netwire | 0784e638fe04e5cd4775531aacae4a7e200e0748a49407def7044017ec5939e8

Analysis

max time kernel
131s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
10-06-2024 15:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9b1e365aab7ce774ccf22cf671543129_JaffaCakes118.exe
Size

3.3MB
MD5

9b1e365aab7ce774ccf22cf671543129
SHA1

1aed28938e6b1945ac64314facb315d01e7e5519
SHA256

0784e638fe04e5cd4775531aacae4a7e200e0748a49407def7044017ec5939e8
SHA512

c8610e2caa2f548b2b00e33b18523c0e414dce832b70fe6572288f6b1f09f61b229600d7e1b65e3d7e91c4c610dcb3e48a6394c82522c95deb9233d44f94530f
SSDEEP

49152:Ih+ZkldoPK8YaFsJha/KoHO9VG4xb4sd8t8S/aVg/3Vrtge4Ky+bZSZKyVto3aN:p2cPK8Ko7J4/d8tZ8g/D94KyVZZB9za

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Extracted

Family

netwire

clients.enigmasolutions.xyz:54578

Attributes

activex_autorun
false
copy_executable
true
delete_original
false
host_id
Office-%Rand%
install_path
%AppData%\Microsoft\Crypto\fers.exe
keylogger_dir
%AppData%\msr\
lock_executable
false
offline_keylogger
true
password
\tx>N(6H`Om2k/cWJBp,""bUbAd1-0Mg
registry_autorun
true
startup_name
fers
use_mutex
false

Signatures

NetWire RAT payload 7 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1592-11-0x0000000003AA0000-0x0000000003B06000-memory.dmp	netwire
behavioral2/memory/1592-12-0x0000000003AA0000-0x0000000003B06000-memory.dmp	netwire
behavioral2/memory/5084-15-0x0000000000C40000-0x0000000000C70000-memory.dmp	netwire
behavioral2/memory/5084-14-0x0000000000C40000-0x0000000000C70000-memory.dmp	netwire
behavioral2/memory/1592-18-0x0000000003AA0000-0x0000000003B06000-memory.dmp	netwire
behavioral2/memory/4156-42-0x0000000000F10000-0x0000000000F40000-memory.dmp	netwire
behavioral2/memory/4156-44-0x0000000000F10000-0x0000000000F40000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

9b1e365aab7ce774ccf22cf671543129_JaffaCakes118.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation 9b1e365aab7ce774ccf22cf671543129_JaffaCakes118.exe
Executes dropped EXE 2 IoCs

Processes:

fers.exefers.exe

pid process

5080 fers.exe
4156 fers.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	9b1e365aab7ce774ccf22cf671543129_JaffaCakes118.exe

pid	process
5080	fers.exe
4156	fers.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

fers.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fers = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\fers.exe"	fers.exe

AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.

Processes:

resource yara_rule

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\fers.exe autoit_exe

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\fers.exe	autoit_exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

9b1e365aab7ce774ccf22cf671543129_JaffaCakes118.exefers.exe

description	pid	process	target process
PID 1592 set thread context of 5084	1592	9b1e365aab7ce774ccf22cf671543129_JaffaCakes118.exe	9b1e365aab7ce774ccf22cf671543129_JaffaCakes118.exe
PID 5080 set thread context of 4156	5080	fers.exe	fers.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

9b1e365aab7ce774ccf22cf671543129_JaffaCakes118.exe9b1e365aab7ce774ccf22cf671543129_JaffaCakes118.exefers.exe

