General
Target: EMV Writer Reader Software v8.exe
Size: 1.3MB
Sample: 250425-a1yessxtes
MD5: f368225b07c15a58fc20c022b5d67ac7
SHA1: 0b91bffa3098fc586516a08c10a641c0f01a4337
SHA256: e146c7e9223d84f76c59a0979facb49a347bb1b1427df98334a22b348bb624cd
SHA512: 678de6e96ba0caf0daf6e00c7da37018cbcb3cf0bd7384e7a1a21e0d23e4a0bda3b42adaae38e037e61c0e53d40db53273b98da305a9149fe69111dea0199fb6
SSDEEP: 24576:gRmJk9oQrilOIz+yMxPaknyxaKwdGyR/iOcYs1PtGaGw4o:ZJwoQryTtMxPaksa91RKHbUS
Static task: static1
Behavioral task: behavioral1
Sample: EMV Writer Reader Software v8.exe
Resource: win10v2004-20250410-en
Malware Config
Extracted: netwire
teamviewer.ddns.net:3360
local.cable-modem.org:3360
local-cable.duckdns.org:3360
activex_autorun: true
activex_key: {I428F72B-17T1-3YB6-KVXD-ED316JPXN378}
copy_executable: true
delete_original: false
host_id: mypesse
install_path: %AppData%\Onedrivel\Prevhostwin10.exe
keylogger_dir: %AppData%\systemprev\
lock_executable: false
mutex: nSOFwQuC
offline_keylogger: true
password: memek
registry_autorun: true
startup_name: Microsft@operati
use_mutex: true
Targets
Target: EMV Writer Reader Software v8.exe
- Modifies WinLogon for persistence
- NetWire RAT payload
- Netwire family
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
- Downloads MZ/PE file
- Drops file in Drivers directory
- Modifies RDP port number used by Windows
- Patched UPX-packed file
  Sample is packed with UPX, but required header fields are zeroed out to prevent unpacking with the default UPX tool.
- Sets service image path in registry
- Stops running service(s)
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up the country code configured in the registry, likely for geofencing.
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
- Deletes itself
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Loads dropped DLL
- Adds Run key to start application
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Checks whether UAC is enabled
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Hide Artifacts: Hidden Window
  Windows that would typically be displayed when an application carries out an operation can be hidden.
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Boot or Logon Autostart Execution: Authentication Package
  Suspicious Windows Authentication Registry Modification.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v16
Execution
- Command and Scripting Interpreter (2)
  - PowerShell (1)
- System Services (1)
  - Service Execution (1)
Persistence
- Boot or Logon Autostart Execution (5)
  - Active Setup (1)
  - Authentication Package (1)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Component Object Model Hijacking (1)
Privilege Escalation
- Boot or Logon Autostart Execution (5)
  - Active Setup (1)
  - Authentication Package (1)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Component Object Model Hijacking (1)
Defense Evasion
- Hide Artifacts (1)
  - Hidden Window (1)
- Impair Defenses (2)
  - Safe Mode Boot (1)
- Modify Registry (6)
- Subvert Trust Controls (1)
  - Install Root Certificate (1)
Credential Access
- Credentials from Password Stores (2)
  - Credentials from Web Browsers (1)
  - Windows Credential Manager (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)