netwire | f3287a6edd21a00a2b5c85cdf0dd9917567dea86fc2eed207f2fa63e19d7b27f

Analysis

max time kernel
143s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28-05-2024 16:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7d9bb96b136079089c40410575d02edb_JaffaCakes118.exe
Size

443KB
MD5

7d9bb96b136079089c40410575d02edb
SHA1

189f477ab2fd0129254543c1b141b9c2b38a138b
SHA256

f3287a6edd21a00a2b5c85cdf0dd9917567dea86fc2eed207f2fa63e19d7b27f
SHA512

ce82415b7fc877a2cb1485fa7f4caf1ed01daf07ce062b18736cef3fad93e256c4a8da282a10c2805e8615e587b479f3de13099d217457324df24a2d534060ad
SSDEEP

12288:pmPZVKvYtrdi9aDZSmlTb9blmRWwK/gH6quir:0PiqZkoTlf9dgHfuir

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Extracted

Family

netwire

chriswork999.ddns.net:3366

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
19032020
lock_executable
false
offline_keylogger
false
password
Password
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4620-9-0x0000000000400000-0x0000000000430000-memory.dmp	netwire
behavioral2/memory/4620-13-0x0000000000400000-0x0000000000430000-memory.dmp	netwire
behavioral2/memory/4620-15-0x0000000000400000-0x0000000000430000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

7d9bb96b136079089c40410575d02edb_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HkmdR = "C:\\OAILVCNY\\HkmdRv\\HkmdRvqvl.vbs"	7d9bb96b136079089c40410575d02edb_JaffaCakes118.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

7d9bb96b136079089c40410575d02edb_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	7d9bb96b136079089c40410575d02edb_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	7d9bb96b136079089c40410575d02edb_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

7d9bb96b136079089c40410575d02edb_JaffaCakes118.exe

description pid process target process

PID 452 set thread context of 4620 452 7d9bb96b136079089c40410575d02edb_JaffaCakes118.exe RegSvcs.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

7d9bb96b136079089c40410575d02edb_JaffaCakes118.exe

pid process

452 7d9bb96b136079089c40410575d02edb_JaffaCakes118.exe

description	pid	process	target process
PID 452 set thread context of 4620	452	7d9bb96b136079089c40410575d02edb_JaffaCakes118.exe	RegSvcs.exe

pid	process
452	7d9bb96b136079089c40410575d02edb_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

7d9bb96b136079089c40410575d02edb_JaffaCakes118.exe

description	pid	process	target process
PID 452 wrote to memory of 4620	452	7d9bb96b136079089c40410575d02edb_JaffaCakes118.exe	RegSvcs.exe
PID 452 wrote to memory of 4620	452	7d9bb96b136079089c40410575d02edb_JaffaCakes118.exe	RegSvcs.exe
PID 452 wrote to memory of 4620	452	7d9bb96b136079089c40410575d02edb_JaffaCakes118.exe	RegSvcs.exe
PID 452 wrote to memory of 4620	452	7d9bb96b136079089c40410575d02edb_JaffaCakes118.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\7d9bb96b136079089c40410575d02edb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7d9bb96b136079089c40410575d02edb_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:452

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\RegSvcs.exe"
2⤵
PID:4620

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4456 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:8
1⤵
PID:716

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

memory/452-0-0x00000000747DE000-0x00000000747DF000-memory.dmp

Filesize
4KB

Download
memory/452-1-0x0000000000C90000-0x0000000000D04000-memory.dmp

Filesize
464KB

Download
memory/452-2-0x00000000747D0000-0x0000000074F80000-memory.dmp

Filesize
7.7MB

Download
memory/452-3-0x00000000030C0000-0x00000000030F8000-memory.dmp

Filesize
224KB

Download
memory/452-4-0x0000000005D20000-0x00000000062C4000-memory.dmp

Filesize
5.6MB

Download
memory/452-5-0x00000000747DE000-0x00000000747DF000-memory.dmp

Filesize
4KB

Download
memory/452-6-0x00000000747D0000-0x0000000074F80000-memory.dmp

Filesize
7.7MB

Download
memory/452-11-0x00000000747D0000-0x0000000074F80000-memory.dmp

Filesize
7.7MB

Download
memory/452-14-0x00000000747D0000-0x0000000074F80000-memory.dmp

Filesize
7.7MB

Download
memory/4620-9-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4620-13-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4620-15-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download