| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | |
| Enterprise | T1010 | Application Window Discovery | NETWIRE can discover and close windows on controlled systems. |
| Enterprise | T1560 | Archive Collected Data | NETWIRE has the ability to compress archived screenshots. |
| Enterprise | T1560.003 | Archive Collected Data: Archive via Custom Method | NETWIRE has used a custom encryption algorithm to encrypt collected data. |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | NETWIRE creates a Registry start-up entry to establish persistence. |
| Enterprise | T1547.013 | Boot or Logon Autostart Execution: XDG Autostart Entries | NETWIRE can use XDG Autostart Entries to establish persistence. |
| Enterprise | T1547.015 | Boot or Logon Autostart Execution: Login Items | |
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | The NETWIRE binary has been executed via PowerShell script. |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | |
| Enterprise | T1059.004 | Command and Scripting Interpreter: Unix Shell | NETWIRE has the ability to use |
| Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | |
| Enterprise | T1543.001 | Create or Modify System Process: Launch Agent | |
| Enterprise | T1555 | Credentials from Password Stores | NETWIRE can retrieve passwords from messaging and mail client applications. |
| Enterprise | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | NETWIRE has the ability to steal credentials from web browsers including Internet Explorer, Opera, Yandex, and Chrome. |
| Enterprise | T1074.001 | Data Staged: Local Data Staging | NETWIRE has the ability to write collected data to a file created in the |
| Enterprise | T1083 | File and Directory Discovery | NETWIRE has the ability to search for files on the compromised host. |
| Enterprise | T1564.001 | Hide Artifacts: Hidden Files and Directories | NETWIRE can copy itself to and launch itself from hidden folders. |
| Enterprise | T1105 | Ingress Tool Transfer | NETWIRE can download payloads from C2 to the compromised host. |
| Enterprise | T1056.001 | Input Capture: Keylogging | |
| Enterprise | T1036.001 | Masquerading: Invalid Code Signature | The NETWIRE client has been signed by fake and invalid digital certificates. |
| Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | NETWIRE has masqueraded as legitimate software including TeamViewer and macOS Finder. |
| Enterprise | T1112 | Modify Registry | NETWIRE can modify the Registry to store its configuration information. |
| Enterprise | T1106 | Native API | NETWIRE can use Native API including |
| Enterprise | T1095 | Non-Application Layer Protocol | |
| Enterprise | T1027 | Obfuscated Files or Information | NETWIRE has used a custom obfuscation algorithm to hide strings including Registry keys, APIs, and DLL names. |
| Enterprise | | | NETWIRE can store its configuration information in the Registry under |
| Enterprise | T1566.001 | Phishing: Spearphishing Attachment | NETWIRE has been spread via e-mail campaigns utilizing malicious attachments. |
| Enterprise | T1566.002 | Phishing: Spearphishing Link | NETWIRE has been spread via e-mail campaigns utilizing malicious links. |
| Enterprise | T1055 | Process Injection | NETWIRE can inject code into system processes including notepad.exe, svchost.exe, and vbc.exe. |
| Enterprise | T1055.012 | Process Injection: Process Hollowing | The NETWIRE payload has been injected into benign Microsoft executables via process hollowing. |
| Enterprise | T1053.003 | Scheduled Task/Job: Cron | |
| Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | NETWIRE can create a scheduled task to establish persistence. |
| Enterprise | T1082 | System Information Discovery | NETWIRE can discover and collect victim system information. |
| Enterprise | T1016 | System Network Configuration Discovery | NETWIRE can collect the IP address of a compromised host. |
| Enterprise | T1049 | System Network Connections Discovery | NETWIRE can capture session logon details from a compromised host. |
| Enterprise | T1204.001 | User Execution: Malicious Link | NETWIRE has been executed through convincing victims into clicking malicious links. |
| Enterprise | T1204.002 | User Execution: Malicious File | NETWIRE has been executed through luring victims into opening malicious documents. |
| Enterprise | T1102 | Web Service | NETWIRE has used web services including Paste.ee to host payloads. |

Groups that use this software:

| ID | Name |
|---|---|
| G0089 | The White Company |