netwire | 503b1aff23f00a7a668cc8213199a78ac5a66704f375f198b9d41514753cefc8

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04-11-2024 18:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

i dunno i think its crysis ransom.exe
Size

382KB
MD5

c552a3083cae175ce2cf1b272236ee52
SHA1

4fbbaed1224d55a19aa8a2993ae6d567478f77cb
SHA256

310b24120390c6b8d7dac7cfe94259aa7bb03f75b2bea08b8c62fe78efcbe2e0
SHA512

40cabef46fcf76b1eb2aa510fd77c129bb1d67d0e87da273c03abb91c631545e193522dd393da8563d3654562b02d14fd991eb1ec00f8b570336f9b9da4668e5
SSDEEP

6144:uCdYss/E7IOEE39kr9HC/CRNkqq3S8213/jMtdH/pDhXdrAV16V0olOWyQw:ts/E8Oj39y9HC/Ab82mtdfpFxAbstlzZ

Score

10^/10

netwire botnet defense_evasion discovery persistence rat stealer

Malware Config

Extracted

Family

netwire

fdghfghdfghjhgjkgfgjh234569.ru:6974

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
a2nw
lock_executable
false
mutex
NrPiWfVe
offline_keylogger
false
password
rdfs34df32sdf
registry_autorun
false
use_mutex
true

Signatures

NetWire RAT payload 5 IoCs

rat

resource	yara_rule
behavioral6/memory/1172-24-0x0000000000400000-0x0000000000425000-memory.dmp	netwire
behavioral6/memory/1172-26-0x0000000000400000-0x0000000000425000-memory.dmp	netwire
behavioral6/memory/1172-28-0x0000000000400000-0x0000000000425000-memory.dmp	netwire
behavioral6/memory/1172-31-0x0000000000400000-0x0000000000425000-memory.dmp	netwire
behavioral6/memory/1172-32-0x0000000000400000-0x0000000000425000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Netwire family
netwire

Executes dropped EXE 1 IoCs

pid	Process
2680	svcs.exe

Loads dropped DLL 1 IoCs

pid	Process
2628	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\svcs = "C:\\Users\\Admin\\AppData\\Local\\svcs.exe -boot"	svcs.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2680 set thread context of 1172	2680	svcs.exe	44

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 4 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\i dunno i think its crysis ransom.exe:Zone.Identifier	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\i dunno i think its crysis ransom.exe:Zone.Identifier	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Local\svcs.exe:Zone.Identifier	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Local\svcs.exe:Zone.Identifier	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i dunno i think its crysis ransom.exe

NTFS ADS 5 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\svcs.exe:Zone.Identifier	cmd.exe
File created	C:\Users\Admin\AppData\Local\Temp\i dunno i think its crysis ransom.exe:Zone.Identifier	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\i dunno i think its crysis ransom.exe:Zone.Identifier	cmd.exe
File created	C:\Users\Admin\AppData\Local\svcs.exe\:Zone.Identifier:$DATA	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Local\svcs.exe:Zone.Identifier	cmd.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1920	i dunno i think its crysis ransom.exe
Token: SeDebugPrivilege	2680	svcs.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 1920 wrote to memory of 2876	1920	i dunno i think its crysis ransom.exe	31
PID 1920 wrote to memory of 2876	1920	i dunno i think its crysis ransom.exe	31
PID 1920 wrote to memory of 2876	1920	i dunno i think its crysis ransom.exe	31
PID 1920 wrote to memory of 2876	1920	i dunno i think its crysis ransom.exe	31
PID 1920 wrote to memory of 2476	1920	i dunno i think its crysis ransom.exe	33
PID 1920 wrote to memory of 2476	1920	i dunno i think its crysis ransom.exe	33
PID 1920 wrote to memory of 2476	1920	i dunno i think its crysis ransom.exe	33
PID 1920 wrote to memory of 2476	1920	i dunno i think its crysis ransom.exe	33
PID 1920 wrote to memory of 2864	1920	i dunno i think its crysis ransom.exe	35
PID 1920 wrote to memory of 2864	1920	i dunno i think its crysis ransom.exe	35
PID 1920 wrote to memory of 2864	1920	i dunno i think its crysis ransom.exe	35
PID 1920 wrote to memory of 2864	1920	i dunno i think its crysis ransom.exe	35
PID 1920 wrote to memory of 2628	1920	i dunno i think its crysis ransom.exe	37
PID 1920 wrote to memory of 2628	1920	i dunno i think its crysis ransom.exe	37
PID 1920 wrote to memory of 2628	1920	i dunno i think its crysis ransom.exe	37
PID 1920 wrote to memory of 2628	1920	i dunno i think its crysis ransom.exe	37
PID 2628 wrote to memory of 2680	2628	cmd.exe	39
PID 2628 wrote to memory of 2680	2628	cmd.exe	39
PID 2628 wrote to memory of 2680	2628	cmd.exe	39
PID 2628 wrote to memory of 2680	2628	cmd.exe	39
PID 2680 wrote to memory of 2276	2680	svcs.exe	40
PID 2680 wrote to memory of 2276	2680	svcs.exe	40
PID 2680 wrote to memory of 2276	2680	svcs.exe	40
PID 2680 wrote to memory of 2276	2680	svcs.exe	40
PID 2680 wrote to memory of 640	2680	svcs.exe	42
PID 2680 wrote to memory of 640	2680	svcs.exe	42
PID 2680 wrote to memory of 640	2680	svcs.exe	42
PID 2680 wrote to memory of 640	2680	svcs.exe	42
PID 2680 wrote to memory of 1172	2680	svcs.exe	44
PID 2680 wrote to memory of 1172	2680	svcs.exe	44
PID 2680 wrote to memory of 1172	2680	svcs.exe	44
PID 2680 wrote to memory of 1172	2680	svcs.exe	44
PID 2680 wrote to memory of 1172	2680	svcs.exe	44
PID 2680 wrote to memory of 1172	2680	svcs.exe	44
PID 2680 wrote to memory of 1172	2680	svcs.exe	44
PID 2680 wrote to memory of 1172	2680	svcs.exe	44
PID 2680 wrote to memory of 1172	2680	svcs.exe	44
PID 2680 wrote to memory of 1172	2680	svcs.exe	44
PID 2680 wrote to memory of 1172	2680	svcs.exe	44

C:\Users\Admin\AppData\Local\Temp\i dunno i think its crysis ransom.exe
"C:\Users\Admin\AppData\Local\Temp\i dunno i think its crysis ransom.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1920
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Local\Temp\i dunno i think its crysis ransom.exe:Zone.Identifier"
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  PID:2876
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Local\Temp\i dunno i think its crysis ransom.exe:Zone.Identifier"
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  PID:2476
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\i dunno i think its crysis ransom.exe" "C:\Users\Admin\AppData\Local\svcs.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  PID:2864
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Local\svcs.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2628
- - C:\Users\Admin\AppData\Local\svcs.exe
    "C:\Users\Admin\AppData\Local\svcs.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2680
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Local\svcs.exe:Zone.Identifier"
      4⤵
      Subvert Trust Controls: Mark-of-the-Web Bypass
      System Location Discovery: System Language Discovery
      NTFS ADS
      PID:2276
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Local\svcs.exe:Zone.Identifier"
      4⤵
      Subvert Trust Controls: Mark-of-the-Web Bypass
      System Location Discovery: System Language Discovery
      NTFS ADS
      PID:640
  - - C:\Windows\SysWOW64\svchost.exe
      "C:\Windows\system32\svchost.exe"
      4⤵
      PID:1172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\svcs.exe

Filesize
382KB

MD5
c552a3083cae175ce2cf1b272236ee52

SHA1
4fbbaed1224d55a19aa8a2993ae6d567478f77cb

SHA256
310b24120390c6b8d7dac7cfe94259aa7bb03f75b2bea08b8c62fe78efcbe2e0

SHA512
40cabef46fcf76b1eb2aa510fd77c129bb1d67d0e87da273c03abb91c631545e193522dd393da8563d3654562b02d14fd991eb1ec00f8b570336f9b9da4668e5

Download Submit
memory/1172-18-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1172-32-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1172-31-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1172-30-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1172-28-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1172-26-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1172-24-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1172-22-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1172-20-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1920-5-0x00000000004F0000-0x00000000004FA000-memory.dmp

Filesize
40KB

Download
memory/1920-15-0x0000000074C60000-0x000000007534E000-memory.dmp

Filesize
6.9MB

Download
memory/1920-8-0x0000000074C60000-0x000000007534E000-memory.dmp

Filesize
6.9MB

Download
memory/1920-7-0x0000000001FD0000-0x0000000001FD6000-memory.dmp

Filesize
24KB

Download
memory/1920-6-0x0000000000650000-0x000000000065C000-memory.dmp

Filesize
48KB

Download
memory/1920-0-0x0000000074C6E000-0x0000000074C6F000-memory.dmp

Filesize
4KB

Download
memory/1920-4-0x0000000074C60000-0x000000007534E000-memory.dmp

Filesize
6.9MB

Download
memory/1920-3-0x00000000002E0000-0x000000000030A000-memory.dmp

Filesize
168KB

Download
memory/1920-2-0x0000000074C6E000-0x0000000074C6F000-memory.dmp

Filesize
4KB

Download
memory/1920-1-0x0000000000120000-0x0000000000184000-memory.dmp

Filesize
400KB

Download
memory/2680-16-0x0000000000150000-0x00000000001B4000-memory.dmp

Filesize
400KB

Download
memory/2680-17-0x0000000004190000-0x000000000419C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads