netwire | 3526c74a22a6a7ff285bddc4a055d22e443bd2d9ceb47aa7bc20240256084787

Analysis

max time kernel
1559s
max time network
1563s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26-03-2024 13:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MyxaH.exe
Size

286KB
MD5

86d543779889aa512f7395edece0d852
SHA1

9b657e8ee0075ebf0cd48cea54b4628f06cdfd1c
SHA256

e6087745223ce9ce7de8b4c18c2d141ed9057d9088b7faf77473953a921cbb73
SHA512

51310d932e8eacba62c2647a39394c33427044d907bffdf3c63c982b49048848d3e77bdf9e5500a64d52b0cc93e447a9b7ba70ebbc97ad4713fc3d80f1bba76b
SSDEEP

6144:smGIhLaUrYyu2Pcyl+lxnHFCGcjN+c+iUri27J5P/Xj2qQ:73bzuPHj5Hria7z2qQ

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

nsa.read-books.org:3300

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
Password
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral19/memory/1992-10045-0x0000000000090000-0x00000000000B5000-memory.dmp	netwire
behavioral19/memory/1992-10048-0x0000000000090000-0x00000000000B5000-memory.dmp	netwire
behavioral19/memory/1992-10052-0x0000000000090000-0x00000000000B5000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Loads dropped DLL 2 IoCs

Processes:

MyxaH.exe

pid process

2248 MyxaH.exe
2248 MyxaH.exe
Drops file in Windows directory 1 IoCs

Processes:

MyxaH.exe

description ioc process

File opened for modification C:\Windows\win.ini MyxaH.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2332 1992 WerFault.exe cmd.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

MyxaH.exe

pid process

2248 MyxaH.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

MyxaH.exe

pid process

2248 MyxaH.exe
2248 MyxaH.exe

pid	process
2248	MyxaH.exe
2248	MyxaH.exe

description	ioc	process
File opened for modification	C:\Windows\win.ini	MyxaH.exe

pid	pid_target	process	target process
2332	1992	WerFault.exe	cmd.exe

pid	process
2248	MyxaH.exe

pid	process
2248	MyxaH.exe
2248	MyxaH.exe

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

MyxaH.execmd.exe

description	pid	process	target process
PID 2248 wrote to memory of 1992	2248	MyxaH.exe	cmd.exe
PID 2248 wrote to memory of 1992	2248	MyxaH.exe	cmd.exe
PID 2248 wrote to memory of 1992	2248	MyxaH.exe	cmd.exe
PID 2248 wrote to memory of 1992	2248	MyxaH.exe	cmd.exe
PID 2248 wrote to memory of 1992	2248	MyxaH.exe	cmd.exe
PID 2248 wrote to memory of 1992	2248	MyxaH.exe	cmd.exe
PID 2248 wrote to memory of 1992	2248	MyxaH.exe	cmd.exe
PID 2248 wrote to memory of 1992	2248	MyxaH.exe	cmd.exe
PID 2248 wrote to memory of 1992	2248	MyxaH.exe	cmd.exe
PID 2248 wrote to memory of 1992	2248	MyxaH.exe	cmd.exe
PID 2248 wrote to memory of 1992	2248	MyxaH.exe	cmd.exe
PID 2248 wrote to memory of 1992	2248	MyxaH.exe	cmd.exe
PID 2248 wrote to memory of 1992	2248	MyxaH.exe	cmd.exe
PID 2248 wrote to memory of 1992	2248	MyxaH.exe	cmd.exe
PID 2248 wrote to memory of 1992	2248	MyxaH.exe	cmd.exe
PID 2248 wrote to memory of 1992	2248	MyxaH.exe	cmd.exe
PID 2248 wrote to memory of 1992	2248	MyxaH.exe	cmd.exe
PID 2248 wrote to memory of 1992	2248	MyxaH.exe	cmd.exe
PID 2248 wrote to memory of 1992	2248	MyxaH.exe	cmd.exe
PID 2248 wrote to memory of 1992	2248	MyxaH.exe	cmd.exe
PID 1992 wrote to memory of 2332	1992	cmd.exe	WerFault.exe
PID 1992 wrote to memory of 2332	1992	cmd.exe	WerFault.exe
PID 1992 wrote to memory of 2332	1992	cmd.exe	WerFault.exe
PID 1992 wrote to memory of 2332	1992	cmd.exe	WerFault.exe
PID 2248 wrote to memory of 1992	2248	MyxaH.exe	cmd.exe
PID 2248 wrote to memory of 1992	2248	MyxaH.exe	cmd.exe
PID 2248 wrote to memory of 1992	2248	MyxaH.exe	cmd.exe
PID 2248 wrote to memory of 1992	2248	MyxaH.exe	cmd.exe
PID 2248 wrote to memory of 1992	2248	MyxaH.exe	cmd.exe
PID 2248 wrote to memory of 1992	2248	MyxaH.exe	cmd.exe
PID 2248 wrote to memory of 1992	2248	MyxaH.exe	cmd.exe
PID 2248 wrote to memory of 1992	2248	MyxaH.exe	cmd.exe
PID 2248 wrote to memory of 1992	2248	MyxaH.exe	cmd.exe
PID 2248 wrote to memory of 1992	2248	MyxaH.exe	cmd.exe
PID 2248 wrote to memory of 1992	2248	MyxaH.exe	cmd.exe
PID 2248 wrote to memory of 1992	2248	MyxaH.exe	cmd.exe
PID 2248 wrote to memory of 1992	2248	MyxaH.exe	cmd.exe
PID 2248 wrote to memory of 1992	2248	MyxaH.exe	cmd.exe
PID 2248 wrote to memory of 1992	2248	MyxaH.exe	cmd.exe
PID 2248 wrote to memory of 1992	2248	MyxaH.exe	cmd.exe
PID 2248 wrote to memory of 1992	2248	MyxaH.exe	cmd.exe
PID 2248 wrote to memory of 1992	2248	MyxaH.exe	cmd.exe
PID 2248 wrote to memory of 1992	2248	MyxaH.exe	cmd.exe
PID 2248 wrote to memory of 1992	2248	MyxaH.exe	cmd.exe
PID 2248 wrote to memory of 1992	2248	MyxaH.exe	cmd.exe
PID 2248 wrote to memory of 1992	2248	MyxaH.exe	cmd.exe
PID 2248 wrote to memory of 1992	2248	MyxaH.exe	cmd.exe
PID 2248 wrote to memory of 1992	2248	MyxaH.exe	cmd.exe
PID 2248 wrote to memory of 1992	2248	MyxaH.exe	cmd.exe
PID 2248 wrote to memory of 1992	2248	MyxaH.exe	cmd.exe
PID 2248 wrote to memory of 1992	2248	MyxaH.exe	cmd.exe
PID 2248 wrote to memory of 1992	2248	MyxaH.exe	cmd.exe
PID 2248 wrote to memory of 1992	2248	MyxaH.exe	cmd.exe
PID 2248 wrote to memory of 1992	2248	MyxaH.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\MyxaH.exe
"C:\Users\Admin\AppData\Local\Temp\MyxaH.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2248

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1992 -s 140
3⤵
- Program crash
PID:2332

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\win.ini
Filesize
517B

MD5
893cae59ab5945a94a7da007d47a1255

SHA1
d4cfd81c6647ca64022bd307c08a7fb4bbbd4c06

SHA256
edfa0f2d3bea9f737e0315971c6f81d3d8e7d460b60a19351ada0316a093c938

SHA512
d66e454781f54f45df814ad32d687b0f100578c2a4ffca62de81add04281fb881a550702bd2d058933d3736d14e88624af268a86ce24b0c3935242b206ffdcc9

Download Submit
\Users\Admin\AppData\Local\Temp\cadi.dll
Filesize
34KB

MD5
76c9c0f008457a74d2b693759ad127a6

SHA1
76974f7fc4f2f97ceaf146ea48c186f0e8ed87e3

SHA256
9642ab0f3e7f107e83f64492abd111f90c8fd80a668e1f3fbea429a7645f20f7

SHA512
7c63d8b3895d7c1ab7699ef2342c8f5d9d7447c533db4b8db995d60ebcf9aadd6e44ce6f05a98c85bb2ef8f61bdcffc1a42ec85880683821ff83d25aec7c6e66

Download Submit
\Users\Admin\AppData\Local\Temp\nsy3E39.tmp\System.dll
Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
memory/1992-10045-0x0000000000090000-0x00000000000B5000-memory.dmp

Filesize
148KB

Download
memory/1992-10048-0x0000000000090000-0x00000000000B5000-memory.dmp

Filesize
148KB

Download
memory/1992-10052-0x0000000000090000-0x00000000000B5000-memory.dmp

Filesize
148KB

Download
memory/1992-10053-0x0000000076EC0000-0x0000000077069000-memory.dmp

Filesize
1.7MB

Download
memory/2248-35-0x00000000003D0000-0x00000000003D2000-memory.dmp

Filesize
8KB

Download
memory/2248-34-0x0000000001E50000-0x0000000001E58000-memory.dmp

Filesize
32KB

Download
memory/2248-37-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2248-10043-0x0000000001E70000-0x0000000001E8F000-memory.dmp

Filesize
124KB

Download
memory/2248-10044-0x0000000076EC0000-0x0000000077069000-memory.dmp

Filesize
1.7MB

Download