netwire | 3946d499d81e8506b8291dc0bd13475397bbcd7cb6e2c7ea504c079c92b99f62

Analysis

max time kernel
146s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-06-2024 09:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3946d499d81e8506b8291dc0bd13475397bbcd7cb6e2c7ea504c079c92b99f62.exe
Size

296KB
MD5

37e922093d8a837b250e72cc87a664cd
SHA1

c4d06a2fc80bffbc6a64f92f95ffee02f92c6bb9
SHA256

3946d499d81e8506b8291dc0bd13475397bbcd7cb6e2c7ea504c079c92b99f62
SHA512

5d4a846504c138cf085c8967a1e9b384f0119ac82fecde311331ee577ffff646afbc61c279e1d81ae865df36931a01694bbd47245be4cdd55d821b53faed8510
SSDEEP

6144:9HCn0H5swF0lgr9QZHZEKvXBfPbFoG+ScHXg13JQ19PiTBqyT3O+hHVlQu120A:9iQswGgr9QZHZEKvRfPbFoZS2Xg13KiE

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Extracted

Family

netwire

37.252.120.122:3360

Attributes

activex_autorun
false
copy_executable
true
delete_original
false
host_id
HostId-%Rand%
install_path
%AppData%\Microsoft\Crypto\Office.exe
keylogger_dir
%AppData%\Microsoft\Crypto\Logs\
lock_executable
false
mutex
mJhcimNA
offline_keylogger
true
password
Password
registry_autorun
true
startup_name
Office
use_mutex
true

Signatures

NetWire RAT payload 1 IoCs
rat

Processes:

resource yara_rule

behavioral2/memory/408-4-0x0000000000400000-0x0000000000418000-memory.dmp netwire
Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

resource	yara_rule
behavioral2/memory/408-4-0x0000000000400000-0x0000000000418000-memory.dmp	netwire

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3946d499d81e8506b8291dc0bd13475397bbcd7cb6e2c7ea504c079c92b99f62.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	3946d499d81e8506b8291dc0bd13475397bbcd7cb6e2c7ea504c079c92b99f62.exe

Executes dropped EXE 1 IoCs

Processes:

Office.exe

pid process

1176 Office.exe

pid	process
1176	Office.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Office.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Office = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\Office.exe"	Office.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

3946d499d81e8506b8291dc0bd13475397bbcd7cb6e2c7ea504c079c92b99f62.exe

description	pid	process	target process
PID 408 wrote to memory of 1176	408	3946d499d81e8506b8291dc0bd13475397bbcd7cb6e2c7ea504c079c92b99f62.exe	Office.exe
PID 408 wrote to memory of 1176	408	3946d499d81e8506b8291dc0bd13475397bbcd7cb6e2c7ea504c079c92b99f62.exe	Office.exe
PID 408 wrote to memory of 1176	408	3946d499d81e8506b8291dc0bd13475397bbcd7cb6e2c7ea504c079c92b99f62.exe	Office.exe

C:\Users\Admin\AppData\Local\Temp\3946d499d81e8506b8291dc0bd13475397bbcd7cb6e2c7ea504c079c92b99f62.exe
"C:\Users\Admin\AppData\Local\Temp\3946d499d81e8506b8291dc0bd13475397bbcd7cb6e2c7ea504c079c92b99f62.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:408

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\Office.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\Office.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1176

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\Office.exe
Filesize
296KB

MD5
37e922093d8a837b250e72cc87a664cd

SHA1
c4d06a2fc80bffbc6a64f92f95ffee02f92c6bb9

SHA256
3946d499d81e8506b8291dc0bd13475397bbcd7cb6e2c7ea504c079c92b99f62

SHA512
5d4a846504c138cf085c8967a1e9b384f0119ac82fecde311331ee577ffff646afbc61c279e1d81ae865df36931a01694bbd47245be4cdd55d821b53faed8510

Download Submit
memory/408-0-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/408-1-0x0000000000520000-0x0000000000532000-memory.dmp

Filesize
72KB

Download
memory/408-4-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/408-3-0x0000000000420000-0x0000000000421000-memory.dmp

Filesize
4KB

Download
memory/1176-16-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1176-19-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1176-18-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1176-17-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1176-22-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1176-24-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1176-23-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download