description	pid	process	target process
PID 1592 wrote to memory of 5084	1592	9b1e365aab7ce774ccf22cf671543129_JaffaCakes118.exe	9b1e365aab7ce774ccf22cf671543129_JaffaCakes118.exe
PID 1592 wrote to memory of 5084	1592	9b1e365aab7ce774ccf22cf671543129_JaffaCakes118.exe	9b1e365aab7ce774ccf22cf671543129_JaffaCakes118.exe
PID 1592 wrote to memory of 5084	1592	9b1e365aab7ce774ccf22cf671543129_JaffaCakes118.exe	9b1e365aab7ce774ccf22cf671543129_JaffaCakes118.exe
PID 1592 wrote to memory of 5084	1592	9b1e365aab7ce774ccf22cf671543129_JaffaCakes118.exe	9b1e365aab7ce774ccf22cf671543129_JaffaCakes118.exe
PID 1592 wrote to memory of 5084	1592	9b1e365aab7ce774ccf22cf671543129_JaffaCakes118.exe	9b1e365aab7ce774ccf22cf671543129_JaffaCakes118.exe
PID 5084 wrote to memory of 5080	5084	9b1e365aab7ce774ccf22cf671543129_JaffaCakes118.exe	fers.exe
PID 5084 wrote to memory of 5080	5084	9b1e365aab7ce774ccf22cf671543129_JaffaCakes118.exe	fers.exe
PID 5084 wrote to memory of 5080	5084	9b1e365aab7ce774ccf22cf671543129_JaffaCakes118.exe	fers.exe
PID 5080 wrote to memory of 4156	5080	fers.exe	fers.exe
PID 5080 wrote to memory of 4156	5080	fers.exe	fers.exe
PID 5080 wrote to memory of 4156	5080	fers.exe	fers.exe
PID 5080 wrote to memory of 4156	5080	fers.exe	fers.exe
PID 5080 wrote to memory of 4156	5080	fers.exe	fers.exe

C:\Users\Admin\AppData\Local\Temp\9b1e365aab7ce774ccf22cf671543129_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9b1e365aab7ce774ccf22cf671543129_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1592

C:\Users\Admin\AppData\Local\Temp\9b1e365aab7ce774ccf22cf671543129_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\9b1e365aab7ce774ccf22cf671543129_JaffaCakes118.exe
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5084

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\fers.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\fers.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5080

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\fers.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\fers.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4156

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aut3F89.tmp
Filesize
395KB

MD5
9e363c345d2acd93bb1bde7842ce3f0a

SHA1
6372c573b867b8352729fa8ecba7b7eac4be16fd

SHA256
dab9341a1028e06c038ad40853b8cb060bae97fb635c5b9a8d0e35e740364bc6

SHA512
23dde3ce7ef9424a4fbbc6210ce5fc139322ac5e4cba0878b062e34da33dd619c2481e02b2aa46f35cef4b4cc12883ca74080d4f62e402328d08563664168ba5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\fers.exe
Filesize
3.3MB

MD5
9b1e365aab7ce774ccf22cf671543129

SHA1
1aed28938e6b1945ac64314facb315d01e7e5519

SHA256
0784e638fe04e5cd4775531aacae4a7e200e0748a49407def7044017ec5939e8

SHA512
c8610e2caa2f548b2b00e33b18523c0e414dce832b70fe6572288f6b1f09f61b229600d7e1b65e3d7e91c4c610dcb3e48a6394c82522c95deb9233d44f94530f

Download Submit
memory/1592-12-0x0000000003AA0000-0x0000000003B06000-memory.dmp

Filesize
408KB

Download
memory/1592-9-0x0000000003AA0000-0x0000000003B06000-memory.dmp

Filesize
408KB

Download
memory/1592-10-0x0000000003AA0000-0x0000000003B06000-memory.dmp

Filesize
408KB

Download
memory/1592-11-0x0000000003AA0000-0x0000000003B06000-memory.dmp

Filesize
408KB

Download
memory/1592-8-0x0000000003AA0000-0x0000000003B06000-memory.dmp

Filesize
408KB

Download
memory/1592-13-0x0000000076FF8000-0x0000000076FF9000-memory.dmp

Filesize
4KB

Download
memory/1592-18-0x0000000003AA0000-0x0000000003B06000-memory.dmp

Filesize
408KB

Download
memory/1592-7-0x0000000003AA0000-0x0000000003B06000-memory.dmp

Filesize
408KB

Download
memory/4156-42-0x0000000000F10000-0x0000000000F40000-memory.dmp

Filesize
192KB

Download
memory/4156-44-0x0000000000F10000-0x0000000000F40000-memory.dmp

Filesize
192KB

Download
memory/5084-15-0x0000000000C40000-0x0000000000C70000-memory.dmp

Filesize
192KB

Download
memory/5084-14-0x0000000000C40000-0x0000000000C70000-memory.dmp

Filesize
192KB

Download