netwire | 8119fc6da4305f331fc904adfca9e221d26bd607a53e35dbeede7e379b051f20

Analysis

max time kernel
145s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
26-06-2024 15:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

126a93893a231d0d04d51c062ffacb24_JaffaCakes118.exe
Size

620KB
MD5

126a93893a231d0d04d51c062ffacb24
SHA1

2dc7626161923496e1161321564649de8a505462
SHA256

8119fc6da4305f331fc904adfca9e221d26bd607a53e35dbeede7e379b051f20
SHA512

7ead5d82543478d48820429fa78a6b47c4b96f9a081d6599bc7f47208acc73dee20b97345f971b7298642fb4104d90eb8a660cbdc8f592449410cba459d46715
SSDEEP

6144:jIgLd7M38csN+OepKstohqNuPSzjRfXfqSicv2oJ04YIEr7rwdaJ:JNMJzpWhYvRfXiSicbJ0d7rco

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Extracted

Family

netwire

Wealthybond.ddns.me:39560

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
uElWAoFe
offline_keylogger
true
password
sucess
registry_autorun
false
use_mutex
true

Signatures

NetWire RAT payload 1 IoCs
rat

Processes:

resource yara_rule

behavioral2/memory/1928-31-0x0000000000400000-0x000000000049D000-memory.dmp netwire
Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

126a93893a231d0d04d51c062ffacb24_JaffaCakes118.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation 126a93893a231d0d04d51c062ffacb24_JaffaCakes118.exe
Executes dropped EXE 2 IoCs

Processes:

Elektroteknikkerne3.exeElektroteknikkerne3.exe

pid process

1036 Elektroteknikkerne3.exe
1928 Elektroteknikkerne3.exe

resource	yara_rule
behavioral2/memory/1928-31-0x0000000000400000-0x000000000049D000-memory.dmp	netwire

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	126a93893a231d0d04d51c062ffacb24_JaffaCakes118.exe

pid	process
1036	Elektroteknikkerne3.exe
1928	Elektroteknikkerne3.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Elektroteknikkerne3.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Fejdendes = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\Elektroteknikkerne3.vbs\""	Elektroteknikkerne3.exe

Drops file in Windows directory 4 IoCs

Processes:

126a93893a231d0d04d51c062ffacb24_JaffaCakes118.exe126a93893a231d0d04d51c062ffacb24_JaffaCakes118.exeElektroteknikkerne3.exeElektroteknikkerne3.exe

description	ioc	process
File opened for modification	C:\Windows\win.ini	126a93893a231d0d04d51c062ffacb24_JaffaCakes118.exe
File opened for modification	C:\Windows\win.ini	126a93893a231d0d04d51c062ffacb24_JaffaCakes118.exe
File opened for modification	C:\Windows\win.ini	Elektroteknikkerne3.exe
File opened for modification	C:\Windows\win.ini	Elektroteknikkerne3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 8 IoCs

Processes:

126a93893a231d0d04d51c062ffacb24_JaffaCakes118.exe126a93893a231d0d04d51c062ffacb24_JaffaCakes118.exeElektroteknikkerne3.exeElektroteknikkerne3.exe

pid	process
1380	126a93893a231d0d04d51c062ffacb24_JaffaCakes118.exe
1380	126a93893a231d0d04d51c062ffacb24_JaffaCakes118.exe
2736	126a93893a231d0d04d51c062ffacb24_JaffaCakes118.exe
2736	126a93893a231d0d04d51c062ffacb24_JaffaCakes118.exe
1036	Elektroteknikkerne3.exe
1036	Elektroteknikkerne3.exe
1928	Elektroteknikkerne3.exe
1928	Elektroteknikkerne3.exe

Suspicious use of SendNotifyMessage 8 IoCs

Processes:

126a93893a231d0d04d51c062ffacb24_JaffaCakes118.exe126a93893a231d0d04d51c062ffacb24_JaffaCakes118.exeElektroteknikkerne3.exeElektroteknikkerne3.exe

pid	process
1380	126a93893a231d0d04d51c062ffacb24_JaffaCakes118.exe
1380	126a93893a231d0d04d51c062ffacb24_JaffaCakes118.exe
2736	126a93893a231d0d04d51c062ffacb24_JaffaCakes118.exe
2736	126a93893a231d0d04d51c062ffacb24_JaffaCakes118.exe
1036	Elektroteknikkerne3.exe
1036	Elektroteknikkerne3.exe
1928	Elektroteknikkerne3.exe
1928	Elektroteknikkerne3.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

126a93893a231d0d04d51c062ffacb24_JaffaCakes118.exe126a93893a231d0d04d51c062ffacb24_JaffaCakes118.exeElektroteknikkerne3.exeElektroteknikkerne3.exe

pid process

1380 126a93893a231d0d04d51c062ffacb24_JaffaCakes118.exe
2736 126a93893a231d0d04d51c062ffacb24_JaffaCakes118.exe
1036 Elektroteknikkerne3.exe
1928 Elektroteknikkerne3.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

126a93893a231d0d04d51c062ffacb24_JaffaCakes118.exe126a93893a231d0d04d51c062ffacb24_JaffaCakes118.exeElektroteknikkerne3.exe

description	pid	process	target process
PID 1380 wrote to memory of 2736	1380	126a93893a231d0d04d51c062ffacb24_JaffaCakes118.exe	126a93893a231d0d04d51c062ffacb24_JaffaCakes118.exe
PID 1380 wrote to memory of 2736	1380	126a93893a231d0d04d51c062ffacb24_JaffaCakes118.exe	126a93893a231d0d04d51c062ffacb24_JaffaCakes118.exe
PID 1380 wrote to memory of 2736	1380	126a93893a231d0d04d51c062ffacb24_JaffaCakes118.exe	126a93893a231d0d04d51c062ffacb24_JaffaCakes118.exe
PID 2736 wrote to memory of 1036	2736	126a93893a231d0d04d51c062ffacb24_JaffaCakes118.exe	Elektroteknikkerne3.exe
PID 2736 wrote to memory of 1036	2736	126a93893a231d0d04d51c062ffacb24_JaffaCakes118.exe	Elektroteknikkerne3.exe
PID 2736 wrote to memory of 1036	2736	126a93893a231d0d04d51c062ffacb24_JaffaCakes118.exe	Elektroteknikkerne3.exe
PID 1036 wrote to memory of 1928	1036	Elektroteknikkerne3.exe	Elektroteknikkerne3.exe
PID 1036 wrote to memory of 1928	1036	Elektroteknikkerne3.exe	Elektroteknikkerne3.exe
PID 1036 wrote to memory of 1928	1036	Elektroteknikkerne3.exe	Elektroteknikkerne3.exe

C:\Users\Admin\AppData\Local\Temp\126a93893a231d0d04d51c062ffacb24_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\126a93893a231d0d04d51c062ffacb24_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1380

C:\Users\Admin\AppData\Local\Temp\126a93893a231d0d04d51c062ffacb24_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\126a93893a231d0d04d51c062ffacb24_JaffaCakes118.exe"
2⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2736

C:\Users\Admin\AppData\Local\Temp\Elektroteknikkerne3.exe
"C:\Users\Admin\AppData\Local\Temp\Elektroteknikkerne3.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1036

C:\Users\Admin\AppData\Local\Temp\Elektroteknikkerne3.exe
"C:\Users\Admin\AppData\Local\Temp\Elektroteknikkerne3.exe"
4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1928

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4020,i,13544508926340531097,6671217806016090640,262144 --variations-seed-version --mojo-platform-channel-handle=3984 /prefetch:8
1⤵
PID:1184

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Elektroteknikkerne3.exe
Filesize
620KB

MD5
c8b740d5083715048f6ec93a3fdc627c

SHA1
754919550bdd0d8c911e2a8f064a474d0cdeb457

SHA256
7cc46b7baca763d9a1ec051befb75e5d2e6e30aeffd76613d149e6ccb6f9e42b

SHA512
9ca26f1f9f716320792804152eda11c17f85f55fbb02fea7f074415d72c87795dbb34ecc3944042f1597c5c64b3da4c19f30c123d24d9ddee01c772f5d2d366e

Download Submit
C:\Windows\win.ini
Filesize
123B

MD5
6bf517432f65eb7f0d18d574bf14124c

SHA1
5b9f37c1dd1318ebbec3bd2f07c109eb9d22c727

SHA256
6e2b70dfccabf3cc651545676a3a566c9cfae03f15f772886646abce1da35b46

SHA512
7b0cb8c20034585ec8bf4b45eda5eda5993a56e24931a7426dc5a9f081ec1f82545f3e26a48a4df885c8691fc6e8026d0808aebe3cc3358ba85ddca08ac4cb06

Download Submit
memory/1380-3-0x00000000038E0000-0x00000000039E0000-memory.dmp

Filesize
1024KB

Download
memory/1380-4-0x0000000077481000-0x00000000775A1000-memory.dmp

Filesize
1.1MB

Download
memory/1928-31-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2736-11-0x0000000002C20000-0x0000000002D20000-memory.dmp

Filesize
1024KB

Download