netwire | e13b4c9650eb2f690fb8348ef33cf84539cf8aabc46be50224875224038f66fc

Analysis

max time kernel
143s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
15-06-2024 06:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Skan Potwierdzenia.PDF.exe
Size

128KB
MD5

14395ac904015c1ca1ccb42df80a1859
SHA1

781bcb5596fbcdaaa998ab77b4621c1000393fbd
SHA256

0c141c1fe62782cb78e70d7c57a7b7d07b26a93ee058d271ff7f2fe4c04bfef3
SHA512

a8a7c54725c7803ee4da2d7afcbdf52de21faa1567fa46545c4b3b20c4909d110fa7ee356a84d53554660ea32bdde7f7108b6071c7121c9c7ee9a6275cdd8274
SSDEEP

3072:AsiXMqGmeABs/iOQlQF0fZyq/pRPFQrQKO854:BiRGzDB8MEptaO24

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Extracted

Family

netwire

213.152.162.165:8747

109.202.107.15:8747

213.152.161.117:8747

213.152.161.229:8747

213.152.161.181:8747

37.233.101.73:5555

213.152.162.165:8733

213.152.161.117:8733

213.152.161.229:8733

213.152.161.165:8733

213.152.161.181:8733

Attributes

activex_autorun
true
activex_key
{N2P3036X-0CS1-AM05-7POW-541S3F314Q84}
copy_executable
true
delete_original
true
host_id
03.23
install_path
%AppData%\Install\Host.exe
keylogger_dir
%AppData%\Logs\
lock_executable
true
mutex
vvvbljPv
offline_keylogger
true
password
Mojekurwajebaneboty666
registry_autorun
true
startup_name
sys
use_mutex
true

Signatures

NetWire RAT payload 7 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/420-1-0x00000000006F0000-0x00000000007F0000-memory.dmp	netwire
behavioral2/memory/420-3-0x0000000000400000-0x0000000000420000-memory.dmp	netwire
behavioral2/memory/3180-10-0x0000000000400000-0x0000000000437000-memory.dmp	netwire
behavioral2/memory/420-11-0x0000000000400000-0x0000000000437000-memory.dmp	netwire
behavioral2/memory/420-12-0x0000000000400000-0x0000000000420000-memory.dmp	netwire
behavioral2/memory/3180-14-0x0000000000400000-0x0000000000437000-memory.dmp	netwire
behavioral2/memory/3180-24-0x0000000000400000-0x0000000000437000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Host.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{N2P3036X-0CS1-AM05-7POW-541S3F314Q84}	Host.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{N2P3036X-0CS1-AM05-7POW-541S3F314Q84}\StubPath = "\"C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe\""	Host.exe

Executes dropped EXE 1 IoCs

Processes:

Host.exe

pid process

3180 Host.exe

pid	process
3180	Host.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Host.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sys = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe"	Host.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4456 420 WerFault.exe Skan Potwierdzenia.PDF.exe

pid	pid_target	process	target process
4456	420	WerFault.exe	Skan Potwierdzenia.PDF.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

Skan Potwierdzenia.PDF.exe

description	pid	process	target process
PID 420 wrote to memory of 3180	420	Skan Potwierdzenia.PDF.exe	Host.exe
PID 420 wrote to memory of 3180	420	Skan Potwierdzenia.PDF.exe	Host.exe
PID 420 wrote to memory of 3180	420	Skan Potwierdzenia.PDF.exe	Host.exe

C:\Users\Admin\AppData\Local\Temp\Skan Potwierdzenia.PDF.exe
"C:\Users\Admin\AppData\Local\Temp\Skan Potwierdzenia.PDF.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:420

C:\Users\Admin\AppData\Roaming\Install\Host.exe
-m "C:\Users\Admin\AppData\Local\Temp\Skan Potwierdzenia.PDF.exe"
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
PID:3180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 420 -s 21096
2⤵
- Program crash
PID:4456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 420 -ip 420
1⤵
PID:4948

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
128KB

MD5
14395ac904015c1ca1ccb42df80a1859

SHA1
781bcb5596fbcdaaa998ab77b4621c1000393fbd

SHA256
0c141c1fe62782cb78e70d7c57a7b7d07b26a93ee058d271ff7f2fe4c04bfef3

SHA512
a8a7c54725c7803ee4da2d7afcbdf52de21faa1567fa46545c4b3b20c4909d110fa7ee356a84d53554660ea32bdde7f7108b6071c7121c9c7ee9a6275cdd8274

Download Submit
memory/420-1-0x00000000006F0000-0x00000000007F0000-memory.dmp

Filesize
1024KB

Download
memory/420-3-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/420-11-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/420-12-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3180-10-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3180-14-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3180-24-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download