Analysis Overview
SHA256
7f4d0810b884d9647d5374550187a123f009ce8f6450d5dab818a2384358fb06
Threat Level: Known bad
The file SDAEMVChipWriterByPaws.exe was found to be: Known bad.
Malicious Activity Summary
Netwire
Netwire family
NetWire RAT payload
Boot or Logon Autostart Execution: Active Setup
Loads dropped DLL
Executes dropped EXE
Adds Run key to start application
Suspicious use of SetThreadContext
AutoIT Executable
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-19 07:29
Signatures
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-19 07:29
Reported
2024-11-19 07:31
Platform
win7-20240903-en
Max time kernel
149s
Max time network
142s
Command Line
Signatures
NetWire RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Netwire
Netwire family
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FV27BA78-2S2J-Y2KF-44D4-X6XR4251FJEB}\StubPath = "\"C:\\Users\\Admin\\AppData\\Roaming\\instal\\crhomeAT64bit.exe\"" | C:\Users\Admin\AppData\Roaming\instal\crhomeAT64bit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FV27BA78-2S2J-Y2KF-44D4-X6XR4251FJEB} | C:\Users\Admin\AppData\Roaming\instal\crhomeAT64bit.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Syssvctoolsx64bit.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Sdachipwriter.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Syssvctoolsx64bit.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\instal\crhomeAT64bit.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\instal\crhomeAT64bit.exe | N/A |
Loads dropped DLL
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\tvnserver = "C:\\Users\\Admin\\AppData\\Roaming\\instal\\crhomeAT64bit.exe" | C:\Users\Admin\AppData\Roaming\instal\crhomeAT64bit.exe | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2764 set thread context of 1988 | N/A | C:\Users\Admin\AppData\Roaming\Syssvctoolsx64bit.exe | C:\Users\Admin\AppData\Roaming\Syssvctoolsx64bit.exe |
| PID 2888 set thread context of 624 | N/A | C:\Users\Admin\AppData\Roaming\instal\crhomeAT64bit.exe | C:\Users\Admin\AppData\Roaming\instal\crhomeAT64bit.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\SDAEMVChipWriterByPaws.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Syssvctoolsx64bit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Sdachipwriter.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Syssvctoolsx64bit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\instal\crhomeAT64bit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\instal\crhomeAT64bit.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Sdachipwriter.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\SDAEMVChipWriterByPaws.exe
"C:\Users\Admin\AppData\Local\Temp\SDAEMVChipWriterByPaws.exe"
C:\Users\Admin\AppData\Roaming\Syssvctoolsx64bit.exe
C:\Users\Admin\AppData\Roaming/Syssvctoolsx64bit.exe
C:\Users\Admin\AppData\Local\Temp\Sdachipwriter.exe
C:\Users\Admin\AppData\Local\Temp/Sdachipwriter.exe
C:\Users\Admin\AppData\Roaming\Syssvctoolsx64bit.exe
"C:\Users\Admin\AppData\Roaming\Syssvctoolsx64bit.exe"
C:\Users\Admin\AppData\Roaming\instal\crhomeAT64bit.exe
"C:\Users\Admin\AppData\Roaming\instal\crhomeAT64bit.exe"
C:\Users\Admin\AppData\Roaming\instal\crhomeAT64bit.exe
"C:\Users\Admin\AppData\Roaming\instal\crhomeAT64bit.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | local.cable-modem.org | udp |
| ID | 180.241.167.20:3361 | local.cable-modem.org | tcp |
| US | 8.8.8.8:53 | teamviewer.ddns.net | udp |
| ID | 180.241.167.20:3361 | teamviewer.ddns.net | tcp |
| US | 8.8.8.8:53 | optic.cable-modem.org | udp |
| US | 8.8.8.8:53 | teamviewer.ddns.me | udp |
| US | 8.8.8.8:53 | logmein.loginto.me | udp |
| ID | 180.241.167.20:3361 | teamviewer.ddns.net | tcp |
| ID | 180.241.167.20:3361 | teamviewer.ddns.net | tcp |
| US | 8.8.8.8:53 | local.cable-modem.org | udp |
| ID | 180.241.167.20:3361 | local.cable-modem.org | tcp |
| US | 8.8.8.8:53 | teamviewer.ddns.net | udp |
| ID | 180.241.167.20:3361 | teamviewer.ddns.net | tcp |
Files
\Users\Admin\AppData\Roaming\Syssvctoolsx64bit.exe
| MD5 | c57711ed5ac9003f30be5d81c0b8ddc1 |
| SHA1 | f7e14ebd419f4c6c3ba269e1fb6ff765adc5d8b9 |
| SHA256 | ec94ffbda11b4f750ea732a9986b6dd60d4c87978f810f27336abf4ee178bc03 |
| SHA512 | 2f000b930b6481a2cf4842a1dc04e7a99fb25c29fc21e221fddd7e3bfa299e69a5890dbfc8200cf5cb1191726697bf39e400810f4ee415206f95a6ab24905466 |
\Users\Admin\AppData\Local\Temp\Sdachipwriter.exe
| MD5 | 0828480f98adb533104d42ad42601f80 |
| SHA1 | 5528665c1e94ec7738174058196d3c818c64241e |
| SHA256 | 1ecfd3755eba578108363c0705c6ec205972080739ed0fbd17439f8139ba7e08 |
| SHA512 | c8e87296d06a1cc032dbc78828413c6d1636d506e859f8f5545a0164b73d0d32d7ed7b046aa8108dacd8299b6a587733d870fb45d3e03666e75bc45a4bb3bc65 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-19 07:29
Reported
2024-11-19 07:31
Platform
win10v2004-20241007-en
Max time kernel
147s
Max time network
151s
Command Line
Signatures
NetWire RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Netwire
Netwire family
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FV27BA78-2S2J-Y2KF-44D4-X6XR4251FJEB}\StubPath = "\"C:\\Users\\Admin\\AppData\\Roaming\\instal\\crhomeAT64bit.exe\"" | C:\Users\Admin\AppData\Roaming\instal\crhomeAT64bit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FV27BA78-2S2J-Y2KF-44D4-X6XR4251FJEB} | C:\Users\Admin\AppData\Roaming\instal\crhomeAT64bit.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Syssvctoolsx64bit.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Sdachipwriter.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Syssvctoolsx64bit.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\instal\crhomeAT64bit.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\instal\crhomeAT64bit.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tvnserver = "C:\\Users\\Admin\\AppData\\Roaming\\instal\\crhomeAT64bit.exe" | C:\Users\Admin\AppData\Roaming\instal\crhomeAT64bit.exe | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4032 set thread context of 3652 | N/A | C:\Users\Admin\AppData\Roaming\Syssvctoolsx64bit.exe | C:\Users\Admin\AppData\Roaming\Syssvctoolsx64bit.exe |
| PID 5040 set thread context of 1300 | N/A | C:\Users\Admin\AppData\Roaming\instal\crhomeAT64bit.exe | C:\Users\Admin\AppData\Roaming\instal\crhomeAT64bit.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Syssvctoolsx64bit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Sdachipwriter.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Syssvctoolsx64bit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\instal\crhomeAT64bit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\instal\crhomeAT64bit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\SDAEMVChipWriterByPaws.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Sdachipwriter.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\SDAEMVChipWriterByPaws.exe
"C:\Users\Admin\AppData\Local\Temp\SDAEMVChipWriterByPaws.exe"
C:\Users\Admin\AppData\Roaming\Syssvctoolsx64bit.exe
C:\Users\Admin\AppData\Roaming/Syssvctoolsx64bit.exe
C:\Users\Admin\AppData\Local\Temp\Sdachipwriter.exe
C:\Users\Admin\AppData\Local\Temp/Sdachipwriter.exe
C:\Users\Admin\AppData\Roaming\Syssvctoolsx64bit.exe
"C:\Users\Admin\AppData\Roaming\Syssvctoolsx64bit.exe"
C:\Users\Admin\AppData\Roaming\instal\crhomeAT64bit.exe
"C:\Users\Admin\AppData\Roaming\instal\crhomeAT64bit.exe"
C:\Users\Admin\AppData\Roaming\instal\crhomeAT64bit.exe
"C:\Users\Admin\AppData\Roaming\instal\crhomeAT64bit.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | local.cable-modem.org | udp |
| ID | 180.241.167.20:3361 | local.cable-modem.org | tcp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | teamviewer.ddns.net | udp |
| ID | 180.241.167.20:3361 | teamviewer.ddns.net | tcp |
| US | 8.8.8.8:53 | optic.cable-modem.org | udp |
| US | 8.8.8.8:53 | teamviewer.ddns.me | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | logmein.loginto.me | udp |
| ID | 180.241.167.20:3361 | teamviewer.ddns.net | tcp |
| ID | 180.241.167.20:3361 | teamviewer.ddns.net | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | optic.cable-modem.org | udp |
| US | 8.8.8.8:53 | teamviewer.ddns.me | udp |
| US | 8.8.8.8:53 | logmein.loginto.me | udp |
| US | 8.8.8.8:53 | local.cable-modem.org | udp |
| ID | 180.241.167.20:3361 | local.cable-modem.org | tcp |
| US | 8.8.8.8:53 | teamviewer.ddns.net | udp |
| ID | 180.241.167.20:3361 | teamviewer.ddns.net | tcp |
Files
C:\Users\Admin\AppData\Roaming\Syssvctoolsx64bit.exe
| MD5 | c57711ed5ac9003f30be5d81c0b8ddc1 |
| SHA1 | f7e14ebd419f4c6c3ba269e1fb6ff765adc5d8b9 |
| SHA256 | ec94ffbda11b4f750ea732a9986b6dd60d4c87978f810f27336abf4ee178bc03 |
| SHA512 | 2f000b930b6481a2cf4842a1dc04e7a99fb25c29fc21e221fddd7e3bfa299e69a5890dbfc8200cf5cb1191726697bf39e400810f4ee415206f95a6ab24905466 |
C:\Users\Admin\AppData\Local\Temp\Sdachipwriter.exe
| MD5 | 0828480f98adb533104d42ad42601f80 |
| SHA1 | 5528665c1e94ec7738174058196d3c818c64241e |
| SHA256 | 1ecfd3755eba578108363c0705c6ec205972080739ed0fbd17439f8139ba7e08 |
| SHA512 | c8e87296d06a1cc032dbc78828413c6d1636d506e859f8f5545a0164b73d0d32d7ed7b046aa8108dacd8299b6a587733d870fb45d3e03666e75bc45a4bb3bc65 |