netwire | d44987e731d424763550dc9fff1fe5717591376162cb3e1aabd1820e71e78122

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05-05-2024 00:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1517ebc8b397e2dd6734146c98eb3052_JaffaCakes118.exe
Size

177KB
MD5

1517ebc8b397e2dd6734146c98eb3052
SHA1

9cdd6b2532227f40337035c9b5877934e5933024
SHA256

d44987e731d424763550dc9fff1fe5717591376162cb3e1aabd1820e71e78122
SHA512

4a7e2d1df8bd4b8778686f1f96fcb3a14937c59395ff7e70dfa735942f884e80e4b8a6326c2ce8ba10393e19d7a4b414d5e016edd8f7909cd038d689abbb0d3d
SSDEEP

3072:7JxMcrKT7SlP/baNKZrDDwzW57X2Dv1LVg1Y7TGC6IaHyvVVmG3DT:dtqjNKBDDbo161WiD0DD3

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Extracted

Family

netwire

clients.enigmasolutions.xyz:54579

Attributes

activex_autorun
false
copy_executable
true
delete_original
false
host_id
Client-%Rand%
install_path
%AppData%\Microsoft\MMC\rock.exe
keylogger_dir
%AppData%\msr\
lock_executable
false
offline_keylogger
true
password
\tx>N(6H`Om2k/cWJBp,""bUbAd1-0Mg
registry_autorun
true
startup_name
rocker
use_mutex
false

Signatures

NetWire RAT payload 4 IoCs

rat

resource	yara_rule
behavioral2/memory/1944-3-0x0000000000990000-0x00000000009BD000-memory.dmp	netwire
behavioral2/memory/1944-4-0x0000000000990000-0x00000000009BD000-memory.dmp	netwire
behavioral2/memory/3588-13-0x0000000000990000-0x00000000009BD000-memory.dmp	netwire
behavioral2/memory/3588-14-0x0000000000990000-0x00000000009BD000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Executes dropped EXE 1 IoCs

pid	Process
3588	rock.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rocker = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\MMC\\rock.exe"	rock.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1944 wrote to memory of 3588	1944	1517ebc8b397e2dd6734146c98eb3052_JaffaCakes118.exe	100
PID 1944 wrote to memory of 3588	1944	1517ebc8b397e2dd6734146c98eb3052_JaffaCakes118.exe	100
PID 1944 wrote to memory of 3588	1944	1517ebc8b397e2dd6734146c98eb3052_JaffaCakes118.exe	100

C:\Users\Admin\AppData\Local\Temp\1517ebc8b397e2dd6734146c98eb3052_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1517ebc8b397e2dd6734146c98eb3052_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1944
- C:\Users\Admin\AppData\Roaming\Microsoft\MMC\rock.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\MMC\rock.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3588

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3524 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:8
1⤵
PID:3896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\MMC\rock.exe

Filesize
177KB

MD5
1517ebc8b397e2dd6734146c98eb3052

SHA1
9cdd6b2532227f40337035c9b5877934e5933024

SHA256
d44987e731d424763550dc9fff1fe5717591376162cb3e1aabd1820e71e78122

SHA512
4a7e2d1df8bd4b8778686f1f96fcb3a14937c59395ff7e70dfa735942f884e80e4b8a6326c2ce8ba10393e19d7a4b414d5e016edd8f7909cd038d689abbb0d3d

Download Submit
memory/1944-0-0x0000000000460000-0x0000000000464000-memory.dmp

Filesize
16KB

Download
memory/1944-2-0x0000000000840000-0x0000000000951000-memory.dmp

Filesize
1.1MB

Download
memory/1944-3-0x0000000000990000-0x00000000009BD000-memory.dmp

Filesize
180KB

Download
memory/1944-4-0x0000000000990000-0x00000000009BD000-memory.dmp

Filesize
180KB

Download
memory/3588-9-0x0000000000540000-0x0000000000544000-memory.dmp

Filesize
16KB

Download
memory/3588-11-0x0000000000870000-0x0000000000981000-memory.dmp

Filesize
1.1MB

Download
memory/3588-13-0x0000000000990000-0x00000000009BD000-memory.dmp

Filesize
180KB

Download
memory/3588-14-0x0000000000990000-0x00000000009BD000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads