Malware Analysis Report

2024-11-30 23:51

Sample ID: 241119-kdmpwstbnn
Target: SDA EMV Chip Writer By Paws.exe
SHA256: 7f4d0810b884d9647d5374550187a123f009ce8f6450d5dab818a2384358fb06
Tags: netwire, botnet, discovery, persistence, rat, stealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 7f4d0810b884d9647d5374550187a123f009ce8f6450d5dab818a2384358fb06

Threat level: Known bad. The file SDA EMV Chip Writer By Paws.exe was found to be known bad.

Malicious Activity Summary

Tags: netwire, botnet, discovery, persistence, rat, stealer

Read together, the signatures describe an AutoIt-compiled dropper that writes Syssvctoolsx64bit.exe and Sdachipwriter.exe to disk and runs them, spawns a copy of Syssvctoolsx64bit.exe and injects into it (WriteProcessMemory followed by SetThreadContext, the process-hollowing pattern), repeats that step from crhomeAT64bit.exe, registers crhomeAT64bit.exe as both an Active Setup StubPath and a per-user Run value, and connects repeatedly to a dynamic-DNS host on TCP/3361. The NetWire RAT payload signature matches in memory.

Netwire
NetWire RAT payload
Netwire family
Boot or Logon Autostart Execution: Active Setup (ATT&CK T1547.014)
Executes dropped EXE
Adds Run key to start application (ATT&CK T1547.001)
AutoIT Executable
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery (ATT&CK T1614.001)
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-19 08:29

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-19 08:29
Reported: 2024-11-19 08:36
Platform: win11-20241007-en
Max time kernel: 147s
Max time network: 154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SDA EMV Chip Writer By Paws.exe"

Signatures

NetWire RAT payload (tag: rat)

Description Indicator Process Target
N/A N/A N/A N/A (8 matches, no details recorded)

Netwire (tags: botnet, stealer, netwire)

Netwire family (tag: netwire)

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FV27BA78-2S2J-Y2KF-44D4-X6XR4251FJEB} C:\Users\Admin\AppData\Roaming\instal\crhomeAT64bit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FV27BA78-2S2J-Y2KF-44D4-X6XR4251FJEB}\StubPath = "C:\Users\Admin\AppData\Roaming\instal\crhomeAT64bit.exe" (value shown unescaped; the quotes are part of the stored string) C:\Users\Admin\AppData\Roaming\instal\crhomeAT64bit.exe N/A

Two details make this entry easy to spot. The component name {FV27BA78-2S2J-Y2KF-44D4-X6XR4251FJEB} contains letters outside 0-9 and A-F, so it is not a GUID, only a GUID-shaped string; Windows does not validate it, but a hunt query can. The key was written under WOW6432Node, which means the writer (crhomeAT64bit.exe, despite its name) is a 32-bit process whose registry access was redirected. An Active Setup StubPath is executed in the context of each user at their next logon, so this entry keeps the implant alive even if the per-user Run value below is removed.

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Windows\CurrentVersion\Run\tvnserver = C:\Users\Admin\AppData\Roaming\instal\crhomeAT64bit.exe C:\Users\Admin\AppData\Roaming\instal\crhomeAT64bit.exe N/A

The value name tvnserver borrows the name of the TightVNC server binary (tvnserver.exe) and the image name crhomeAT64bit.exe is a misspelling of "chrome"; both are chosen to look familiar in an autoruns listing.
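Checking for these two persistence artefacts by hand is error-prone, so the following added example (written for this page; it is not the sandbox's or the sample's code) applies the two heuristics described above to registry-write events: an Active Setup component whose name is not a well-formed GUID, and an autostart image under a user-writable directory. The event list is constructed from the two indicators in this report plus one benign-shaped control entry that must not fire; the (key path, value data) layout, the `assess`/`scan` names and the user-writable directory list are this example's own assumptions.

```python
import re
from dataclasses import dataclass

# A genuine Active Setup component name is a brace-wrapped GUID: hex digits only.
GUID_RE = re.compile(
    r"^\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}$", re.I)
ACTIVE_SETUP_RE = re.compile(
    r"\\Microsoft\\Active Setup\\Installed Components\\(\{[^\\}]+\})\\StubPath$", re.I)
RUN_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$", re.I)
# Directories a standard user can write to; legitimate autostart stubs rarely live here.
# (Assumed list for this example; extend it for your environment.)
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\temp\\", "\\programdata\\")

# Constructed from the two registry indicators in this report, plus one
# benign-shaped control entry (valid GUID, stub under System32) that must not fire.
SAMPLE_EVENTS = [
    (r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components"
     r"\{FV27BA78-2S2J-Y2KF-44D4-X6XR4251FJEB}\StubPath",
     r'"C:\Users\Admin\AppData\Roaming\instal\crhomeAT64bit.exe"'),
    (r"\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000"
     r"\Software\Microsoft\Windows\CurrentVersion\Run\tvnserver",
     r"C:\Users\Admin\AppData\Roaming\instal\crhomeAT64bit.exe"),
    (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components"
     r"\{89820200-ECBD-11CF-8B85-00AA005B4340}\StubPath",
     r"C:\Windows\System32\ie4uinit.exe -UserConfig"),
]


@dataclass
class Finding:
    mechanism: str   # "active_setup" or "run_key"
    name: str        # component GUID or Run value name
    image: str       # executable the entry launches
    reasons: tuple   # heuristics that fired, in order


def image_path(value_data: str) -> str:
    """Pull the executable path out of a StubPath/Run value, quoted or bare."""
    data = value_data.strip()
    if data.startswith('"'):
        return data[1:data.find('"', 1)]
    m = re.match(r".*?\.exe", data, re.I)
    return m.group(0) if m else data


def assess(key_path: str, value_data: str):
    """Return a Finding when an autostart write looks suspicious, else None."""
    m = ACTIVE_SETUP_RE.search(key_path)
    if m:
        mechanism, name = "active_setup", m.group(1)
    else:
        m = RUN_RE.search(key_path)
        if not m:
            return None          # not one of the two locations this example models
        mechanism, name = "run_key", m.group(1)

    image = image_path(value_data)
    reasons = []
    if mechanism == "active_setup" and not GUID_RE.match(name):
        reasons.append("component name is not a well-formed GUID")
    if any(seg in image.lower() for seg in USER_WRITABLE):
        reasons.append("autostart image under a user-writable path")
    # WOW6432Node is context (32-bit writer), not a reason to flag on its own.
    if reasons and "\\wow6432node\\" in key_path.lower():
        reasons.append("context: written through the WOW6432Node view, so the writer is 32-bit")
    return Finding(mechanism, name, image, tuple(reasons)) if reasons else None


def scan(events):
    """Apply assess() to (key_path, value_data) pairs and keep the hits."""
    return [f for f in (assess(k, v) for k, v in events) if f]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f.mechanism, f.name, f.image, "|", "; ".join(f.reasons))
```

On a live host the same pairs can be fed from Sysmon Event ID 13 (registry value set: TargetObject and Details) or from a `reg query` of the two hives; the GUID check is the cheap discriminator here because real Active Setup components are installed by setup programs that generate proper GUIDs.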

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1368 set thread context of 860 N/A C:\Users\Admin\AppData\Roaming\Syssvctoolsx64bit.exe C:\Users\Admin\AppData\Roaming\Syssvctoolsx64bit.exe
PID 4504 set thread context of 1952 N/A C:\Users\Admin\AppData\Roaming\instal\crhomeAT64bit.exe C:\Users\Admin\AppData\Roaming\instal\crhomeAT64bit.exe

In both rows the source and target share an image path, and the WriteProcessMemory table below shows the same source writing into the same child just before. A parent that spawns a copy of itself, writes into it and then resets its thread context is the process-hollowing pattern (ATT&CK T1055.012): the child's original code at its image base is overwritten with the unpacked payload and execution is redirected into it. The memory dumps taken from PIDs 860 and 1952 in the Files section cover 0x00400000-0x0041F000, the default image base of a 32-bit executable, which is where the NetWire RAT payload signature would be expected to match.

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\SDA EMV Chip Writer By Paws.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Sdachipwriter.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Syssvctoolsx64bit.exe N/A (2 times)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\instal\crhomeAT64bit.exe N/A (2 times)

NLS\Language holds the Default and InstallLanguage values that identify the system language. All six processes in the chain read it, including the first-stage AutoIt executables, so on its own this is a weak indicator: it says the code checks the locale, not what it does with the answer.

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Sdachipwriter.exe N/A

Sdachipwriter.exe is the only process that installs a Windows hook. It is launched by the dropper alongside the Syssvctoolsx64bit.exe chain rather than being part of it, and its dumped image region (0x00400000-0x00972000, see Files) is far larger than the regions matched in the hollowed processes, which is consistent with a GUI application rather than the RAT; the hook type should still be confirmed before it is dismissed.

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 248 wrote to memory of 1368 (3 times) N/A C:\Users\Admin\AppData\Local\Temp\SDA EMV Chip Writer By Paws.exe C:\Users\Admin\AppData\Roaming\Syssvctoolsx64bit.exe
PID 248 wrote to memory of 3532 (3 times) N/A C:\Users\Admin\AppData\Local\Temp\SDA EMV Chip Writer By Paws.exe C:\Users\Admin\AppData\Local\Temp\Sdachipwriter.exe
PID 1368 wrote to memory of 860 (5 times) N/A C:\Users\Admin\AppData\Roaming\Syssvctoolsx64bit.exe C:\Users\Admin\AppData\Roaming\Syssvctoolsx64bit.exe
PID 860 wrote to memory of 4504 (3 times) N/A C:\Users\Admin\AppData\Roaming\Syssvctoolsx64bit.exe C:\Users\Admin\AppData\Roaming\instal\crhomeAT64bit.exe
PID 4504 wrote to memory of 1952 (5 times) N/A C:\Users\Admin\AppData\Roaming\instal\crhomeAT64bit.exe C:\Users\Admin\AppData\Roaming\instal\crhomeAT64bit.exe

Only the 1368 to 860 and 4504 to 1952 pairs are followed by SetThreadContext. The writes from 248 and 860 into their children are the ordinary parent-to-child writes that accompany process creation; the pairs with five writes into a same-image child plus a context switch are the injection. Taken together the two tables give the full chain: 248 starts 1368 and 3532; 1368 hollows 860; 860 starts 4504; 4504 hollows 1952.
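To make the injection chain explicit, here is an added example (mine, not the sandbox's or the sample's code) that rebuilds the process lineage from the WriteProcessMemory events and flags every source/target pair that both received writes and had its thread context set, which is the process-hollowing pattern discussed under SetThreadContext above. The event list is constructed from the two tables in this report; the tuple layout with a count column, the `Hollowing` record and the function names are this example's assumptions, not a sandbox export format.

```python
from collections import defaultdict
from dataclasses import dataclass

SDA = r"C:\Users\Admin\AppData\Local\Temp\SDA EMV Chip Writer By Paws.exe"
SDACHIP = r"C:\Users\Admin\AppData\Local\Temp\Sdachipwriter.exe"
SYSSVC = r"C:\Users\Admin\AppData\Roaming\Syssvctoolsx64bit.exe"
CHROME = r"C:\Users\Admin\AppData\Roaming\instal\crhomeAT64bit.exe"

# Constructed from the SetThreadContext and WriteProcessMemory tables above:
# (api, source_pid, target_pid, source_image, target_image, count).
EVENTS = [
    ("WriteProcessMemory", 248, 1368, SDA, SYSSVC, 3),
    ("WriteProcessMemory", 248, 3532, SDA, SDACHIP, 3),
    ("WriteProcessMemory", 1368, 860, SYSSVC, SYSSVC, 5),
    ("SetThreadContext", 1368, 860, SYSSVC, SYSSVC, 1),
    ("WriteProcessMemory", 860, 4504, SYSSVC, CHROME, 3),
    ("WriteProcessMemory", 4504, 1952, CHROME, CHROME, 5),
    ("SetThreadContext", 4504, 1952, CHROME, CHROME, 1),
]


@dataclass
class Hollowing:
    source: int
    target: int
    image: str          # image the target was created from
    same_image: bool    # source spawned a copy of itself
    writes: int         # WriteProcessMemory calls before the context switch


def parent_map(events):
    """Treat the first process that writes into a PID as its parent
    (parent-to-child writes accompany process creation)."""
    parents = {}
    for api, src, dst, *_ in events:
        if api == "WriteProcessMemory" and dst not in parents and src != dst:
            parents[dst] = src
    return parents


def lineage(events, pid):
    """Root-to-leaf chain of PIDs ending at pid."""
    parents = parent_map(events)
    chain = [pid]
    while chain[-1] in parents:
        chain.append(parents[chain[-1]])
    return chain[::-1]


def hollowing_candidates(events):
    """A source that both writes into a target and replaces its thread
    context matches the hollowing pattern; report each pair once."""
    apis = defaultdict(set)
    writes = defaultdict(int)
    images = {}
    for api, src, dst, src_img, dst_img, count in events:
        apis[(src, dst)].add(api)
        if api == "WriteProcessMemory":
            writes[(src, dst)] += count
        images[(src, dst)] = (src_img, dst_img)
    hits = []
    for (src, dst), seen in apis.items():
        if {"WriteProcessMemory", "SetThreadContext"} <= seen:
            src_img, dst_img = images[(src, dst)]
            hits.append(Hollowing(src, dst, dst_img,
                                  src_img.lower() == dst_img.lower(),
                                  writes[(src, dst)]))
    return sorted(hits, key=lambda h: h.target)


def render_tree(events, root):
    """Indented process tree under root, using the inferred parent links."""
    parents = parent_map(events)
    names = {}
    for _, src, dst, src_img, dst_img, _ in events:
        names[src] = src_img.rsplit("\\", 1)[-1]
        names[dst] = dst_img.rsplit("\\", 1)[-1]
    hollowed = {h.target for h in hollowing_candidates(events)}
    lines = []

    def walk(pid, depth):
        tag = "  <- hollowed" if pid in hollowed else ""
        lines.append("  " * depth + f"{pid} {names[pid]}{tag}")
        for child in sorted(c for c, p in parents.items() if p == pid):
            walk(child, depth + 1)

    walk(root, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_tree(EVENTS, 248))
    for h in hollowing_candidates(EVENTS):
        print(f"{h.source} -> {h.target}: {h.writes} writes then SetThreadContext, "
              f"same image={h.same_image}")
```

The point of the conjunction is that cross-process writes alone also occur at ordinary process creation (the three-write rows in the table); it is the write-then-SetThreadContext pair into a freshly spawned same-image child that distinguishes hollowing from normal parent behaviour, so any telemetry source that records both per (source, target) pair can drive the same logic.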

Processes

The six processes are listed in creation order; the PIDs are taken from the SetThreadContext and WriteProcessMemory tables above and matched to that order.

PID 248   C:\Users\Admin\AppData\Local\Temp\SDA EMV Chip Writer By Paws.exe
          "C:\Users\Admin\AppData\Local\Temp\SDA EMV Chip Writer By Paws.exe"
PID 1368  C:\Users\Admin\AppData\Roaming\Syssvctoolsx64bit.exe
          C:\Users\Admin\AppData\Roaming/Syssvctoolsx64bit.exe
PID 3532  C:\Users\Admin\AppData\Local\Temp\Sdachipwriter.exe
          C:\Users\Admin\AppData\Local\Temp/Sdachipwriter.exe
PID 860   C:\Users\Admin\AppData\Roaming\Syssvctoolsx64bit.exe
          "C:\Users\Admin\AppData\Roaming\Syssvctoolsx64bit.exe"
PID 4504  C:\Users\Admin\AppData\Roaming\instal\crhomeAT64bit.exe
          "C:\Users\Admin\AppData\Roaming\instal\crhomeAT64bit.exe"
PID 1952  C:\Users\Admin\AppData\Roaming\instal\crhomeAT64bit.exe
          "C:\Users\Admin\AppData\Roaming\instal\crhomeAT64bit.exe"

Process tree (parent links from the WriteProcessMemory table):
248 SDA EMV Chip Writer By Paws.exe
    1368 Syssvctoolsx64bit.exe
        860 Syssvctoolsx64bit.exe (target of SetThreadContext from 1368)
            4504 crhomeAT64bit.exe
                1952 crhomeAT64bit.exe (target of SetThreadContext from 4504)
    3532 Sdachipwriter.exe

Note the forward slash in the command lines of 1368 and 3532 (...\Roaming/Syssvctoolsx64bit.exe and ...\Temp/Sdachipwriter.exe): that is how the dropper launched them, and it is a usable command-line indicator. The copies started by the injecting processes use an ordinarily quoted path.

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 local.cable-modem.org udp 1
ID 180.241.167.20:3361 teamviewer.ddns.net tcp 6

The sample made one DNS query (UDP/53 to 8.8.8.8) for local.cable-modem.org and then connected six times during the 154 s run to 180.241.167.20 (country code ID, Indonesia) on TCP/3361, attributed to teamviewer.ddns.net. That hostname is a free dynamic-DNS name (ddns.net is a No-IP domain) that borrows the TeamViewer brand; it has nothing to do with TeamViewer, and 3361 is not a port TeamViewer uses. Treat 180.241.167.20, teamviewer.ddns.net and TCP/3361 as C2 indicators, with the caveat that dynamic-DNS records rotate, so the hostname is the more durable of the two.

Files

C:\Users\Admin\AppData\Roaming\Syssvctoolsx64bit.exe
MD5: c57711ed5ac9003f30be5d81c0b8ddc1
SHA1: f7e14ebd419f4c6c3ba269e1fb6ff765adc5d8b9
SHA256: ec94ffbda11b4f750ea732a9986b6dd60d4c87978f810f27336abf4ee178bc03
SHA512: 2f000b930b6481a2cf4842a1dc04e7a99fb25c29fc21e221fddd7e3bfa299e69a5890dbfc8200cf5cb1191726697bf39e400810f4ee415206f95a6ab24905466

C:\Users\Admin\AppData\Local\Temp\Sdachipwriter.exe
MD5: 0828480f98adb533104d42ad42601f80
SHA1: 5528665c1e94ec7738174058196d3c818c64241e
SHA256: 1ecfd3755eba578108363c0705c6ec205972080739ed0fbd17439f8139ba7e08
SHA512: c8e87296d06a1cc032dbc78828413c6d1636d506e859f8f5545a0164b73d0d32d7ed7b046aa8108dacd8299b6a587733d870fb45d3e03666e75bc45a4bb3bc65

Memory dumps (named memory/<pid>-<dump index>-<start>-<end>-memory.dmp):
PID 3532 (Sdachipwriter.exe): 0x02A70000-0x02A71000 (dumps 16 and 53); 0x00400000-0x00972000 (dump 52)
PID 860 (Syssvctoolsx64bit.exe): 0x00400000-0x0041F000 (dumps 41, 44, 46)
PID 1952 (crhomeAT64bit.exe): 0x00400000-0x0041F000 (dumps 60, 62, 64, 66, 68)

The eight dumps of the 0x00400000-0x0041F000 region in PIDs 860 and 1952 match the eight NetWire RAT payload signature rows above. No hash is recorded for C:\Users\Admin\AppData\Roaming\instal\crhomeAT64bit.exe, the file both persistence entries point at, so it cannot be matched by hash from this report alone.