netwire | 803dc81402a006f1fda602075b961b7b5e01ada4db28828c53630ab3df55471e

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-06-2024 04:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

803dc81402a006f1fda602075b961b7b5e01ada4db28828c53630ab3df55471e_NeikiAnalytics.exe
Size

1.3MB
MD5

c191ec2547ef0cb69dcabf8d9786fd40
SHA1

67c32cfe6cf14609c5b28523a7d700e7570c0900
SHA256

803dc81402a006f1fda602075b961b7b5e01ada4db28828c53630ab3df55471e
SHA512

1b9d589a94b23f1e3d98b1f69d3e3b6b4b58d8b4a263ba89e4fe01bc290b3a3f6157db4989f56997cc7839c7845549ac55d6ef568a3c078f51c6df21f7fe213f
SSDEEP

24576:Ku6J33O0c+JY5UZ+XC0kGso6Fa720W4njUprvVcC1f2o5RRfgUWYT:8u0c++OCvkGs9Fa+rd1f26RaYT

Score

10^/10

netwire warzonerat botnet infostealer rat stealer

Malware Config

Extracted

Family

netwire

Wealthy2019.com.strangled.net:20190

wealthyme.ddns.net:20190

Attributes

activex_autorun
false
copy_executable
true
delete_original
false
host_id
sunshineslisa
install_path
%AppData%\Imgburn\Host.exe
keylogger_dir
%AppData%\Logs\Imgburn\
lock_executable
false
offline_keylogger
true
password
sucess
registry_autorun
false
use_mutex
false

Extracted

Family

warzonerat

wealth.warzonedns.com:5202

Signatures

NetWire RAT payload 9 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Blasthost.exe	netwire
behavioral2/memory/4724-10-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/4508-26-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/4508-27-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe	netwire
behavioral2/memory/1424-51-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/1424-55-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/4748-77-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/4748-80-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 6 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1176-13-0x0000000000750000-0x000000000076D000-memory.dmp	warzonerat
behavioral2/memory/1176-22-0x0000000000750000-0x000000000076D000-memory.dmp	warzonerat
behavioral2/memory/2748-38-0x00000000000D0000-0x00000000000ED000-memory.dmp	warzonerat
behavioral2/memory/2748-46-0x00000000000D0000-0x00000000000ED000-memory.dmp	warzonerat
behavioral2/memory/1408-63-0x0000000000400000-0x000000000041D000-memory.dmp	warzonerat
behavioral2/memory/1408-71-0x0000000000400000-0x000000000041D000-memory.dmp	warzonerat

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

803dc81402a006f1fda602075b961b7b5e01ada4db28828c53630ab3df55471e_NeikiAnalytics.exeRtDCpl64.exeRtDCpl64.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	803dc81402a006f1fda602075b961b7b5e01ada4db28828c53630ab3df55471e_NeikiAnalytics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	RtDCpl64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	RtDCpl64.exe

Executes dropped EXE 8 IoCs

Processes:

Blasthost.exeHost.exeRtDCpl64.exeBlasthost.exeRtDCpl64.exeRtDCpl64.exeBlasthost.exeRtDCpl64.exe

pid process

4724 Blasthost.exe
4508 Host.exe
3244 RtDCpl64.exe
1424 Blasthost.exe
2748 RtDCpl64.exe
1136 RtDCpl64.exe
4748 Blasthost.exe
1408 RtDCpl64.exe
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.

Processes:

resource yara_rule

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe autoit_exe

pid	process
4724	Blasthost.exe
4508	Host.exe
3244	RtDCpl64.exe
1424	Blasthost.exe
2748	RtDCpl64.exe
1136	RtDCpl64.exe
4748	Blasthost.exe
1408	RtDCpl64.exe

resource	yara_rule
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe	autoit_exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

803dc81402a006f1fda602075b961b7b5e01ada4db28828c53630ab3df55471e_NeikiAnalytics.exeRtDCpl64.exeRtDCpl64.exe

description	pid	process	target process
PID 2768 set thread context of 1176	2768	803dc81402a006f1fda602075b961b7b5e01ada4db28828c53630ab3df55471e_NeikiAnalytics.exe	803dc81402a006f1fda602075b961b7b5e01ada4db28828c53630ab3df55471e_NeikiAnalytics.exe
PID 3244 set thread context of 2748	3244	RtDCpl64.exe	RtDCpl64.exe
PID 1136 set thread context of 1408	1136	RtDCpl64.exe	RtDCpl64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

4980 schtasks.exe
4776 schtasks.exe
2920 schtasks.exe

pid	process
4980	schtasks.exe
4776	schtasks.exe
2920	schtasks.exe

Suspicious use of WriteProcessMemory 51 IoCs

Processes:

803dc81402a006f1fda602075b961b7b5e01ada4db28828c53630ab3df55471e_NeikiAnalytics.exeBlasthost.exe803dc81402a006f1fda602075b961b7b5e01ada4db28828c53630ab3df55471e_NeikiAnalytics.exeRtDCpl64.exeRtDCpl64.exeRtDCpl64.exeRtDCpl64.exe

description	pid	process	target process
PID 2768 wrote to memory of 4724	2768	803dc81402a006f1fda602075b961b7b5e01ada4db28828c53630ab3df55471e_NeikiAnalytics.exe	Blasthost.exe
PID 2768 wrote to memory of 4724	2768	803dc81402a006f1fda602075b961b7b5e01ada4db28828c53630ab3df55471e_NeikiAnalytics.exe	Blasthost.exe
PID 2768 wrote to memory of 4724	2768	803dc81402a006f1fda602075b961b7b5e01ada4db28828c53630ab3df55471e_NeikiAnalytics.exe	Blasthost.exe
PID 4724 wrote to memory of 4508	4724	Blasthost.exe	Host.exe
PID 4724 wrote to memory of 4508	4724	Blasthost.exe	Host.exe
PID 4724 wrote to memory of 4508	4724	Blasthost.exe	Host.exe
PID 2768 wrote to memory of 1176	2768	803dc81402a006f1fda602075b961b7b5e01ada4db28828c53630ab3df55471e_NeikiAnalytics.exe	803dc81402a006f1fda602075b961b7b5e01ada4db28828c53630ab3df55471e_NeikiAnalytics.exe
PID 2768 wrote to memory of 1176	2768	803dc81402a006f1fda602075b961b7b5e01ada4db28828c53630ab3df55471e_NeikiAnalytics.exe	803dc81402a006f1fda602075b961b7b5e01ada4db28828c53630ab3df55471e_NeikiAnalytics.exe
PID 2768 wrote to memory of 1176	2768	803dc81402a006f1fda602075b961b7b5e01ada4db28828c53630ab3df55471e_NeikiAnalytics.exe	803dc81402a006f1fda602075b961b7b5e01ada4db28828c53630ab3df55471e_NeikiAnalytics.exe
PID 2768 wrote to memory of 1176	2768	803dc81402a006f1fda602075b961b7b5e01ada4db28828c53630ab3df55471e_NeikiAnalytics.exe	803dc81402a006f1fda602075b961b7b5e01ada4db28828c53630ab3df55471e_NeikiAnalytics.exe
PID 2768 wrote to memory of 1176	2768	803dc81402a006f1fda602075b961b7b5e01ada4db28828c53630ab3df55471e_NeikiAnalytics.exe	803dc81402a006f1fda602075b961b7b5e01ada4db28828c53630ab3df55471e_NeikiAnalytics.exe
PID 1176 wrote to memory of 688	1176	803dc81402a006f1fda602075b961b7b5e01ada4db28828c53630ab3df55471e_NeikiAnalytics.exe	cmd.exe
PID 1176 wrote to memory of 688	1176	803dc81402a006f1fda602075b961b7b5e01ada4db28828c53630ab3df55471e_NeikiAnalytics.exe	cmd.exe
PID 1176 wrote to memory of 688	1176	803dc81402a006f1fda602075b961b7b5e01ada4db28828c53630ab3df55471e_NeikiAnalytics.exe	cmd.exe
PID 2768 wrote to memory of 4980	2768	803dc81402a006f1fda602075b961b7b5e01ada4db28828c53630ab3df55471e_NeikiAnalytics.exe	schtasks.exe
PID 2768 wrote to memory of 4980	2768	803dc81402a006f1fda602075b961b7b5e01ada4db28828c53630ab3df55471e_NeikiAnalytics.exe	schtasks.exe
PID 2768 wrote to memory of 4980	2768	803dc81402a006f1fda602075b961b7b5e01ada4db28828c53630ab3df55471e_NeikiAnalytics.exe	schtasks.exe
PID 1176 wrote to memory of 688	1176	803dc81402a006f1fda602075b961b7b5e01ada4db28828c53630ab3df55471e_NeikiAnalytics.exe	cmd.exe
PID 1176 wrote to memory of 688	1176	803dc81402a006f1fda602075b961b7b5e01ada4db28828c53630ab3df55471e_NeikiAnalytics.exe	cmd.exe
PID 3244 wrote to memory of 1424	3244	RtDCpl64.exe	Blasthost.exe
PID 3244 wrote to memory of 1424	3244	RtDCpl64.exe	Blasthost.exe
PID 3244 wrote to memory of 1424	3244	RtDCpl64.exe	Blasthost.exe
PID 3244 wrote to memory of 2748	3244	RtDCpl64.exe	RtDCpl64.exe
PID 3244 wrote to memory of 2748	3244	RtDCpl64.exe	RtDCpl64.exe
PID 3244 wrote to memory of 2748	3244	RtDCpl64.exe	RtDCpl64.exe
PID 3244 wrote to memory of 2748	3244	RtDCpl64.exe	RtDCpl64.exe
PID 3244 wrote to memory of 2748	3244	RtDCpl64.exe	RtDCpl64.exe
PID 2748 wrote to memory of 2764	2748	RtDCpl64.exe	cmd.exe
PID 2748 wrote to memory of 2764	2748	RtDCpl64.exe	cmd.exe
PID 2748 wrote to memory of 2764	2748	RtDCpl64.exe	cmd.exe
PID 3244 wrote to memory of 4776	3244	RtDCpl64.exe	schtasks.exe
PID 3244 wrote to memory of 4776	3244	RtDCpl64.exe	schtasks.exe
PID 3244 wrote to memory of 4776	3244	RtDCpl64.exe	schtasks.exe
PID 2748 wrote to memory of 2764	2748	RtDCpl64.exe	cmd.exe
PID 2748 wrote to memory of 2764	2748	RtDCpl64.exe	cmd.exe
PID 1136 wrote to memory of 4748	1136	RtDCpl64.exe	Blasthost.exe
PID 1136 wrote to memory of 4748	1136	RtDCpl64.exe	Blasthost.exe
PID 1136 wrote to memory of 4748	1136	RtDCpl64.exe	Blasthost.exe
PID 1136 wrote to memory of 1408	1136	RtDCpl64.exe	RtDCpl64.exe
PID 1136 wrote to memory of 1408	1136	RtDCpl64.exe	RtDCpl64.exe
PID 1136 wrote to memory of 1408	1136	RtDCpl64.exe	RtDCpl64.exe
PID 1136 wrote to memory of 1408	1136	RtDCpl64.exe	RtDCpl64.exe
PID 1136 wrote to memory of 1408	1136	RtDCpl64.exe	RtDCpl64.exe
PID 1136 wrote to memory of 2920	1136	RtDCpl64.exe	schtasks.exe
PID 1136 wrote to memory of 2920	1136	RtDCpl64.exe	schtasks.exe
PID 1136 wrote to memory of 2920	1136	RtDCpl64.exe	schtasks.exe
PID 1408 wrote to memory of 3776	1408	RtDCpl64.exe	cmd.exe
PID 1408 wrote to memory of 3776	1408	RtDCpl64.exe	cmd.exe
PID 1408 wrote to memory of 3776	1408	RtDCpl64.exe	cmd.exe
PID 1408 wrote to memory of 3776	1408	RtDCpl64.exe	cmd.exe
PID 1408 wrote to memory of 3776	1408	RtDCpl64.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\803dc81402a006f1fda602075b961b7b5e01ada4db28828c53630ab3df55471e_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\803dc81402a006f1fda602075b961b7b5e01ada4db28828c53630ab3df55471e_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2768

C:\Users\Admin\AppData\Roaming\Blasthost.exe
"C:\Users\Admin\AppData\Roaming\Blasthost.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4724

C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
"C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe"
3⤵
- Executes dropped EXE
PID:4508

C:\Users\Admin\AppData\Local\Temp\803dc81402a006f1fda602075b961b7b5e01ada4db28828c53630ab3df55471e_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\803dc81402a006f1fda602075b961b7b5e01ada4db28828c53630ab3df55471e_NeikiAnalytics.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1176

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:688

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
2⤵
- Scheduled Task/Job: Scheduled Task
PID:4980

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3244

C:\Users\Admin\AppData\Roaming\Blasthost.exe
"C:\Users\Admin\AppData\Roaming\Blasthost.exe"
2⤵
- Executes dropped EXE
PID:1424

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
"C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2748

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:2764

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
2⤵
- Scheduled Task/Job: Scheduled Task
PID:4776

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1136

C:\Users\Admin\AppData\Roaming\Blasthost.exe
"C:\Users\Admin\AppData\Roaming\Blasthost.exe"
2⤵
- Executes dropped EXE
PID:4748

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
"C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1408

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:3776

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
2⤵
- Scheduled Task/Job: Scheduled Task
PID:2920

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Blasthost.exe
Filesize
132KB

MD5
6087bf6af59b9c531f2c9bb421d5e902

SHA1
8bc0f1596c986179b82585c703bacae6d2a00316

SHA256
3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c

SHA512
c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

Download Submit
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
Filesize
1.3MB

MD5
c9df537fb7217a8f24f5f60cef619623

SHA1
b0c4d57325703e6d87e97955011e89f9c9b371af

SHA256
0a2054e28c130d7f14cb82dcc0e2340d108f4a153b3209af7426094cca2550aa

SHA512
6814c72dd9dab2362b9caadcdce373da65b8d4065595e150054e42f0db1cac4625e1242ebd269b99681eb9d9ce86d86546af46104bdd289f7f6df9beab4d1afc

Download Submit
memory/688-24-0x00000000004B0000-0x00000000004B1000-memory.dmp

Filesize
4KB

Download
memory/1176-22-0x0000000000750000-0x000000000076D000-memory.dmp

Filesize
116KB

Download
memory/1176-13-0x0000000000750000-0x000000000076D000-memory.dmp

Filesize
116KB

Download
memory/1408-71-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1408-63-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1424-51-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1424-55-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2748-46-0x00000000000D0000-0x00000000000ED000-memory.dmp

Filesize
116KB

Download
memory/2748-38-0x00000000000D0000-0x00000000000ED000-memory.dmp

Filesize
116KB

Download
memory/2764-47-0x00000000007F0000-0x00000000007F1000-memory.dmp

Filesize
4KB

Download
memory/2768-21-0x00000000046A0000-0x00000000046A1000-memory.dmp

Filesize
4KB

Download
memory/3776-73-0x0000000000DF0000-0x0000000000DF1000-memory.dmp

Filesize
4KB

Download
memory/4508-27-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4508-26-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4724-10-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4748-77-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4748-80-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download