netwire | bc649578550eaf985a4f3432ee1d0f8f67098d0070956e6d2b3e72d327886be1

General

Target

PO 05252022.exe
Size

735KB
MD5

5d1a42f272e46d9df26b31f6251665c0
SHA1

bbbd7d531fec546873ff859f16ec1ac1a1699051
SHA256

c10214c2ddcb440aa1d8263790d22b4c2c1a48fafa5a2cb48e5192da5cf41fb4
SHA512

0d34adb08997cd2de0b86e228b7c12f575aa7379fb184b3eaed9e13e767b40c1e82f8dd524988c5cb0a6618a267c93d4e7f8707b8f4f2b81103d71b94d6cf883
SSDEEP

12288:/TGZFFOzoUoFUwzciEkJT5Nv4vdwv3c82QgZ31nl4DIKIFReKJxsviT3DmTZAt2S:/BoEk3OdSWFnl4DIKIF0K0veVKFq

Score

10^/10

netwire botnet discovery execution rat stealer

Malware Config

Extracted

Family

netwire

C2

nowancenorly.ddns.net:6969

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
lock_executable
false
mutex
pYeAqduB
offline_keylogger
false
password
Password
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 6 IoCs

rat

resource	yara_rule
behavioral1/memory/660-31-0x0000000000400000-0x0000000000444000-memory.dmp	netwire
behavioral1/memory/660-39-0x0000000000400000-0x0000000000444000-memory.dmp	netwire
behavioral1/memory/660-38-0x0000000000400000-0x0000000000444000-memory.dmp	netwire
behavioral1/memory/660-35-0x0000000000400000-0x0000000000444000-memory.dmp	netwire
behavioral1/memory/660-33-0x0000000000400000-0x0000000000444000-memory.dmp	netwire
behavioral1/memory/660-29-0x0000000000400000-0x0000000000444000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Netwire family
netwire

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2792	powershell.exe
2952	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1352 set thread context of 660	1352	PO 05252022.exe	37

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PO 05252022.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2624	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1352	PO 05252022.exe
1352	PO 05252022.exe
2792	powershell.exe
2952	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1352	PO 05252022.exe
Token: SeDebugPrivilege	2792	powershell.exe
Token: SeDebugPrivilege	2952	powershell.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 1352 wrote to memory of 2792	1352	PO 05252022.exe	31
PID 1352 wrote to memory of 2792	1352	PO 05252022.exe	31
PID 1352 wrote to memory of 2792	1352	PO 05252022.exe	31
PID 1352 wrote to memory of 2792	1352	PO 05252022.exe	31
PID 1352 wrote to memory of 2952	1352	PO 05252022.exe	33
PID 1352 wrote to memory of 2952	1352	PO 05252022.exe	33
PID 1352 wrote to memory of 2952	1352	PO 05252022.exe	33
PID 1352 wrote to memory of 2952	1352	PO 05252022.exe	33
PID 1352 wrote to memory of 2624	1352	PO 05252022.exe	34
PID 1352 wrote to memory of 2624	1352	PO 05252022.exe	34
PID 1352 wrote to memory of 2624	1352	PO 05252022.exe	34
PID 1352 wrote to memory of 2624	1352	PO 05252022.exe	34
PID 1352 wrote to memory of 660	1352	PO 05252022.exe	37
PID 1352 wrote to memory of 660	1352	PO 05252022.exe	37
PID 1352 wrote to memory of 660	1352	PO 05252022.exe	37
PID 1352 wrote to memory of 660	1352	PO 05252022.exe	37
PID 1352 wrote to memory of 660	1352	PO 05252022.exe	37
PID 1352 wrote to memory of 660	1352	PO 05252022.exe	37
PID 1352 wrote to memory of 660	1352	PO 05252022.exe	37
PID 1352 wrote to memory of 660	1352	PO 05252022.exe	37
PID 1352 wrote to memory of 660	1352	PO 05252022.exe	37
PID 1352 wrote to memory of 660	1352	PO 05252022.exe	37
PID 1352 wrote to memory of 660	1352	PO 05252022.exe	37
PID 1352 wrote to memory of 660	1352	PO 05252022.exe	37
PID 1352 wrote to memory of 660	1352	PO 05252022.exe	37

C:\Users\Admin\AppData\Local\Temp\PO 05252022.exe
"C:\Users\Admin\AppData\Local\Temp\PO 05252022.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1352
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\PO 05252022.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2792
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\fznsGCtf.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2952
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fznsGCtf" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2E03.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2624
- C:\Users\Admin\AppData\Local\Temp\PO 05252022.exe
  "C:\Users\Admin\AppData\Local\Temp\PO 05252022.exe"
  2⤵
  PID:660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp2E03.tmp

Filesize
1KB

MD5
a766dc6492afdc7fe517403089b9ba2d

SHA1
b7ab1fd66d135b6f6eda13955e231e87c9cc3f6f

SHA256
562713c72d7ec296fbf9fe1a59b68c524b8d43016e54ac84c95f5f0f748e46b2

SHA512
00d5f9df1fa7a8c4d9002a684faf84af78d4ebf91d7bdcb79ae96fd1e2c8c24070bce269a049e4785b38f6340bcb60cb9bdbbb7a64da59fb59e2e2d72ebc9c62

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\853I7FRPB9O71NFAV75R.temp

Filesize
7KB

MD5
87f805278c6a123714ac9430ee83aac9

SHA1
6341462ff447f48bded93a1ffa673c1044f3c9fe

SHA256
2809d0e9128efe996a739692ffb10bb7426adb8dfde0e75f027546134b6d5f2c

SHA512
cca09989f7f98350b4f71df38c970fe0adb7ada75b60b0dd578ead69397ff060a9aa884f1432047a1f1d35472e804f8f840f1c7ebc38063efbde757fdd59a62f

Download Submit
memory/660-35-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/660-27-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/660-29-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/660-33-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/660-39-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/660-25-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/660-23-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/660-37-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/660-38-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/660-21-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/660-31-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1352-5-0x0000000074940000-0x000000007502E000-memory.dmp

Filesize
6.9MB

Download
memory/1352-20-0x0000000005CB0000-0x0000000005CF8000-memory.dmp

Filesize
288KB

Download
memory/1352-19-0x0000000004BD0000-0x0000000004BD6000-memory.dmp

Filesize
24KB

Download
memory/1352-6-0x0000000005EB0000-0x0000000005F54000-memory.dmp

Filesize
656KB

Download
memory/1352-0-0x000000007494E000-0x000000007494F000-memory.dmp

Filesize
4KB

Download
memory/1352-4-0x000000007494E000-0x000000007494F000-memory.dmp

Filesize
4KB

Download
memory/1352-3-0x0000000000860000-0x0000000000876000-memory.dmp

Filesize
88KB

Download
memory/1352-2-0x0000000074940000-0x000000007502E000-memory.dmp

Filesize
6.9MB

Download
memory/1352-1-0x0000000000C70000-0x0000000000D2E000-memory.dmp

Filesize
760KB

Download
memory/1352-40-0x0000000074940000-0x000000007502E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads