netwire | c964e2f4c8334fa8a54f30ac9db0a883e9e93bc93e6d532f451f9b7f41295986

Analysis

max time kernel
142s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
10-04-2024 14:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c964e2f4c8334fa8a54f30ac9db0a883e9e93bc93e6d532f451f9b7f41295986.exe
Size

356KB
MD5

a77833d689be13eae622d48f8a5a8b12
SHA1

0e96529a4ed136cd24602d074e7d70e8ae73a143
SHA256

c964e2f4c8334fa8a54f30ac9db0a883e9e93bc93e6d532f451f9b7f41295986
SHA512

83e9ce66e5aee43b514d7d2a2b92c9fe3dc261ba250c94a0788066c7cf85bbed15f24f841e4d4e65ae9ce6cb2636f6933f7ed067b721a7a51e53b49f42f46652
SSDEEP

6144:Bz+92mhAMJ/cPl3i8/oYt9AHvjcQxV8uqtxazGoygDNO4PIurw0+Rfjr5:BK2mhAMJ/cPlJp9AblH/2KBMurUf5

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

knudandersen.zapto.org:21000

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
UD.28.02.17
keylogger_dir
C:\NVIDIA\profile\
lock_executable
false
offline_keylogger
true
password
1@wi%252ReNd5y0576Z*
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/memory/2616-30-0x0000000000400000-0x0000000000420000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Executes dropped EXE 2 IoCs

pid	Process
2656	avenue.exe
2616	avenue.exe

Loads dropped DLL 10 IoCs

pid	Process
2800	WScript.exe
2800	WScript.exe
2656	avenue.exe
2676	WerFault.exe
2676	WerFault.exe
2676	WerFault.exe
2676	WerFault.exe
2676	WerFault.exe
2676	WerFault.exe
2676	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2676	2616	WerFault.exe	33

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2588	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2656	avenue.exe
2656	avenue.exe
2656	avenue.exe
2656	avenue.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2840	DllHost.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 1364 wrote to memory of 2800	1364	c964e2f4c8334fa8a54f30ac9db0a883e9e93bc93e6d532f451f9b7f41295986.exe	28
PID 1364 wrote to memory of 2800	1364	c964e2f4c8334fa8a54f30ac9db0a883e9e93bc93e6d532f451f9b7f41295986.exe	28
PID 1364 wrote to memory of 2800	1364	c964e2f4c8334fa8a54f30ac9db0a883e9e93bc93e6d532f451f9b7f41295986.exe	28
PID 1364 wrote to memory of 2800	1364	c964e2f4c8334fa8a54f30ac9db0a883e9e93bc93e6d532f451f9b7f41295986.exe	28
PID 1364 wrote to memory of 2800	1364	c964e2f4c8334fa8a54f30ac9db0a883e9e93bc93e6d532f451f9b7f41295986.exe	28
PID 1364 wrote to memory of 2800	1364	c964e2f4c8334fa8a54f30ac9db0a883e9e93bc93e6d532f451f9b7f41295986.exe	28
PID 1364 wrote to memory of 2800	1364	c964e2f4c8334fa8a54f30ac9db0a883e9e93bc93e6d532f451f9b7f41295986.exe	28
PID 2800 wrote to memory of 2656	2800	WScript.exe	30
PID 2800 wrote to memory of 2656	2800	WScript.exe	30
PID 2800 wrote to memory of 2656	2800	WScript.exe	30
PID 2800 wrote to memory of 2656	2800	WScript.exe	30
PID 2800 wrote to memory of 2656	2800	WScript.exe	30
PID 2800 wrote to memory of 2656	2800	WScript.exe	30
PID 2800 wrote to memory of 2656	2800	WScript.exe	30
PID 2800 wrote to memory of 2588	2800	WScript.exe	31
PID 2800 wrote to memory of 2588	2800	WScript.exe	31
PID 2800 wrote to memory of 2588	2800	WScript.exe	31
PID 2800 wrote to memory of 2588	2800	WScript.exe	31
PID 2800 wrote to memory of 2588	2800	WScript.exe	31
PID 2800 wrote to memory of 2588	2800	WScript.exe	31
PID 2800 wrote to memory of 2588	2800	WScript.exe	31
PID 2656 wrote to memory of 2616	2656	avenue.exe	33
PID 2656 wrote to memory of 2616	2656	avenue.exe	33
PID 2656 wrote to memory of 2616	2656	avenue.exe	33
PID 2656 wrote to memory of 2616	2656	avenue.exe	33
PID 2656 wrote to memory of 2616	2656	avenue.exe	33
PID 2656 wrote to memory of 2616	2656	avenue.exe	33
PID 2656 wrote to memory of 2616	2656	avenue.exe	33
PID 2656 wrote to memory of 2616	2656	avenue.exe	33
PID 2656 wrote to memory of 2616	2656	avenue.exe	33
PID 2656 wrote to memory of 2616	2656	avenue.exe	33
PID 2656 wrote to memory of 2616	2656	avenue.exe	33
PID 2656 wrote to memory of 2616	2656	avenue.exe	33
PID 2656 wrote to memory of 2616	2656	avenue.exe	33
PID 2656 wrote to memory of 2616	2656	avenue.exe	33
PID 2656 wrote to memory of 2616	2656	avenue.exe	33
PID 2656 wrote to memory of 2616	2656	avenue.exe	33
PID 2616 wrote to memory of 2676	2616	avenue.exe	34
PID 2616 wrote to memory of 2676	2616	avenue.exe	34
PID 2616 wrote to memory of 2676	2616	avenue.exe	34
PID 2616 wrote to memory of 2676	2616	avenue.exe	34
PID 2616 wrote to memory of 2676	2616	avenue.exe	34
PID 2616 wrote to memory of 2676	2616	avenue.exe	34
PID 2616 wrote to memory of 2676	2616	avenue.exe	34

C:\Users\Admin\AppData\Local\Temp\c964e2f4c8334fa8a54f30ac9db0a883e9e93bc93e6d532f451f9b7f41295986.exe
"C:\Users\Admin\AppData\Local\Temp\c964e2f4c8334fa8a54f30ac9db0a883e9e93bc93e6d532f451f9b7f41295986.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1364
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Broaddus\Broaddus.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2800
- - C:\Broaddus\avenue.exe
    "C:\Broaddus\avenue.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2656
  - - C:\Broaddus\avenue.exe
      "C:\Broaddus\avenue.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2616
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2616 -s 220
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:2676
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /CREATE /SC HOURLY /MO 1 /TN PolicyPKNH2802 /TR C:\Broaddus\avenue.exe
    3⤵
    - Creates scheduled task(s)
    PID:2588

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:2840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Broaddus\Broaddus.vbs

Filesize
228B

MD5
6daef254236afbd19f2e53660ad33ef4

SHA1
8fb01eebaacdffb8de36e4a9501c6fff61fe98d6

SHA256
1d33ec86a713895d13d1f0d3f268744814890d9042fad9bd1abef0015f8efa37

SHA512
f76b917f4a0d8100b31d70a75a36d93d928fc0f0c437d9719c6fadd04a0636fcec6701f779a9e8a5f9dd48ac5d9daf37f6494a589a9e32afe2b48a317f3773a0

Download Submit
C:\Broaddus\Rubina02.jpg

Filesize
86KB

MD5
c6d17380a0888604a50cd7be317a0e75

SHA1
77b049e4a892fc8b6227c66b3f5e8dbb4ecfecec

SHA256
459ec27a41c760c7da63404934c27aad39958f3498cc1e44cf41230c12ead7e7

SHA512
da7ba79ebc8f7cc7fc5f1fba47ef1dd6be9121a5d5f343131c46c4af6508b216b88ca43e2ee0923255bb513766166198fb8943233a6d7c8e074e0b0f9d903d84

Download Submit
C:\Broaddus\avenue.exe

Filesize
724KB

MD5
93bed674dacbf3959c103711164747bf

SHA1
a9cc783a41ed3af7d51f0567ae3fc6f7bf6de087

SHA256
315f7c6e7ad4ffd96acfa73d4c196e32214ed2aa4182e8cfbb518c7981d971ef

SHA512
93609b20c6b8eb37e3f306b45a4c735a1a9b802198d3a22c792a7737f37b0975aef655ecd4db727a069916c8237e651f6d6ca38a53d4c1faeb1100dd25ddccf5

Download Submit
memory/2616-21-0x0000000077D8F000-0x0000000077D90000-memory.dmp

Filesize
4KB

Download
memory/2616-22-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2616-30-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2656-15-0x0000000000380000-0x00000000003FB000-memory.dmp

Filesize
492KB

Download
memory/2656-17-0x0000000077D8F000-0x0000000077D90000-memory.dmp

Filesize
4KB

Download
memory/2656-20-0x0000000000380000-0x00000000003FB000-memory.dmp

Filesize
492KB

Download
memory/2800-9-0x0000000000490000-0x0000000000492000-memory.dmp

Filesize
8KB

Download
memory/2840-10-0x00000000000E0000-0x00000000000E2000-memory.dmp

Filesize
8KB

Download