netwire | 5e6936004864f0ea2ca948645cf3a73610b08b61e28dd9dd9abd37c3a7097df2

Analysis

max time kernel
145s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
13-06-2024 21:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a6b3b195fc729456c47573cc58f7b420_JaffaCakes118.exe
Size

160KB
MD5

a6b3b195fc729456c47573cc58f7b420
SHA1

1a388ba57f09225eed3a4fed6a9a9b8b7f16bcfd
SHA256

5e6936004864f0ea2ca948645cf3a73610b08b61e28dd9dd9abd37c3a7097df2
SHA512

eec3a6e00461fd8f7293522df11a018daffd4d3716e35c2448743e7169b73d798dfbf4a82b8edc896df1a29653cfcad218dbb1048457b6c3eaed7cb127d2ff11
SSDEEP

3072:aKZFby2LWGwwgtkpmOgUkimSGX1sz3+l3dfd1:Dby2yGwwgtQmOgUkiDGX1sL+lNl

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Extracted

Family

netwire

rop-s.ru:3360

Attributes

activex_autorun
true
activex_key
{12VT1G0W-4N37-8VXY-40Y3-HP5QCF1KT4P3}
copy_executable
true
delete_original
false
host_id
HostId-%Rand%
install_path
%AppData%\microsofts\iexplore.exe
keylogger_dir
%AppData%\microsofts\Logs\
lock_executable
false
mutex
fortune
offline_keylogger
true
password
fortune
registry_autorun
true
startup_name
iexplore
use_mutex
true

Signatures

NetWire RAT payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1404-12-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral2/memory/1404-15-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral2/memory/1404-19-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral2/memory/2940-39-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral2/memory/2940-40-0x0000000000400000-0x000000000041E000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{12VT1G0W-4N37-8VXY-40Y3-HP5QCF1KT4P3}	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{12VT1G0W-4N37-8VXY-40Y3-HP5QCF1KT4P3}\StubPath = "\"C:\\Users\\Admin\\AppData\\Roaming\\microsofts\\iexplore.exe\""	iexplore.exe

Executes dropped EXE 2 IoCs

Processes:

iexplore.exeiexplore.exe

pid process

1436 iexplore.exe
2940 iexplore.exe

pid	process
1436	iexplore.exe
2940	iexplore.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iexplore = "C:\\Users\\Admin\\AppData\\Roaming\\microsofts\\iexplore.exe"	iexplore.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

a6b3b195fc729456c47573cc58f7b420_JaffaCakes118.exeiexplore.exe

description	pid	process	target process
PID 4020 set thread context of 1404	4020	a6b3b195fc729456c47573cc58f7b420_JaffaCakes118.exe	a6b3b195fc729456c47573cc58f7b420_JaffaCakes118.exe
PID 1436 set thread context of 2940	1436	iexplore.exe	iexplore.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

a6b3b195fc729456c47573cc58f7b420_JaffaCakes118.exeiexplore.exe

pid process

4020 a6b3b195fc729456c47573cc58f7b420_JaffaCakes118.exe
1436 iexplore.exe

pid	process
4020	a6b3b195fc729456c47573cc58f7b420_JaffaCakes118.exe
1436	iexplore.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

a6b3b195fc729456c47573cc58f7b420_JaffaCakes118.exea6b3b195fc729456c47573cc58f7b420_JaffaCakes118.exeiexplore.exe

description	pid	process	target process
PID 4020 wrote to memory of 1404	4020	a6b3b195fc729456c47573cc58f7b420_JaffaCakes118.exe	a6b3b195fc729456c47573cc58f7b420_JaffaCakes118.exe
PID 4020 wrote to memory of 1404	4020	a6b3b195fc729456c47573cc58f7b420_JaffaCakes118.exe	a6b3b195fc729456c47573cc58f7b420_JaffaCakes118.exe
PID 4020 wrote to memory of 1404	4020	a6b3b195fc729456c47573cc58f7b420_JaffaCakes118.exe	a6b3b195fc729456c47573cc58f7b420_JaffaCakes118.exe
PID 4020 wrote to memory of 1404	4020	a6b3b195fc729456c47573cc58f7b420_JaffaCakes118.exe	a6b3b195fc729456c47573cc58f7b420_JaffaCakes118.exe
PID 4020 wrote to memory of 1404	4020	a6b3b195fc729456c47573cc58f7b420_JaffaCakes118.exe	a6b3b195fc729456c47573cc58f7b420_JaffaCakes118.exe
PID 4020 wrote to memory of 1404	4020	a6b3b195fc729456c47573cc58f7b420_JaffaCakes118.exe	a6b3b195fc729456c47573cc58f7b420_JaffaCakes118.exe
PID 4020 wrote to memory of 1404	4020	a6b3b195fc729456c47573cc58f7b420_JaffaCakes118.exe	a6b3b195fc729456c47573cc58f7b420_JaffaCakes118.exe
PID 4020 wrote to memory of 1404	4020	a6b3b195fc729456c47573cc58f7b420_JaffaCakes118.exe	a6b3b195fc729456c47573cc58f7b420_JaffaCakes118.exe
PID 4020 wrote to memory of 1404	4020	a6b3b195fc729456c47573cc58f7b420_JaffaCakes118.exe	a6b3b195fc729456c47573cc58f7b420_JaffaCakes118.exe
PID 1404 wrote to memory of 1436	1404	a6b3b195fc729456c47573cc58f7b420_JaffaCakes118.exe	iexplore.exe
PID 1404 wrote to memory of 1436	1404	a6b3b195fc729456c47573cc58f7b420_JaffaCakes118.exe	iexplore.exe
PID 1404 wrote to memory of 1436	1404	a6b3b195fc729456c47573cc58f7b420_JaffaCakes118.exe	iexplore.exe
PID 1436 wrote to memory of 2940	1436	iexplore.exe	iexplore.exe
PID 1436 wrote to memory of 2940	1436	iexplore.exe	iexplore.exe
PID 1436 wrote to memory of 2940	1436	iexplore.exe	iexplore.exe
PID 1436 wrote to memory of 2940	1436	iexplore.exe	iexplore.exe
PID 1436 wrote to memory of 2940	1436	iexplore.exe	iexplore.exe
PID 1436 wrote to memory of 2940	1436	iexplore.exe	iexplore.exe
PID 1436 wrote to memory of 2940	1436	iexplore.exe	iexplore.exe
PID 1436 wrote to memory of 2940	1436	iexplore.exe	iexplore.exe
PID 1436 wrote to memory of 2940	1436	iexplore.exe	iexplore.exe

C:\Users\Admin\AppData\Local\Temp\a6b3b195fc729456c47573cc58f7b420_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a6b3b195fc729456c47573cc58f7b420_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4020

C:\Users\Admin\AppData\Local\Temp\a6b3b195fc729456c47573cc58f7b420_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a6b3b195fc729456c47573cc58f7b420_JaffaCakes118.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1404

C:\Users\Admin\AppData\Roaming\microsofts\iexplore.exe
"C:\Users\Admin\AppData\Roaming\microsofts\iexplore.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1436

C:\Users\Admin\AppData\Roaming\microsofts\iexplore.exe
"C:\Users\Admin\AppData\Roaming\microsofts\iexplore.exe"
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
PID:2940

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4200,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=4004 /prefetch:8
1⤵
PID:1540

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\microsofts\iexplore.exe
Filesize
160KB

MD5
a6b3b195fc729456c47573cc58f7b420

SHA1
1a388ba57f09225eed3a4fed6a9a9b8b7f16bcfd

SHA256
5e6936004864f0ea2ca948645cf3a73610b08b61e28dd9dd9abd37c3a7097df2

SHA512
eec3a6e00461fd8f7293522df11a018daffd4d3716e35c2448743e7169b73d798dfbf4a82b8edc896df1a29653cfcad218dbb1048457b6c3eaed7cb127d2ff11

Download Submit
memory/1404-12-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1404-15-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1404-19-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1436-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2940-39-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2940-40-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4020-7-0x00000000005F0000-0x00000000006F0000-memory.dmp

Filesize
1024KB

Download
memory/4020-6-0x00000000005F0000-0x00000000006F0000-memory.dmp

Filesize
1024KB

Download
memory/4020-5-0x00000000005F0000-0x00000000006F0000-memory.dmp

Filesize
1024KB

Download