netwire | bc7663c89073cebc93986a508b544590df0d10658fe349e8504490101fc7e5cd

Analysis

max time kernel
96s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 13:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe
Size

1.2MB
MD5

29b108e40acb05c3c9c2fa8c19b166e3
SHA1

892c676275a723822d2d47dc1a48defec8bde643
SHA256

4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5
SHA512

9cee10259615c90ea51710fd119dc9c8899b8bf4363513ecbc79aa3a69351c68625f5ca5e7c521d2346a54640358eb2deba0fd6db08a7ade5d2970304ad5beb2
SSDEEP

24576:peW/uHyRLqHJ/wAmDZtRauPvqz6WQ5YQ9kXRGjr:peW/uSRLeJ4AmDZtPPvqzs5Y+kXRG

Score

10^/10

netwire botnet discovery rat stealer

Malware Config

Extracted

Family

netwire

37.0.14.206:3384

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
install_path
%AppData%\Install\Host.exe
lock_executable
false
offline_keylogger
false
password
Password234
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 6 IoCs

rat

resource	yara_rule
behavioral2/memory/2716-16-0x0000000000400000-0x000000000044F000-memory.dmp	netwire
behavioral2/memory/2716-17-0x0000000000400000-0x000000000044F000-memory.dmp	netwire
behavioral2/memory/2716-19-0x0000000000400000-0x000000000044F000-memory.dmp	netwire
behavioral2/memory/2716-21-0x0000000000400000-0x000000000044F000-memory.dmp	netwire
behavioral2/memory/2716-33-0x0000000000400000-0x000000000044F000-memory.dmp	netwire
behavioral2/memory/4040-40-0x0000000000400000-0x000000000044F000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Netwire family
netwire

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Host.exe

Executes dropped EXE 2 IoCs

pid	Process
2376	Host.exe
4040	Host.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3164 set thread context of 2716	3164	4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe	101
PID 2376 set thread context of 4040	2376	Host.exe	107

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Host.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Host.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3024	schtasks.exe
1580	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3164	4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe
2376	Host.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3164	4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe
Token: SeDebugPrivilege	2376	Host.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 3164 wrote to memory of 3024	3164	4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe	99
PID 3164 wrote to memory of 3024	3164	4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe	99
PID 3164 wrote to memory of 3024	3164	4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe	99
PID 3164 wrote to memory of 2716	3164	4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe	101
PID 3164 wrote to memory of 2716	3164	4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe	101
PID 3164 wrote to memory of 2716	3164	4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe	101
PID 3164 wrote to memory of 2716	3164	4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe	101
PID 3164 wrote to memory of 2716	3164	4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe	101
PID 3164 wrote to memory of 2716	3164	4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe	101
PID 3164 wrote to memory of 2716	3164	4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe	101
PID 3164 wrote to memory of 2716	3164	4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe	101
PID 3164 wrote to memory of 2716	3164	4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe	101
PID 3164 wrote to memory of 2716	3164	4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe	101
PID 2716 wrote to memory of 2376	2716	4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe	102
PID 2716 wrote to memory of 2376	2716	4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe	102
PID 2716 wrote to memory of 2376	2716	4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe	102
PID 2376 wrote to memory of 1580	2376	Host.exe	105
PID 2376 wrote to memory of 1580	2376	Host.exe	105
PID 2376 wrote to memory of 1580	2376	Host.exe	105
PID 2376 wrote to memory of 4040	2376	Host.exe	107
PID 2376 wrote to memory of 4040	2376	Host.exe	107
PID 2376 wrote to memory of 4040	2376	Host.exe	107
PID 2376 wrote to memory of 4040	2376	Host.exe	107
PID 2376 wrote to memory of 4040	2376	Host.exe	107
PID 2376 wrote to memory of 4040	2376	Host.exe	107
PID 2376 wrote to memory of 4040	2376	Host.exe	107
PID 2376 wrote to memory of 4040	2376	Host.exe	107
PID 2376 wrote to memory of 4040	2376	Host.exe	107
PID 2376 wrote to memory of 4040	2376	Host.exe	107

C:\Users\Admin\AppData\Local\Temp\4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe
"C:\Users\Admin\AppData\Local\Temp\4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3164
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NSopOOoiUVq" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1940.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:3024
- C:\Users\Admin\AppData\Local\Temp\4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe
  "{path}"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Users\Admin\AppData\Roaming\Install\Host.exe
    "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2376
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NSopOOoiUVq" /XML "C:\Users\Admin\AppData\Local\Temp\tmp944C.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:1580
  - - C:\Users\Admin\AppData\Roaming\Install\Host.exe
      "{path}"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp1940.tmp

Filesize
1KB

MD5
da0062615aae6e8da1fdd78692ab53bf

SHA1
4c4acb380967bdee4f0ca24efdf21af5d6e35814

SHA256
4b5fb2ec1b14ee6fe5ed6b9703caa071f5ab882464a89278957beb9e8f3828f1

SHA512
322e3a891ae9dde88169db2df839e51723c9f07f6b14fb2d00a7f35bda849a197c3cfe1d702a83ef406ca3a4d524448621de15c75534e6c4d3a702efab498d46

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
1.2MB

MD5
29b108e40acb05c3c9c2fa8c19b166e3

SHA1
892c676275a723822d2d47dc1a48defec8bde643

SHA256
4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5

SHA512
9cee10259615c90ea51710fd119dc9c8899b8bf4363513ecbc79aa3a69351c68625f5ca5e7c521d2346a54640358eb2deba0fd6db08a7ade5d2970304ad5beb2

Download Submit
memory/2376-35-0x000000007432E000-0x000000007432F000-memory.dmp

Filesize
4KB

Download
memory/2376-34-0x000000007432E000-0x000000007432F000-memory.dmp

Filesize
4KB

Download
memory/2716-33-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2716-21-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2716-19-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2716-17-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2716-16-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/3164-12-0x000000000ABA0000-0x000000000AC2C000-memory.dmp

Filesize
560KB

Download
memory/3164-6-0x0000000074A00000-0x00000000751B0000-memory.dmp

Filesize
7.7MB

Download
memory/3164-11-0x0000000008730000-0x0000000008806000-memory.dmp

Filesize
856KB

Download
memory/3164-0-0x0000000074A0E000-0x0000000074A0F000-memory.dmp

Filesize
4KB

Download
memory/3164-9-0x0000000074A0E000-0x0000000074A0F000-memory.dmp

Filesize
4KB

Download
memory/3164-8-0x0000000004EE0000-0x0000000004F00000-memory.dmp

Filesize
128KB

Download
memory/3164-7-0x0000000005740000-0x0000000005796000-memory.dmp

Filesize
344KB

Download
memory/3164-10-0x0000000074A00000-0x00000000751B0000-memory.dmp

Filesize
7.7MB

Download
memory/3164-5-0x0000000005400000-0x000000000540A000-memory.dmp

Filesize
40KB

Download
memory/3164-22-0x0000000074A00000-0x00000000751B0000-memory.dmp

Filesize
7.7MB

Download
memory/3164-4-0x0000000005510000-0x00000000055A2000-memory.dmp

Filesize
584KB

Download
memory/3164-3-0x0000000005AC0000-0x0000000006064000-memory.dmp

Filesize
5.6MB

Download
memory/3164-2-0x0000000005470000-0x000000000550C000-memory.dmp

Filesize
624KB

Download
memory/3164-1-0x00000000008F0000-0x0000000000A1E000-memory.dmp

Filesize
1.2MB

Download
memory/4040-40-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download