Resubmissions

05/05/2025, 12:24

250505-plgk3axta1 10

25/04/2025, 00:41

250425-a1yessxtes 10

25/04/2025, 00:37

250425-ayh74a1ks4 10

General

  • Target

    EMV Writer Reader Software v8.exe

  • Size

    1.3MB

  • Sample

    250425-a1yessxtes

  • MD5

    f368225b07c15a58fc20c022b5d67ac7

  • SHA1

    0b91bffa3098fc586516a08c10a641c0f01a4337

  • SHA256

    e146c7e9223d84f76c59a0979facb49a347bb1b1427df98334a22b348bb624cd

  • SHA512

    678de6e96ba0caf0daf6e00c7da37018cbcb3cf0bd7384e7a1a21e0d23e4a0bda3b42adaae38e037e61c0e53d40db53273b98da305a9149fe69111dea0199fb6

  • SSDEEP

    24576:gRmJk9oQrilOIz+yMxPaknyxaKwdGyR/iOcYs1PtGaGw4o:ZJwoQryTtMxPaksa91RKHbUS

Malware Config

Extracted

Family

netwire

C2

teamviewer.ddns.net:3360

local.cable-modem.org:3360

local-cable.duckdns.org:3360

Attributes
  • activex_autorun

    true

  • activex_key

    {I428F72B-17T1-3YB6-KVXD-ED316JPXN378}

  • copy_executable

    true

  • delete_original

    false

  • host_id

    mypesse

  • install_path

    %AppData%\Onedrivel\Prevhostwin10.exe

  • keylogger_dir

    %AppData%\systemprev\

  • lock_executable

    false

  • mutex

    nSOFwQuC

  • offline_keylogger

    true

  • password

    memek

  • registry_autorun

    true

  • startup_name

    Microsft@operati

  • use_mutex

    true

Targets

    • Target

      EMV Writer Reader Software v8.exe

    • Size

      1.3MB

    • MD5

      f368225b07c15a58fc20c022b5d67ac7

    • SHA1

      0b91bffa3098fc586516a08c10a641c0f01a4337

    • SHA256

      e146c7e9223d84f76c59a0979facb49a347bb1b1427df98334a22b348bb624cd

    • SHA512

      678de6e96ba0caf0daf6e00c7da37018cbcb3cf0bd7384e7a1a21e0d23e4a0bda3b42adaae38e037e61c0e53d40db53273b98da305a9149fe69111dea0199fb6

    • SSDEEP

      24576:gRmJk9oQrilOIz+yMxPaknyxaKwdGyR/iOcYs1PtGaGw4o:ZJwoQryTtMxPaksa91RKHbUS

    • Modifies WinLogon for persistence

    • NetWire RAT payload

    • Netwire

      Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    • Netwire family

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Modifies RDP port number used by Windows

    • Patched UPX-packed file

      Sample is packed with UPX but required header fields are zeroed out to prevent unpacking with the default UPX tool.

    • Sets service image path in registry

    • Stops running service(s)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Deletes itself

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Executes dropped EXE

    • Impair Defenses: Safe Mode Boot

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Hide Artifacts: Hidden Window

      Windows that would typically be displayed when an application carries out an operation can be hidden.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Boot or Logon Autostart Execution: Authentication Package

      Suspicious Windows Authentication Registry Modification.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v16

Tasks