netwire | 40cbbf504a6af3b5ad0d25cb02f4dc9544596d6978468b708c9f2248953a4e6c

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15/10/2024, 12:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe
Size

1.0MB
MD5

47ed26d0a0f4d8a98d743f23a6e36c22
SHA1

bfa384cb2680435f734eb1913611ebe19231a609
SHA256

40cbbf504a6af3b5ad0d25cb02f4dc9544596d6978468b708c9f2248953a4e6c
SHA512

2c54ccef260bf5dc24a81bfb0de7bc38f1f0308fc62f275ff839713d03e860619a3b491a6d2463b33d341d6a448df0bb3a62738c487c678d4557be496473f401
SSDEEP

24576:VAHnh+eWsN3skA4RV1Hom2KXFmIaYx0tZVO55:Eh+ZkldoPK1XaYxcZVc

Score

10^/10

netwire botnet discovery persistence rat stealer

Malware Config

Extracted

Family

netwire

95.167.151.235:8973

Attributes

activex_autorun
true
activex_key
{N0R5BAW8-0Q5K-W773-0566-88UJFGBT8MC5}
copy_executable
true
delete_original
false
host_id
HostId-%Rand%
install_path
%AppData%\Install\Host.exe
lock_executable
false
offline_keylogger
false
password
Password
registry_autorun
true
startup_name
windows
use_mutex
false

Signatures

NetWire RAT payload 2 IoCs

rat

resource	yara_rule
behavioral2/memory/684-4-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/684-13-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{N0R5BAW8-0Q5K-W773-0566-88UJFGBT8MC5}	47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{N0R5BAW8-0Q5K-W773-0566-88UJFGBT8MC5}\StubPath = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe\""	47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{N0R5BAW8-0Q5K-W773-0566-88UJFGBT8MC5}	Host.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{N0R5BAW8-0Q5K-W773-0566-88UJFGBT8MC5}\StubPath = "\"C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe\""	Host.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\manage-bde.url	Host.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\manage-bde.url	47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
3996	Host.exe
4692	Host.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows = "C:\\Users\\Admin\\AppData\\Local\\Temp\\47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe"	47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe"	Host.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x005200000002332b-16.dat	autoit_exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 884 set thread context of 684	884	47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe	94
PID 884 set thread context of 3524	884	47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe	96
PID 3996 set thread context of 4692	3996	Host.exe	98

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Host.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Host.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
884	47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe
884	47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe
884	47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe
884	47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe
884	47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe
884	47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe
3996	Host.exe
3996	Host.exe
3996	Host.exe
3996	Host.exe
884	47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe
884	47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe
884	47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe
884	47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe
884	47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe
884	47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe
884	47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe
884	47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe
884	47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe
884	47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe
884	47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe
884	47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe
884	47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe
884	47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe
884	47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe
884	47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe
884	47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe
884	47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe
884	47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe
884	47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe
884	47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe
884	47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe
884	47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe
884	47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe
884	47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe
884	47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe
884	47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe
884	47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe
884	47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe
884	47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe
884	47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe
884	47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe
884	47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe
884	47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe
884	47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe
884	47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe
884	47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe
884	47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe
884	47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe
884	47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe
884	47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe
884	47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe
884	47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe
884	47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe
884	47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe
884	47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe
884	47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe
884	47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe
884	47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe
884	47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe
884	47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe
884	47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe
884	47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe
884	47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
884	47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe
884	47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe
884	47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe
3996	Host.exe
3996	Host.exe
3996	Host.exe

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
884	47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe
884	47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe
884	47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe
3996	Host.exe
3996	Host.exe
3996	Host.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 884 wrote to memory of 684	884	47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe	94
PID 884 wrote to memory of 684	884	47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe	94
PID 884 wrote to memory of 684	884	47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe	94
PID 884 wrote to memory of 684	884	47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe	94
PID 884 wrote to memory of 684	884	47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe	94
PID 684 wrote to memory of 3996	684	47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe	95
PID 684 wrote to memory of 3996	684	47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe	95
PID 684 wrote to memory of 3996	684	47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe	95
PID 884 wrote to memory of 3524	884	47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe	96
PID 884 wrote to memory of 3524	884	47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe	96
PID 884 wrote to memory of 3524	884	47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe	96
PID 884 wrote to memory of 3524	884	47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe	96
PID 884 wrote to memory of 3524	884	47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe	96
PID 3996 wrote to memory of 4692	3996	Host.exe	98
PID 3996 wrote to memory of 4692	3996	Host.exe	98
PID 3996 wrote to memory of 4692	3996	Host.exe	98
PID 3996 wrote to memory of 4692	3996	Host.exe	98
PID 3996 wrote to memory of 4692	3996	Host.exe	98

C:\Users\Admin\AppData\Local\Temp\47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:884
- C:\Users\Admin\AppData\Local\Temp\47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:684
- - C:\Users\Admin\AppData\Roaming\Install\Host.exe
    "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:3996
  - - C:\Users\Admin\AppData\Roaming\Install\Host.exe
      "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:4692
- C:\Users\Admin\AppData\Local\Temp\47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe"
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:3524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
1.0MB

MD5
47ed26d0a0f4d8a98d743f23a6e36c22

SHA1
bfa384cb2680435f734eb1913611ebe19231a609

SHA256
40cbbf504a6af3b5ad0d25cb02f4dc9544596d6978468b708c9f2248953a4e6c

SHA512
2c54ccef260bf5dc24a81bfb0de7bc38f1f0308fc62f275ff839713d03e860619a3b491a6d2463b33d341d6a448df0bb3a62738c487c678d4557be496473f401

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\manage-bde.url

Filesize
77B

MD5
2bc950d2636bbc190dd77672c1e15a84

SHA1
320443a43c8b8c214b395ee77c235c014f36da96

SHA256
caf506185b1378b2b4a856eb87943343b65ff59baf284c0ab8caa14630ea6b5c

SHA512
8c993cbd5b7edcb83067017eace023d6659e99d5654e79e057d881fdb698eda2bfda506623aa41e562d6592fbce3fc8fa4f9b651f5482032cf776b3dd8dbe585

Download Submit
C:\Users\Admin\AppData\Roaming\manage-bde.vbs

Filesize
105B

MD5
30b5c4918ac6f3f79d60c4cbccb66564

SHA1
62a4c67b3e56edb117f1382ee7cb805ed226ebc4

SHA256
a107b661fde8b745b4b6e831b0fd7413dc39d628beec8e04e28e968c7e37fbda

SHA512
8010b56dc271a50dae0e85d50d820dc8f74f662187cb5d9f5fffab02666619d2fe15daa5c86e9bcec0f2e3f331f57304f1ea0f995626483bd2d37fdd7f8f7c5d

Download Submit
memory/684-4-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/684-13-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/884-3-0x0000000000550000-0x0000000000551000-memory.dmp

Filesize
4KB

Download
memory/884-31-0x0000000000550000-0x0000000000551000-memory.dmp

Filesize
4KB

Download
memory/3996-43-0x0000000003870000-0x0000000003871000-memory.dmp

Filesize
4KB

Download