5454e0670d1f3effb8c7e66a88258983459a3d2668cb2e

Analysis

max time kernel
145s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
25/03/2024, 21:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e1f43f3aa18f4c82ce5454e0670d1f3effb8c7e66a88258983459a3d2668cb2e.exe
Size

172KB
MD5

c77a42c1744c454e28d0b962eccf8951
SHA1

fb1ec7b8e7c234531df577787026e72d4ded1d40
SHA256

e1f43f3aa18f4c82ce5454e0670d1f3effb8c7e66a88258983459a3d2668cb2e
SHA512

d78d1f1a37451c176b0f0fb132ea581599f062c03a2a3806f27afe2ef4f5216aee3dab939d3ff0bfee4e246b27178bfdcf5e4c7b638e01a48d274e814dea6dfc
SSDEEP

3072:KAx0uG+7EKz3oNCWQpEk5Z2d3qsjgjoWqBddRG1bkfM23nyj6Rh7fNch:r3T7E6oNFQSd39jgEWSjRw2R7f

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Extracted

Family

netwire

87.106.76.212:8081

glassmex.no-ip.org:8081

loopsoup.no-ip.org:8081

Attributes

activex_autorun
false
copy_executable
true
delete_original
true
host_id
HostId-%Rand%
install_path
%AppData%\Adobe\Components\armsvc.exe
keylogger_dir
C:\Users\Admin\AppData\Roaming\Microsoft\Office\
lock_executable
true
mutex
CfqTWdpW
offline_keylogger
true
password
Password
registry_autorun
true
startup_name
Adobe
use_mutex
true

Signatures

NetWire RAT payload 4 IoCs

rat

resource	yara_rule
behavioral2/memory/4176-9-0x0000000000400000-0x0000000000417000-memory.dmp	netwire
behavioral2/memory/2972-22-0x0000000000400000-0x0000000000417000-memory.dmp	netwire
behavioral2/memory/3284-34-0x0000000001270000-0x0000000001280000-memory.dmp	netwire
behavioral2/memory/3476-41-0x0000000000400000-0x0000000000417000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	e1f43f3aa18f4c82ce5454e0670d1f3effb8c7e66a88258983459a3d2668cb2e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	cscservice.exe

Executes dropped EXE 2 IoCs

pid	Process
3284	armsvc.exe
3476	armsvc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Adobe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\e1f43f3aa18f4c82ce5454e0670d1f3effb8c7e66a88258983459a3d2668cb2e.exe"	e1f43f3aa18f4c82ce5454e0670d1f3effb8c7e66a88258983459a3d2668cb2e.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3536 set thread context of 4176	3536	e1f43f3aa18f4c82ce5454e0670d1f3effb8c7e66a88258983459a3d2668cb2e.exe	101
PID 4900 set thread context of 2972	4900	cscservice.exe	105
PID 3284 set thread context of 3476	3284	armsvc.exe	108

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3536	e1f43f3aa18f4c82ce5454e0670d1f3effb8c7e66a88258983459a3d2668cb2e.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3536	e1f43f3aa18f4c82ce5454e0670d1f3effb8c7e66a88258983459a3d2668cb2e.exe
Token: SeDebugPrivilege	4900	cscservice.exe
Token: SeDebugPrivilege	3284	armsvc.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 3536 wrote to memory of 4176	3536	e1f43f3aa18f4c82ce5454e0670d1f3effb8c7e66a88258983459a3d2668cb2e.exe	101
PID 3536 wrote to memory of 4176	3536	e1f43f3aa18f4c82ce5454e0670d1f3effb8c7e66a88258983459a3d2668cb2e.exe	101
PID 3536 wrote to memory of 4176	3536	e1f43f3aa18f4c82ce5454e0670d1f3effb8c7e66a88258983459a3d2668cb2e.exe	101
PID 3536 wrote to memory of 4176	3536	e1f43f3aa18f4c82ce5454e0670d1f3effb8c7e66a88258983459a3d2668cb2e.exe	101
PID 3536 wrote to memory of 4176	3536	e1f43f3aa18f4c82ce5454e0670d1f3effb8c7e66a88258983459a3d2668cb2e.exe	101
PID 3536 wrote to memory of 4176	3536	e1f43f3aa18f4c82ce5454e0670d1f3effb8c7e66a88258983459a3d2668cb2e.exe	101
PID 3536 wrote to memory of 4176	3536	e1f43f3aa18f4c82ce5454e0670d1f3effb8c7e66a88258983459a3d2668cb2e.exe	101
PID 3536 wrote to memory of 4176	3536	e1f43f3aa18f4c82ce5454e0670d1f3effb8c7e66a88258983459a3d2668cb2e.exe	101
PID 3536 wrote to memory of 4900	3536	e1f43f3aa18f4c82ce5454e0670d1f3effb8c7e66a88258983459a3d2668cb2e.exe	102
PID 3536 wrote to memory of 4900	3536	e1f43f3aa18f4c82ce5454e0670d1f3effb8c7e66a88258983459a3d2668cb2e.exe	102
PID 3536 wrote to memory of 4900	3536	e1f43f3aa18f4c82ce5454e0670d1f3effb8c7e66a88258983459a3d2668cb2e.exe	102
PID 4900 wrote to memory of 2972	4900	cscservice.exe	105
PID 4900 wrote to memory of 2972	4900	cscservice.exe	105
PID 4900 wrote to memory of 2972	4900	cscservice.exe	105
PID 4900 wrote to memory of 2972	4900	cscservice.exe	105
PID 4900 wrote to memory of 2972	4900	cscservice.exe	105
PID 4900 wrote to memory of 2972	4900	cscservice.exe	105
PID 4900 wrote to memory of 2972	4900	cscservice.exe	105
PID 4900 wrote to memory of 2972	4900	cscservice.exe	105
PID 2972 wrote to memory of 3284	2972	cscservice.exe	106
PID 2972 wrote to memory of 3284	2972	cscservice.exe	106
PID 2972 wrote to memory of 3284	2972	cscservice.exe	106
PID 3284 wrote to memory of 3476	3284	armsvc.exe	108
PID 3284 wrote to memory of 3476	3284	armsvc.exe	108
PID 3284 wrote to memory of 3476	3284	armsvc.exe	108
PID 3284 wrote to memory of 3476	3284	armsvc.exe	108
PID 3284 wrote to memory of 3476	3284	armsvc.exe	108
PID 3284 wrote to memory of 3476	3284	armsvc.exe	108
PID 3284 wrote to memory of 3476	3284	armsvc.exe	108
PID 3284 wrote to memory of 3476	3284	armsvc.exe	108

C:\Users\Admin\AppData\Local\Temp\e1f43f3aa18f4c82ce5454e0670d1f3effb8c7e66a88258983459a3d2668cb2e.exe
"C:\Users\Admin\AppData\Local\Temp\e1f43f3aa18f4c82ce5454e0670d1f3effb8c7e66a88258983459a3d2668cb2e.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3536
- C:\Users\Admin\AppData\Local\Temp\e1f43f3aa18f4c82ce5454e0670d1f3effb8c7e66a88258983459a3d2668cb2e.exe
  "C:\Users\Admin\AppData\Local\Temp\e1f43f3aa18f4c82ce5454e0670d1f3effb8c7e66a88258983459a3d2668cb2e.exe"
  2⤵
  - Adds Run key to start application
  PID:4176
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\cscservice.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\cscservice.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4900
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\cscservice.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\cscservice.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:2972
  - - C:\Users\Admin\AppData\Roaming\Adobe\Components\armsvc.exe
      "C:\Users\Admin\AppData\Roaming\Adobe\Components\armsvc.exe" -m C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\cscservice.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3284
    - - C:\Users\Admin\AppData\Roaming\Adobe\Components\armsvc.exe
        
        "C:\Users\Admin\AppData\Roaming\Adobe\Components\armsvc.exe"
        5⤵
        Executes dropped EXE
        
        PID:3476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Components\armsvc.exe

Filesize
172KB

MD5
c77a42c1744c454e28d0b962eccf8951

SHA1
fb1ec7b8e7c234531df577787026e72d4ded1d40

SHA256
e1f43f3aa18f4c82ce5454e0670d1f3effb8c7e66a88258983459a3d2668cb2e

SHA512
d78d1f1a37451c176b0f0fb132ea581599f062c03a2a3806f27afe2ef4f5216aee3dab939d3ff0bfee4e246b27178bfdcf5e4c7b638e01a48d274e814dea6dfc

Download Submit
memory/2972-22-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3284-33-0x0000000074B90000-0x0000000075141000-memory.dmp

Filesize
5.7MB

Download
memory/3284-34-0x0000000001270000-0x0000000001280000-memory.dmp

Filesize
64KB

Download
memory/3284-40-0x0000000074B90000-0x0000000075141000-memory.dmp

Filesize
5.7MB

Download
memory/3476-41-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3536-3-0x0000000074B30000-0x00000000750E1000-memory.dmp

Filesize
5.7MB

Download
memory/3536-8-0x0000000074B30000-0x00000000750E1000-memory.dmp

Filesize
5.7MB

Download
memory/3536-0-0x0000000074B30000-0x00000000750E1000-memory.dmp

Filesize
5.7MB

Download
memory/3536-11-0x0000000074B30000-0x00000000750E1000-memory.dmp

Filesize
5.7MB

Download
memory/3536-4-0x00000000018A0000-0x00000000018B0000-memory.dmp

Filesize
64KB

Download
memory/3536-2-0x0000000074B30000-0x00000000750E1000-memory.dmp

Filesize
5.7MB

Download
memory/3536-1-0x00000000018A0000-0x00000000018B0000-memory.dmp

Filesize
64KB

Download
memory/4176-5-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4176-9-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4176-7-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4900-21-0x0000000074B30000-0x00000000750E1000-memory.dmp

Filesize
5.7MB

Download
memory/4900-20-0x0000000074B30000-0x00000000750E1000-memory.dmp

Filesize
5.7MB

Download
memory/4900-19-0x0000000001190000-0x00000000011A0000-memory.dmp

Filesize
64KB

Download
memory/4900-13-0x0000000001190000-0x00000000011A0000-memory.dmp

Filesize
64KB

Download
memory/4900-12-0x0000000074B30000-0x00000000750E1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads