netwire | 6595f0e12eb544f7a409a030dbdf5072a81b8d415c6d3295092d91ee8eb8566c

General

Target

d15f99dbd30bae6e896c52a810fbcba080ae3ba76f3fc0d9a7761c5736ec7c81.exe
Size

171KB
MD5

7a6a6b35d4bc575897a1420134afc96a
SHA1

9c5e87ce87b70a52f57097172c2babde2021454b
SHA256

d15f99dbd30bae6e896c52a810fbcba080ae3ba76f3fc0d9a7761c5736ec7c81
SHA512

b879c2bf81017f8f97d4db3b458d6f3ff6eb1acb6e28394d9a292d58e83194857c6c5981378170e81d383340eb3eff42d2d64ce54ebd7a3e7357988428da5d2e
SSDEEP

3072:k/0CVy40hsbOeOyupBfOP8S6Uj9Av0fEdiFxFXwElgdEA/fLpujDqTrk3mjcqfZ:kswhwyJLjzfiib53W/fLpsDq/k7qf

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Extracted

Family

netwire

C2

sosclient.duckdns.org:9002

Attributes

activex_autorun
true
activex_key
{OTGC73Q0-N4WA-4861-311L-BE075477ANH7}
copy_executable
false
delete_original
false
host_id
08-%Rand%
lock_executable
true
mutex
stostmDW
offline_keylogger
false
password
10203010Aa
registry_autorun
true
startup_name
Windows defender
use_mutex
true

Signatures

NetWire RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2752-24-0x0000000000400000-0x0000000000420000-memory.dmp	netwire
behavioral2/memory/2752-27-0x0000000000400000-0x0000000000420000-memory.dmp	netwire
behavioral2/memory/2752-31-0x0000000000400000-0x0000000000420000-memory.dmp	netwire
behavioral2/memory/2752-34-0x0000000000400000-0x0000000000420000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

AppLaunch.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{OTGC73Q0-N4WA-4861-311L-BE075477ANH7}	AppLaunch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{OTGC73Q0-N4WA-4861-311L-BE075477ANH7}\StubPath = "\"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\AppLaunch.exe\""	AppLaunch.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

d15f99dbd30bae6e896c52a810fbcba080ae3ba76f3fc0d9a7761c5736ec7c81.exerundlll32.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	d15f99dbd30bae6e896c52a810fbcba080ae3ba76f3fc0d9a7761c5736ec7c81.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	rundlll32.exe

Drops startup file 3 IoCs

Processes:

d15f99dbd30bae6e896c52a810fbcba080ae3ba76f3fc0d9a7761c5736ec7c81.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rundlll32.exe	d15f99dbd30bae6e896c52a810fbcba080ae3ba76f3fc0d9a7761c5736ec7c81.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rundlll32.exe	d15f99dbd30bae6e896c52a810fbcba080ae3ba76f3fc0d9a7761c5736ec7c81.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rundlll32.tbgljov2.lnk	d15f99dbd30bae6e896c52a810fbcba080ae3ba76f3fc0d9a7761c5736ec7c81.exe

Executes dropped EXE 2 IoCs

Processes:

rundlll32.exerundlll32.exe

pid process

2024 rundlll32.exe
456 rundlll32.exe

pid	process
2024	rundlll32.exe
456	rundlll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

AppLaunch.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows defender = "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\AppLaunch.exe"	AppLaunch.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

rundlll32.exe

description pid process target process

PID 2024 set thread context of 2752 2024 rundlll32.exe AppLaunch.exe

description	pid	process	target process
PID 2024 set thread context of 2752	2024	rundlll32.exe	AppLaunch.exe

Drops file in Windows directory 3 IoCs

Processes:

AppLaunch.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\Settings.ini	AppLaunch.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe	AppLaunch.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\Settings.ini	AppLaunch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

d15f99dbd30bae6e896c52a810fbcba080ae3ba76f3fc0d9a7761c5736ec7c81.exerundlll32.exerundlll32.exe

description	pid	process
Token: SeDebugPrivilege	1600	d15f99dbd30bae6e896c52a810fbcba080ae3ba76f3fc0d9a7761c5736ec7c81.exe
Token: SeDebugPrivilege	2024	rundlll32.exe
Token: SeDebugPrivilege	456	rundlll32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

d15f99dbd30bae6e896c52a810fbcba080ae3ba76f3fc0d9a7761c5736ec7c81.exe

pid process

1600 d15f99dbd30bae6e896c52a810fbcba080ae3ba76f3fc0d9a7761c5736ec7c81.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

d15f99dbd30bae6e896c52a810fbcba080ae3ba76f3fc0d9a7761c5736ec7c81.exe

pid process

1600 d15f99dbd30bae6e896c52a810fbcba080ae3ba76f3fc0d9a7761c5736ec7c81.exe

pid	process
1600	d15f99dbd30bae6e896c52a810fbcba080ae3ba76f3fc0d9a7761c5736ec7c81.exe

pid	process
1600	d15f99dbd30bae6e896c52a810fbcba080ae3ba76f3fc0d9a7761c5736ec7c81.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

d15f99dbd30bae6e896c52a810fbcba080ae3ba76f3fc0d9a7761c5736ec7c81.exerundlll32.exe

description	pid	process	target process
PID 1600 wrote to memory of 2024	1600	d15f99dbd30bae6e896c52a810fbcba080ae3ba76f3fc0d9a7761c5736ec7c81.exe	rundlll32.exe
PID 1600 wrote to memory of 2024	1600	d15f99dbd30bae6e896c52a810fbcba080ae3ba76f3fc0d9a7761c5736ec7c81.exe	rundlll32.exe
PID 1600 wrote to memory of 2024	1600	d15f99dbd30bae6e896c52a810fbcba080ae3ba76f3fc0d9a7761c5736ec7c81.exe	rundlll32.exe
PID 2024 wrote to memory of 456	2024	rundlll32.exe	rundlll32.exe
PID 2024 wrote to memory of 456	2024	rundlll32.exe	rundlll32.exe
PID 2024 wrote to memory of 456	2024	rundlll32.exe	rundlll32.exe
PID 2024 wrote to memory of 2752	2024	rundlll32.exe	AppLaunch.exe
PID 2024 wrote to memory of 2752	2024	rundlll32.exe	AppLaunch.exe
PID 2024 wrote to memory of 2752	2024	rundlll32.exe	AppLaunch.exe
PID 2024 wrote to memory of 2752	2024	rundlll32.exe	AppLaunch.exe
PID 2024 wrote to memory of 2752	2024	rundlll32.exe	AppLaunch.exe
PID 2024 wrote to memory of 2752	2024	rundlll32.exe	AppLaunch.exe
PID 2024 wrote to memory of 2752	2024	rundlll32.exe	AppLaunch.exe
PID 2024 wrote to memory of 2752	2024	rundlll32.exe	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\d15f99dbd30bae6e896c52a810fbcba080ae3ba76f3fc0d9a7761c5736ec7c81.exe
"C:\Users\Admin\AppData\Local\Temp\d15f99dbd30bae6e896c52a810fbcba080ae3ba76f3fc0d9a7761c5736ec7c81.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1600

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rundlll32.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rundlll32.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2024

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rundlll32.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rundlll32.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:456

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
3⤵
- Modifies Installed Components in the registry
- Adds Run key to start application
- Drops file in Windows directory
PID:2752

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rundlll32.exe
Filesize
171KB

MD5
7a6a6b35d4bc575897a1420134afc96a

SHA1
9c5e87ce87b70a52f57097172c2babde2021454b

SHA256
d15f99dbd30bae6e896c52a810fbcba080ae3ba76f3fc0d9a7761c5736ec7c81

SHA512
b879c2bf81017f8f97d4db3b458d6f3ff6eb1acb6e28394d9a292d58e83194857c6c5981378170e81d383340eb3eff42d2d64ce54ebd7a3e7357988428da5d2e

Download Submit
memory/456-22-0x0000000074B90000-0x0000000075141000-memory.dmp

Filesize
5.7MB

Download
memory/456-33-0x0000000001300000-0x0000000001310000-memory.dmp

Filesize
64KB

Download
memory/456-32-0x0000000074B90000-0x0000000075141000-memory.dmp

Filesize
5.7MB

Download
memory/456-21-0x0000000074B90000-0x0000000075141000-memory.dmp

Filesize
5.7MB

Download
memory/456-23-0x0000000001300000-0x0000000001310000-memory.dmp

Filesize
64KB

Download
memory/1600-1-0x0000000001420000-0x0000000001430000-memory.dmp

Filesize
64KB

Download
memory/1600-2-0x0000000074B90000-0x0000000075141000-memory.dmp

Filesize
5.7MB

Download
memory/1600-0-0x0000000074B90000-0x0000000075141000-memory.dmp

Filesize
5.7MB

Download
memory/1600-19-0x0000000074B90000-0x0000000075141000-memory.dmp

Filesize
5.7MB

Download
memory/2024-14-0x0000000074B90000-0x0000000075141000-memory.dmp

Filesize
5.7MB

Download
memory/2024-25-0x0000000074B90000-0x0000000075141000-memory.dmp

Filesize
5.7MB

Download
memory/2024-30-0x0000000001410000-0x0000000001420000-memory.dmp

Filesize
64KB

Download
memory/2024-17-0x0000000074B90000-0x0000000075141000-memory.dmp

Filesize
5.7MB

Download
memory/2024-15-0x0000000001410000-0x0000000001420000-memory.dmp

Filesize
64KB

Download
memory/2752-24-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2752-27-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2752-31-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2752-34-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads