netwire | f59268ac976b85521c5e2279d14f57a8d6b3926d710b1853963db0cbd6c4d3c2

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
29-08-2024 13:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

333e76fb70bd934d7360c555ac40a370N.exe
Size

188KB
MD5

333e76fb70bd934d7360c555ac40a370
SHA1

3dbd4e9ecf56efc70515746b51af447191e32239
SHA256

f59268ac976b85521c5e2279d14f57a8d6b3926d710b1853963db0cbd6c4d3c2
SHA512

7e8b9f101b9fa326ea68519da2991d1717a968d7ed46418efe331d1c4067d10edaec7746a2158c749276e1c8fbfe926500342037e74fbab4e3a4a711af0a77a5
SSDEEP

3072:o030XCIscLlj+cM45KzxKwrKdvZz+7DzVX4++RC7AUBTBqzqdTFzILwrK:oje/NGv1+T2PDUCmdTFzIc

Score

10^/10

netwire botnet discovery persistence rat stealer

Malware Config

Extracted

Family

netwire

127.0.0.1:3380

manpower123.sytes.net:3380

Attributes

activex_autorun
true
activex_key
{SU60632U-NH5E-B175-1B86-J7K6RBN22VI8}
copy_executable
true
delete_original
true
host_id
ID1
install_path
%AppData%\Install\1day
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
cPSdeemG
offline_keylogger
true
password
c5dcq70o
registry_autorun
true
startup_name
Java
use_mutex
true

Signatures

NetWire RAT payload 6 IoCs

rat

resource	yara_rule
behavioral1/memory/1888-7-0x0000000000400000-0x0000000000420000-memory.dmp	netwire
behavioral1/memory/1888-9-0x0000000000400000-0x0000000000420000-memory.dmp	netwire
behavioral1/memory/1888-11-0x0000000000400000-0x0000000000420000-memory.dmp	netwire
behavioral1/memory/2220-31-0x0000000000400000-0x0000000000420000-memory.dmp	netwire
behavioral1/memory/2220-34-0x0000000000400000-0x0000000000420000-memory.dmp	netwire
behavioral1/memory/2220-41-0x0000000000400000-0x0000000000420000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{SU60632U-NH5E-B175-1B86-J7K6RBN22VI8}	1day
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{SU60632U-NH5E-B175-1B86-J7K6RBN22VI8}\StubPath = "\"C:\\Users\\Admin\\AppData\\Roaming\\Install\\1day\""	1day

Executes dropped EXE 2 IoCs

pid	Process
2188	1day
2220	1day

Loads dropped DLL 3 IoCs

pid	Process
2688	333e76fb70bd934d7360c555ac40a370N.exe
1888	333e76fb70bd934d7360c555ac40a370N.exe
2188	1day

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\1day"	1day

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2688 set thread context of 1888	2688	333e76fb70bd934d7360c555ac40a370N.exe	31
PID 2188 set thread context of 2220	2188	1day	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2360	2688	WerFault.exe	30

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	333e76fb70bd934d7360c555ac40a370N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	333e76fb70bd934d7360c555ac40a370N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1day
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1day

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x00060000000194c4-12.dat	nsis_installer_1
behavioral1/files/0x00060000000194c4-12.dat	nsis_installer_2

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2688	333e76fb70bd934d7360c555ac40a370N.exe
2188	1day

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2688 wrote to memory of 1888	2688	333e76fb70bd934d7360c555ac40a370N.exe	31
PID 2688 wrote to memory of 1888	2688	333e76fb70bd934d7360c555ac40a370N.exe	31
PID 2688 wrote to memory of 1888	2688	333e76fb70bd934d7360c555ac40a370N.exe	31
PID 2688 wrote to memory of 1888	2688	333e76fb70bd934d7360c555ac40a370N.exe	31
PID 2688 wrote to memory of 1888	2688	333e76fb70bd934d7360c555ac40a370N.exe	31
PID 2688 wrote to memory of 2360	2688	333e76fb70bd934d7360c555ac40a370N.exe	32
PID 2688 wrote to memory of 2360	2688	333e76fb70bd934d7360c555ac40a370N.exe	32
PID 2688 wrote to memory of 2360	2688	333e76fb70bd934d7360c555ac40a370N.exe	32
PID 2688 wrote to memory of 2360	2688	333e76fb70bd934d7360c555ac40a370N.exe	32
PID 1888 wrote to memory of 2188	1888	333e76fb70bd934d7360c555ac40a370N.exe	33
PID 1888 wrote to memory of 2188	1888	333e76fb70bd934d7360c555ac40a370N.exe	33
PID 1888 wrote to memory of 2188	1888	333e76fb70bd934d7360c555ac40a370N.exe	33
PID 1888 wrote to memory of 2188	1888	333e76fb70bd934d7360c555ac40a370N.exe	33
PID 2188 wrote to memory of 2220	2188	1day	34
PID 2188 wrote to memory of 2220	2188	1day	34
PID 2188 wrote to memory of 2220	2188	1day	34
PID 2188 wrote to memory of 2220	2188	1day	34
PID 2188 wrote to memory of 2220	2188	1day	34

C:\Users\Admin\AppData\Local\Temp\333e76fb70bd934d7360c555ac40a370N.exe
"C:\Users\Admin\AppData\Local\Temp\333e76fb70bd934d7360c555ac40a370N.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2688
- C:\Users\Admin\AppData\Local\Temp\333e76fb70bd934d7360c555ac40a370N.exe
  "C:\Users\Admin\AppData\Local\Temp\333e76fb70bd934d7360c555ac40a370N.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1888
- - C:\Users\Admin\AppData\Roaming\Install\1day
    -m "C:\Users\Admin\AppData\Local\Temp\333e76fb70bd934d7360c555ac40a370N.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2188
  - - C:\Users\Admin\AppData\Roaming\Install\1day
      -m "C:\Users\Admin\AppData\Local\Temp\333e76fb70bd934d7360c555ac40a370N.exe"
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:2220
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2688 -s 452
  2⤵
  - Program crash
  PID:2360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\539762303

Filesize
102KB

MD5
369f55c968e66ad9dc6f4f6516b1c590

SHA1
b857f8c5b85e5721acfdecfbc6f0b92615ea2f06

SHA256
fa3c41bf4ab3f29dea50574ff3fe2e20b31354264a6c99569ed1509538b4ca20

SHA512
6e3ca4781bba3f0ce9d200101c44fe26a6606d4fd791fee083e019dc52b7b44ba0cc55a833d7bd58797be1f5a551b7148dce7176487a80df29a18d0e3258d834

Download Submit
\Users\Admin\AppData\Local\Temp\nsyD431.tmp\System.dll

Filesize
11KB

MD5
55a26d7800446f1373056064c64c3ce8

SHA1
80256857e9a0a9c8897923b717f3435295a76002

SHA256
904fd5481d72f4e03b01a455f848dedd095d0fb17e33608e0d849f5196fb6ff8

SHA512
04b8ab7a85c26f188c0a06f524488d6f2ac2884bf107c860c82e94ae12c3859f825133d78338fd2b594dfc48f7dc9888ae76fee786c6252a5c77c88755128a5b

Download Submit
\Users\Admin\AppData\Roaming\Install\1day

Filesize
188KB

MD5
333e76fb70bd934d7360c555ac40a370

SHA1
3dbd4e9ecf56efc70515746b51af447191e32239

SHA256
f59268ac976b85521c5e2279d14f57a8d6b3926d710b1853963db0cbd6c4d3c2

SHA512
7e8b9f101b9fa326ea68519da2991d1717a968d7ed46418efe331d1c4067d10edaec7746a2158c749276e1c8fbfe926500342037e74fbab4e3a4a711af0a77a5

Download Submit
memory/1888-7-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1888-9-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1888-11-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2220-31-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2220-34-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2220-41-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads