netwire | 3756ac8f01c9c6d1c1a2e9b51edff7deca0540f8954950200daae8b4c28a9888

Analysis

max time kernel
117s
max time network
120s
platform
windows7_x64
resource
win7-20240319-en
resource tags

arch:x64arch:x86image:win7-20240319-enlocale:en-usos:windows7-x64system
submitted
10/04/2024, 10:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3756ac8f01c9c6d1c1a2e9b51edff7deca0540f8954950200daae8b4c28a9888.exe
Size

1.1MB
MD5

3a2f2086ac104d71f450b30ab47e36d5
SHA1

3c29394856e86bf4d1d255e70b51929011f4c75a
SHA256

3756ac8f01c9c6d1c1a2e9b51edff7deca0540f8954950200daae8b4c28a9888
SHA512

f81309eab8b1249edb563e99d83527276ae163e89cf8fbc6da1f096fd1453ec7cd1839be0e0cc5594d2a4a2b9ecd0ed102d4b14b05330290224d3a0d352bb9d2
SSDEEP

24576:o2O/GlJt+uxqlvm+QEoHTj9ShwLPQNBMHxLY:i6++lTj9ShwTCBMRs

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

knudandersen.zapto.org:21000

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
07.03.17
keylogger_dir
C:\NVIDIA\profile\
lock_executable
false
offline_keylogger
true
password
1@wi%252ReNd5y0576Z*
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 3 IoCs

rat

resource	yara_rule
behavioral1/memory/2556-16-0x0000000000400000-0x0000000000420000-memory.dmp	netwire
behavioral1/memory/2556-19-0x0000000000400000-0x0000000000420000-memory.dmp	netwire
behavioral1/memory/2556-21-0x0000000000400000-0x0000000000420000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Executes dropped EXE 1 IoCs

pid	Process
2608	Confirmation.exe

Loads dropped DLL 2 IoCs

pid	Process
1228	WScript.exe
1228	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2528	2556	WerFault.exe	34

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3052	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2608	Confirmation.exe
2608	Confirmation.exe
2608	Confirmation.exe
2608	Confirmation.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2044	AcroRd32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2044	AcroRd32.exe
2044	AcroRd32.exe
2044	AcroRd32.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 2348 wrote to memory of 2044	2348	3756ac8f01c9c6d1c1a2e9b51edff7deca0540f8954950200daae8b4c28a9888.exe	28
PID 2348 wrote to memory of 2044	2348	3756ac8f01c9c6d1c1a2e9b51edff7deca0540f8954950200daae8b4c28a9888.exe	28
PID 2348 wrote to memory of 2044	2348	3756ac8f01c9c6d1c1a2e9b51edff7deca0540f8954950200daae8b4c28a9888.exe	28
PID 2348 wrote to memory of 2044	2348	3756ac8f01c9c6d1c1a2e9b51edff7deca0540f8954950200daae8b4c28a9888.exe	28
PID 2348 wrote to memory of 2044	2348	3756ac8f01c9c6d1c1a2e9b51edff7deca0540f8954950200daae8b4c28a9888.exe	28
PID 2348 wrote to memory of 2044	2348	3756ac8f01c9c6d1c1a2e9b51edff7deca0540f8954950200daae8b4c28a9888.exe	28
PID 2348 wrote to memory of 2044	2348	3756ac8f01c9c6d1c1a2e9b51edff7deca0540f8954950200daae8b4c28a9888.exe	28
PID 2348 wrote to memory of 1228	2348	3756ac8f01c9c6d1c1a2e9b51edff7deca0540f8954950200daae8b4c28a9888.exe	29
PID 2348 wrote to memory of 1228	2348	3756ac8f01c9c6d1c1a2e9b51edff7deca0540f8954950200daae8b4c28a9888.exe	29
PID 2348 wrote to memory of 1228	2348	3756ac8f01c9c6d1c1a2e9b51edff7deca0540f8954950200daae8b4c28a9888.exe	29
PID 2348 wrote to memory of 1228	2348	3756ac8f01c9c6d1c1a2e9b51edff7deca0540f8954950200daae8b4c28a9888.exe	29
PID 2348 wrote to memory of 1228	2348	3756ac8f01c9c6d1c1a2e9b51edff7deca0540f8954950200daae8b4c28a9888.exe	29
PID 2348 wrote to memory of 1228	2348	3756ac8f01c9c6d1c1a2e9b51edff7deca0540f8954950200daae8b4c28a9888.exe	29
PID 2348 wrote to memory of 1228	2348	3756ac8f01c9c6d1c1a2e9b51edff7deca0540f8954950200daae8b4c28a9888.exe	29
PID 1228 wrote to memory of 2608	1228	WScript.exe	30
PID 1228 wrote to memory of 2608	1228	WScript.exe	30
PID 1228 wrote to memory of 2608	1228	WScript.exe	30
PID 1228 wrote to memory of 2608	1228	WScript.exe	30
PID 1228 wrote to memory of 2608	1228	WScript.exe	30
PID 1228 wrote to memory of 2608	1228	WScript.exe	30
PID 1228 wrote to memory of 2608	1228	WScript.exe	30
PID 1228 wrote to memory of 2696	1228	WScript.exe	31
PID 1228 wrote to memory of 2696	1228	WScript.exe	31
PID 1228 wrote to memory of 2696	1228	WScript.exe	31
PID 1228 wrote to memory of 2696	1228	WScript.exe	31
PID 1228 wrote to memory of 2696	1228	WScript.exe	31
PID 1228 wrote to memory of 2696	1228	WScript.exe	31
PID 1228 wrote to memory of 2696	1228	WScript.exe	31
PID 2696 wrote to memory of 3052	2696	cmd.exe	33
PID 2696 wrote to memory of 3052	2696	cmd.exe	33
PID 2696 wrote to memory of 3052	2696	cmd.exe	33
PID 2696 wrote to memory of 3052	2696	cmd.exe	33
PID 2696 wrote to memory of 3052	2696	cmd.exe	33
PID 2696 wrote to memory of 3052	2696	cmd.exe	33
PID 2696 wrote to memory of 3052	2696	cmd.exe	33
PID 2608 wrote to memory of 2556	2608	Confirmation.exe	34
PID 2608 wrote to memory of 2556	2608	Confirmation.exe	34
PID 2608 wrote to memory of 2556	2608	Confirmation.exe	34
PID 2608 wrote to memory of 2556	2608	Confirmation.exe	34
PID 2608 wrote to memory of 2556	2608	Confirmation.exe	34
PID 2608 wrote to memory of 2556	2608	Confirmation.exe	34
PID 2608 wrote to memory of 2556	2608	Confirmation.exe	34
PID 2608 wrote to memory of 2556	2608	Confirmation.exe	34
PID 2608 wrote to memory of 2556	2608	Confirmation.exe	34
PID 2608 wrote to memory of 2556	2608	Confirmation.exe	34
PID 2608 wrote to memory of 2556	2608	Confirmation.exe	34
PID 2608 wrote to memory of 2556	2608	Confirmation.exe	34
PID 2608 wrote to memory of 2556	2608	Confirmation.exe	34
PID 2608 wrote to memory of 2556	2608	Confirmation.exe	34
PID 2608 wrote to memory of 2556	2608	Confirmation.exe	34
PID 2556 wrote to memory of 2528	2556	svchost.exe	35
PID 2556 wrote to memory of 2528	2556	svchost.exe	35
PID 2556 wrote to memory of 2528	2556	svchost.exe	35
PID 2556 wrote to memory of 2528	2556	svchost.exe	35
PID 2556 wrote to memory of 2528	2556	svchost.exe	35
PID 2556 wrote to memory of 2528	2556	svchost.exe	35
PID 2556 wrote to memory of 2528	2556	svchost.exe	35

C:\Users\Admin\AppData\Local\Temp\3756ac8f01c9c6d1c1a2e9b51edff7deca0540f8954950200daae8b4c28a9888.exe
"C:\Users\Admin\AppData\Local\Temp\3756ac8f01c9c6d1c1a2e9b51edff7deca0540f8954950200daae8b4c28a9888.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Certificates\Missing of Pakistani Hujjaj during0001.pdf"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2044
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Certificates\Metallicanew.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1228
- - C:\Certificates\Confirmation.exe
    "C:\Certificates\Confirmation.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2608
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2556
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2556 -s 220
        5⤵
        Program crash
        
        PID:2528
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /MO 1 /TN NH2003 /TR C:\Certificates\Metallicanew.vbs
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2696
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /MO 1 /TN NH2003 /TR C:\Certificates\Metallicanew.vbs
      4⤵
      Creates scheduled task(s)
      PID:3052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Certificates\Confirmation.exe

Filesize
168KB

MD5
cdc613712ac2ab85d6a0d314bb95a082

SHA1
b1ad7a99fe7c1cc93de3543b9c8e298d471bee75

SHA256
11cb794c0f015148172ac5cac54acdb87769a16e8a93be62ab953008b1d26bb2

SHA512
f48f37872186ef8644e76339e2b3f523e0bbe53381abfc464639e6bc0bc3224ff85c20fca1e9e1e7faf1a5e83623156b1bee0bb26109a5ae575f37353ce9795e

Download Submit
C:\Certificates\Metallicanew.vbs

Filesize
165KB

MD5
5047080930303d63185b7360c4378c9d

SHA1
f99c5303d011039ba4c292c4fd77eb4d4299d847

SHA256
57c61e561fd7731c630c649984e3392cc95a30f2257ef3a4ff3fcb0b05a5ca87

SHA512
3b3ac18cc73028cc74ba64251e87cecfb7598631e40fa95840555380c7157960c01d20724a79fc308b5fff96edbc05f078a4916df7c081bb0e4791681607cc69

Download Submit
C:\Certificates\Missing of Pakistani Hujjaj during0001.pdf

Filesize
708KB

MD5
c2e3f3d9fc006cd26682fb8623652c3b

SHA1
56acebff1f3ea7dba1f9f39877c97fb0756d7693

SHA256
b5865366283db9f3accf36d5445d9701b7bff87601f8161327ae175759de0c4b

SHA512
73ab29b70b8ee9b766c00f659d5c0f350f5202898b5f3e5e472d833ca2d9f53260c5237de81eb6e44523715f2f9d3d9d57dcb3e8564fab35584070a65e8ff2a1

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
0d16ff4bd4cc0829db19fa02e523ff25

SHA1
b461b22f74dc93de47616b8b1df41ba977966c39

SHA256
6a82c2d46f3bb136a95bf9c4adc62def67c83a60d08de4c308b3e4aa86f761b9

SHA512
1e244ca4d5ced20d4315efc0be79dbfd3e99a70fda56b9c5ccff7b4c2daa9ea9ea4756adae1099105073d0ef2f68b5df9da92c3c709c53beb5a543d10b7f07fc

Download Submit
memory/2556-18-0x0000000077A1F000-0x0000000077A20000-memory.dmp

Filesize
4KB

Download
memory/2556-16-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2556-19-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2556-21-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2556-22-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/2608-14-0x0000000000430000-0x00000000004AB000-memory.dmp

Filesize
492KB

Download
memory/2608-15-0x0000000077A1F000-0x0000000077A20000-memory.dmp

Filesize
4KB

Download
memory/2608-17-0x0000000000430000-0x00000000004AB000-memory.dmp

Filesize
492KB

Download