Analysis

  • max time kernel
    899s
  • max time network
    897s
  • platform
    windows10-ltsc_2021_x64
  • resource
    win10ltsc2021-20250314-en
  • resource tags

    arch:x64, arch:x86, image:win10ltsc2021-20250314-en, locale:en-us, os:windows10-ltsc_2021-x64, system
  • submitted
    03/04/2025, 09:22

General

  • Target

    EMV Reader Writer/X1v5/X1.exe

  • Size

    2.0MB

  • MD5

    4dcad2976d44b39374049f9ebbc12115

  • SHA1

    043b4ce521eea2265c13b25c9177f769d066ce4c

  • SHA256

    d22a6211b7d1e90142395aa3c55a6ee6e4bc563409b3fe27a2b19e1a61f5b869

  • SHA512

    a8bdf5e42656633fe620af81eb6ba41a67c317925f92b8e8f56303ae5a6847e1f583ff27aef377366810e1e7d78eb9202d369f4ba9598ac043c4e48f6751f0c9

  • SSDEEP

    49152:aJqoQryTkMx8aWuClGvkVaAXb4kqNEhjt7QrrePkvvWrv+Y:a4ryTTxelGv0aojhVereWvgGY

Malware Config

Extracted

Family

netwire

C2

local.cable-modem.org:3361

teamviewer.ddns.net:3361

optic.cable-modem.org:3361

teamviewer.ddns.me:3361

logmein.loginto.me:3361

Attributes
  • activex_autorun

    true

  • activex_key

    {LYN464PX-ITSA-6EUY-J762-UKD6Y5BMGV3H}

  • copy_executable

    true

  • delete_original

    false

  • host_id

    Milionare

  • install_path

    %AppData%\mscftmon\ntsvc32.exe

  • keylogger_dir

    %AppData%\metmsfmon\metaolgs.dat\

  • lock_executable

    false

  • mutex

    cVNWvLvU

  • offline_keylogger

    true

  • password

    anjing

  • registry_autorun

    true

  • startup_name

    winipcservices

  • use_mutex

    true
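
The extracted options above are only useful once they are turned into things a responder can search for: the dropped binary at `install_path`, the keylog directory, the Run value named `startup_name`, the Active Setup component named by `activex_key`, and the five C2 hostnames on port 3361. The script below does that derivation and matches the result against endpoint telemetry. It is an added example, not part of the sandbox report. The config values are copied from the report; the profile root `C:\Users\Admin`, the choice of registry hive for Active Setup (both HKCU and HKLM are checked because the report does not say which one the sample writes), and the Sysmon-style records in `SAMPLE_EVENTS` are assumptions constructed for illustration.

```python
"""Derive hunt indicators from the extracted NetWire config and match them
against endpoint telemetry.  Added example, not part of the sandbox report;
the hive for Active Setup, the profile path and the telemetry records are
assumptions made for illustration."""

# Values copied from the "Malware Config" section of the report.
NETWIRE_CONFIG = {
    "c2": [
        "local.cable-modem.org:3361",
        "teamviewer.ddns.net:3361",
        "optic.cable-modem.org:3361",
        "teamviewer.ddns.me:3361",
        "logmein.loginto.me:3361",
    ],
    "activex_key": "{LYN464PX-ITSA-6EUY-J762-UKD6Y5BMGV3H}",
    "install_path": "%AppData%\\mscftmon\\ntsvc32.exe",
    "keylogger_dir": "%AppData%\\metmsfmon\\metaolgs.dat\\",
    "mutex": "cVNWvLvU",
    "startup_name": "winipcservices",
    "registry_autorun": True,
    "activex_autorun": True,
}

RUN_KEY = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
# The sample installs into the user profile, so HKCU is the likely hive; HKLM is
# checked too because Active Setup is evaluated from there at logon (assumption).
ACTIVE_SETUP_KEYS = (
    "HKCU\\Software\\Microsoft\\Active Setup\\Installed Components",
    "HKLM\\Software\\Microsoft\\Active Setup\\Installed Components",
)


def expand_appdata(path, user):
    """Expand %AppData% for a profile under the default C:\\Users root."""
    return path.replace("%AppData%", "C:\\Users\\" + user + "\\AppData\\Roaming")


def build_indicators(cfg, user="Admin"):
    """Map each enabled option to the artefact it leaves behind.

    copy_executable  -> the binary at install_path
    offline_keylogger-> log files below keylogger_dir
    registry_autorun -> a Run value named startup_name
    activex_autorun  -> Installed Components\\<activex_key>\\StubPath
    """
    ind = {"files": set(), "file_prefixes": set(), "registry": set(),
           "hosts": set(), "ports": set(), "mutex": cfg["mutex"]}
    ind["files"].add(expand_appdata(cfg["install_path"], user).lower())
    ind["file_prefixes"].add(expand_appdata(cfg["keylogger_dir"], user).lower())
    if cfg["registry_autorun"]:
        ind["registry"].add((RUN_KEY + "\\" + cfg["startup_name"]).lower())
    if cfg["activex_autorun"]:
        for hive_key in ACTIVE_SETUP_KEYS:
            ind["registry"].add(
                (hive_key + "\\" + cfg["activex_key"] + "\\StubPath").lower())
    for entry in cfg["c2"]:
        host, port = entry.rsplit(":", 1)
        ind["hosts"].add(host.lower())
        ind["ports"].add(int(port))
    return ind


def match_events(events, ind):
    """Return (label, detail) for every telemetry record that hits an indicator.

    A bare destination-port hit is kept but labelled low confidence: 3361 is
    not reserved and will also show up in legitimate traffic."""
    hits = []
    for ev in events:
        kind = ev["type"]
        if kind == "registry_set" and ev["key"].lower() in ind["registry"]:
            hits.append(("persistence", ev["key"]))
        elif kind == "file_create":
            path = ev["path"].lower()
            if path in ind["files"]:
                hits.append(("dropped_payload", ev["path"]))
            elif any(path.startswith(p) for p in ind["file_prefixes"]):
                hits.append(("keylog_artifact", ev["path"]))
        elif kind == "dns_query" and ev["query"].lower() in ind["hosts"]:
            hits.append(("c2_dns", ev["query"]))
        elif kind == "network_connect" and ev["dst_port"] in ind["ports"]:
            hits.append(("c2_port_low_confidence",
                         "%s:%d" % (ev["dst_host"], ev["dst_port"])))
    return hits


# Constructed Sysmon-style records for illustration; not exported by the sandbox.
SAMPLE_EVENTS = [
    {"type": "registry_set",
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\winipcservices",
     "value": "C:\\Users\\Admin\\AppData\\Roaming\\mscftmon\\ntsvc32.exe"},
    {"type": "file_create",
     "path": "C:\\Users\\Admin\\AppData\\Roaming\\mscftmon\\ntsvc32.exe"},
    {"type": "dns_query", "query": "teamviewer.ddns.net"},
    {"type": "network_connect", "dst_host": "203.0.113.5", "dst_port": 3361},
    {"type": "file_create",
     "path": "C:\\Users\\Admin\\AppData\\Roaming\\metmsfmon\\metaolgs.dat\\2025-03-04.log"},
    {"type": "dns_query", "query": "www.teamviewer.com"},  # lookalike, must not hit
    {"type": "file_create",
     "path": "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\a.lnk"},
]

if __name__ == "__main__":
    for label, detail in match_events(SAMPLE_EVENTS, build_indicators(NETWIRE_CONFIG)):
        print(label, detail)
```

The mutex `cVNWvLvU` is deliberately not matched here: it does not appear in file, registry or network telemetry and has to be checked by enumerating named objects on the live host. Note also that the C2 names are all dynamic-DNS hostnames chosen to resemble remote-support products, so hunt on the exact strings rather than on substrings such as `teamviewer`.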

Signatures

  • NetWire RAT payload (9 IoCs)
  • Netwire

    Netwire is a RAT whose main functionality is password stealing and keylogging; it also provides remote-control capabilities.

  • Netwire family
  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 2 IoCs)

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE (7 IoCs)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • AutoIT Executable (1 IoC)

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext (3 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTP, 7 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class (19 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious use of SetWindowsHookEx (4 IoCs)
  • Suspicious use of WriteProcessMemory (27 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\EMV Reader Writer\X1v5\X1.exe
    "C:\Users\Admin\AppData\Local\Temp\EMV Reader Writer\X1v5\X1.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:5344
    • C:\Users\Admin\AppData\Roaming\win7system.exe
      C:\Users\Admin\AppData\Roaming/win7system.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:6000
      • C:\Users\Admin\AppData\Roaming\win7system.exe
        "C:\Users\Admin\AppData\Roaming\win7system.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4656
        • C:\Users\Admin\AppData\Roaming\mscftmon\ntsvc32.exe
          "C:\Users\Admin\AppData\Roaming\mscftmon\ntsvc32.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4856
          • C:\Users\Admin\AppData\Roaming\mscftmon\ntsvc32.exe
            "C:\Users\Admin\AppData\Roaming\mscftmon\ntsvc32.exe"
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            PID:5292
    • C:\Users\Admin\AppData\Local\Temp\temp.exe
      C:\Users\Admin\AppData\Local\Temp/temp.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      PID:2976
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\mscftmon\ntsvc32.exe
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4272
    • C:\Users\Admin\AppData\Roaming\mscftmon\ntsvc32.exe
      C:\Users\Admin\AppData\Roaming\mscftmon\ntsvc32.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1116
      • C:\Users\Admin\AppData\Roaming\mscftmon\ntsvc32.exe
        "C:\Users\Admin\AppData\Roaming\mscftmon\ntsvc32.exe"
        3⤵
        • Executes dropped EXE
        PID:1712
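
The tree above shows the same shape three times: a process flagged for `SetThreadContext` and `WriteProcessMemory` spawns a second copy of its own image, and that child is the one that goes on to do the work (the final `ntsvc32.exe` under PID 5292 is where the Active Setup and Run-key persistence lands). That is the RunPE / process-hollowing sequence: create self suspended, write the payload in, set the thread context, resume. The script below reconstructs the tree and flags those pairs. It is an added example, not part of the sandbox report. PIDs, image paths and the per-process signature tags are taken from the Processes section; parent PIDs are inferred from the tree's nesting, which the report does not state explicitly, and the tag names are abbreviations of the report's signature names.

```python
"""Reconstruct the sandbox process tree and flag process-hollowing pairs.
Added example, not part of the sandbox report; parent PIDs are inferred from
the tree's nesting and the tag names abbreviate the report's signatures."""
from collections import defaultdict

# (pid, ppid, image, signature tags shown for that process in the report)
PROCESSES = [
    (5344, None, "C:\\Users\\Admin\\AppData\\Local\\Temp\\EMV Reader Writer\\X1v5\\X1.exe",
     {"WriteProcessMemory"}),
    (6000, 5344, "C:\\Users\\Admin\\AppData\\Roaming\\win7system.exe",
     {"SetThreadContext", "WriteProcessMemory"}),
    (4656, 6000, "C:\\Users\\Admin\\AppData\\Roaming\\win7system.exe",
     {"WriteProcessMemory"}),
    (4856, 4656, "C:\\Users\\Admin\\AppData\\Roaming\\mscftmon\\ntsvc32.exe",
     {"SetThreadContext", "WriteProcessMemory"}),
    (5292, 4856, "C:\\Users\\Admin\\AppData\\Roaming\\mscftmon\\ntsvc32.exe",
     {"ActiveSetup", "RunKey"}),
    (2976, 5344, "C:\\Users\\Admin\\AppData\\Local\\Temp\\temp.exe",
     {"SetWindowsHookEx"}),
    (4272, None, "C:\\Windows\\system32\\cmd.exe", {"WriteProcessMemory"}),
    (1116, 4272, "C:\\Users\\Admin\\AppData\\Roaming\\mscftmon\\ntsvc32.exe",
     {"SetThreadContext", "WriteProcessMemory"}),
    (1712, 1116, "C:\\Users\\Admin\\AppData\\Roaming\\mscftmon\\ntsvc32.exe", set()),
]

# PIDs for which the report's Downloads section lists a memory dump.
DUMPED_PIDS = {1712, 2976, 4656, 5292}

HOLLOWING_TAGS = {"SetThreadContext", "WriteProcessMemory"}


def build_tree(procs):
    """Index processes by PID and by parent PID."""
    by_pid = {p[0]: p for p in procs}
    children = defaultdict(list)
    for pid, ppid, _, _ in procs:
        children[ppid].append(pid)
    return by_pid, children


def hollowing_candidates(procs):
    """(parent, child, image) where the child is a second copy of the parent's
    image and the parent was seen using SetThreadContext + WriteProcessMemory.
    The child is the likely host of the injected payload, not the parent."""
    by_pid, _ = build_tree(procs)
    out = []
    for pid, ppid, image, _ in procs:
        if ppid not in by_pid:
            continue
        _, _, parent_image, parent_tags = by_pid[ppid]
        if image.lower() == parent_image.lower() and HOLLOWING_TAGS <= parent_tags:
            out.append((ppid, pid, image))
    return out


def payload_hosts(procs, dumped):
    """Hollowed children whose memory the sandbox dumped: the dumps to pull
    the unpacked payload from (the 0x400000-0x41F000 regions above)."""
    return sorted(pid for _, pid, _ in hollowing_candidates(procs) if pid in dumped)


def chain(procs, pid):
    """Ancestry of a PID from the root down, for the incident narrative."""
    by_pid, _ = build_tree(procs)
    path = []
    while pid in by_pid:
        path.append(pid)
        pid = by_pid[pid][1]
    return list(reversed(path))


if __name__ == "__main__":
    for parent, child, image in hollowing_candidates(PROCESSES):
        print("hollowed: %d -> %d  %s" % (parent, child, image))
    print("payload dumps:", payload_hosts(PROCESSES, DUMPED_PIDS))
    print("chain to 5292:", chain(PROCESSES, 5292))
```

Read together with the Downloads section, this explains why the 124KB dumps all sit at `0x400000-0x41F000` in PIDs 4656, 5292 and 1712: those are the hollowed children, and that region is the image base the injected NetWire payload was mapped at. The `temp.exe` dump (PID 2976) is a different thing, a decoy or second-stage component loaded at high addresses, and is not part of the hollowing chain. The second root, `cmd.exe /c ...\ntsvc32.exe`, is the persisted copy being re-launched and going through the same hollowing step again.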

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\temp.exe

    Filesize

    2.1MB

    MD5

    4797151867a45824e90fc5c7bb0ce3c0

    SHA1

    febebde0fe81094c1d7d8c96f16b7d9c18e68ee1

    SHA256

    6f24acf9a3ed15b5ef034460850679d7e9df1233386a36fc0a4b787844ee2e2e

    SHA512

    3fa638ae37e82a2767047d8a42ca556df3859d5a432107820b6d9be37aed6dfbb386a39abbb7ae1bd2ed207aaea5724c9c2d36174e967dd38e638d1dd0d3f4bc

  • C:\Users\Admin\AppData\Roaming\win7system.exe

    Filesize

    851KB

    MD5

    f0efbb2f387c405af70553af29b330dd

    SHA1

    9b495dd76e44621fd20b4372c6df6ec5e573f8a0

    SHA256

    95a48c97cdb26f24143d7dcc52b8897d6516511c453ac7c7d0f7446e01340e3e

    SHA512

    5f5eb19693ed83e458bd55436b49bd3be758312ad71f74150f494597e623d56341fefb4d3fd3243cc9b636b8a1fe80cfb4afbd5b9098cfd1ff1ffc3db4c4bde2

  • memory/1712-38-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/2976-25-0x0000000060900000-0x0000000060992000-memory.dmp

    Filesize

    584KB

  • memory/2976-26-0x0000000062E80000-0x0000000062EA2000-memory.dmp

    Filesize

    136KB

  • memory/4656-18-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/4656-21-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/4656-16-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/5292-40-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/5292-43-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/5292-49-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/5292-53-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/5292-56-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB