File name:

SDA EMV Chip Writer By Paws.exe

Full analysis: https://app.any.run/tasks/9a697f63-2589-4be6-865a-4b46e7945c83
Verdict: Malicious activity
Threats:

Netwire is an advanced RAT — it is a malware that takes control of infected PCs and allows its operators to perform various actions. Unlike many RATs, this one can target every major operating system, including Windows, Linux, and MacOS.

Malware Trends Tracker     >>>
Analysis date: December 03, 2023, 20:22:50
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
netwire
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

30EE6AAF50E4B4369E0A1634AFBCD757

SHA1:

B2EE5B9C07098A1058AE9778AD59396B8B8C9878

SHA256:

7F4D0810B884D9647D5374550187A123F009CE8F6450D5DAB818A2384358FB06

SSDEEP:

98304:WZJ3Xi+LQegKdakQwSstgALbRhZZ1pkuIqf0pGbqLbhO2yU8zPdk4ujUwYChbnGF:fFoD7

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • SDA EMV Chip Writer By Paws.exe (PID: 1864)
      • Syssvctoolsx64bit.exe (PID: 2532)
      • Sdachipwriter.exe (PID: 2964)

    • NETWIRE has been detected (YARA)

      • crhomeAT64bit.exe (PID: 2336)

  • SUSPICIOUS

    • Application launched itself

      • SDA EMV Chip Writer By Paws.exe (PID: 2412)
      • crhomeAT64bit.exe (PID: 684)
      • Syssvctoolsx64bit.exe (PID: 1088)

    • Reads the Internet Settings

      • SDA EMV Chip Writer By Paws.exe (PID: 2412)
      • Sdachipwriter.exe (PID: 2964)

    • Starts itself from another location

      • Syssvctoolsx64bit.exe (PID: 2532)

    • The process creates files with name similar to system file names

      • Sdachipwriter.exe (PID: 2964)

    • Connects to unusual port

      • crhomeAT64bit.exe (PID: 2336)

  • INFO

    • Reads mouse settings

      • SDA EMV Chip Writer By Paws.exe (PID: 2412)
      • SDA EMV Chip Writer By Paws.exe (PID: 1864)
      • Syssvctoolsx64bit.exe (PID: 1088)
      • crhomeAT64bit.exe (PID: 684)

    • Checks supported languages

      • SDA EMV Chip Writer By Paws.exe (PID: 2412)
      • SDA EMV Chip Writer By Paws.exe (PID: 1864)
      • Syssvctoolsx64bit.exe (PID: 1088)
      • crhomeAT64bit.exe (PID: 684)
      • crhomeAT64bit.exe (PID: 2336)
      • Sdachipwriter.exe (PID: 2964)
      • Syssvctoolsx64bit.exe (PID: 2532)
      • GPShell.exe (PID: 3880)
      • GPShell.exe (PID: 3108)
      • GPShell.exe (PID: 3528)
      • GPShell.exe (PID: 3116)
      • GPShell.exe (PID: 3940)
      • GPShell.exe (PID: 2764)
      • GPShell.exe (PID: 3296)
      • GPShell.exe (PID: 3944)
      • GPShell.exe (PID: 2932)
      • GPShell.exe (PID: 3424)
      • GPShell.exe (PID: 3884)
      • GPShell.exe (PID: 3984)
      • GPShell.exe (PID: 944)
      • GPShell.exe (PID: 2892)
      • GPShell.exe (PID: 3732)
      • GPShell.exe (PID: 3236)
      • GPShell.exe (PID: 3512)
      • GPShell.exe (PID: 3644)

    • Reads the computer name

      • SDA EMV Chip Writer By Paws.exe (PID: 1864)
      • Sdachipwriter.exe (PID: 2964)
      • Syssvctoolsx64bit.exe (PID: 1088)
      • crhomeAT64bit.exe (PID: 684)
      • GPShell.exe (PID: 2764)
      • GPShell.exe (PID: 3880)
      • GPShell.exe (PID: 3108)
      • GPShell.exe (PID: 3528)
      • GPShell.exe (PID: 3296)
      • crhomeAT64bit.exe (PID: 2336)
      • GPShell.exe (PID: 3940)
      • GPShell.exe (PID: 3644)
      • GPShell.exe (PID: 2932)
      • GPShell.exe (PID: 3424)
      • GPShell.exe (PID: 944)
      • GPShell.exe (PID: 2892)
      • GPShell.exe (PID: 3116)
      • SDA EMV Chip Writer By Paws.exe (PID: 2412)

    • Creates files or folders in the user directory

      • SDA EMV Chip Writer By Paws.exe (PID: 1864)
      • Syssvctoolsx64bit.exe (PID: 2532)
      • crhomeAT64bit.exe (PID: 2336)

    • Create files in a temporary directory

      • SDA EMV Chip Writer By Paws.exe (PID: 1864)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

NetWire

(PID) Process(2336) crhomeAT64bit.exe
C2 (5)local.cable-modem.org:3361
teamviewer.ddns.net:3361
optic.cable-modem.org:3361
teamviewer.ddns.me:3361
logmein.loginto.me:3361
HostBTC2020
Credentials
Passwordanjing
Options
MutexNLBJEoGj
Install path%AppData%\instal\crhomeAT64bit.exe
Startup nametvnserver
ProxyDirect connection
ActiveXTrue
Copy executableTrue
Delete originalFalse
Lock executableFalse
Registry autorunTrue
Use a mutexTrue
Offline keyloggerTrue
Sleep10
Keylogger directoryC:\Users\admin\AppData\Roaming\0pera\metaolgs.dat\
Keys
RC461c55498a2d7953c0f398f1ad24013fd
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2011:12:23 11:59:31+01:00
ImageFileCharacteristics: No relocs, Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 10
CodeSize: 526336
InitializedDataSize: 100352
UninitializedDataSize: -
EntryPoint: 0x165c1
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 10.2.0.0
ProductVersionNumber: 10.2.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Unknown
FileSubtype: -
LanguageCode: English (British)
CharacterSet: Unicode
Comments: EMV chip writer by paws
CompanyName: EMV chip software
FileDescription: EMV chip writer by paws
FileVersion: 10.2.0.0
InternalName: EMVMX.exe
LegalCopyright: 2015-2020
OriginalFileName: EMVsoftware.exe
ProductName: EMVsoftware
ProductVersion: 10.2.0.0
AssemblyVersion: 10.2.0.0
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
82
Monitored processes
25
Malicious processes
7
Suspicious processes
0

Behavior graph

Click at the process to see the details
start sda emv chip writer by paws.exe no specs sda emv chip writer by paws.exe syssvctoolsx64bit.exe no specs sdachipwriter.exe no specs syssvctoolsx64bit.exe no specs crhomeat64bit.exe no specs #NETWIRE crhomeat64bit.exe gpshell.exe no specs gpshell.exe no specs gpshell.exe no specs gpshell.exe no specs gpshell.exe no specs gpshell.exe no specs gpshell.exe no specs gpshell.exe no specs gpshell.exe no specs gpshell.exe no specs gpshell.exe no specs gpshell.exe no specs gpshell.exe no specs gpshell.exe no specs gpshell.exe no specs gpshell.exe no specs gpshell.exe no specs gpshell.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
684"C:\Users\admin\AppData\Roaming\instal\crhomeAT64bit.exe"C:\Users\admin\AppData\Roaming\instal\crhomeAT64bit.exeSyssvctoolsx64bit.exe
User:
admin
Company:
Controller ACEI Inc.
Integrity Level:
HIGH
Description:
Controller ACEI: Host application
Exit code:
0
Version:
7.7.0.0
Modules
Images
c:\users\admin\appdata\roaming\instal\crhomeat64bit.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\version.dll
944"C:\Windowr\GPShell.exe" form.dllC:\Windowr\GPShell.exeSdachipwriter.exe
User:
admin
Integrity Level:
HIGH
Exit code:
1
Version:
1, 4, 4, 0
Modules
Images
c:\windowr\gpshell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windowr\globalplatform.dll
c:\windowr\zlib1.dll
c:\windowr\libeay32.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
1088C:\Users\admin\AppData\Roaming/Syssvctoolsx64bit.exeC:\Users\admin\AppData\Roaming\Syssvctoolsx64bit.exeSDA EMV Chip Writer By Paws.exe
User:
admin
Company:
Controller ACEI Inc.
Integrity Level:
HIGH
Description:
Controller ACEI: Host application
Exit code:
0
Version:
7.7.0.0
Modules
Images
c:\users\admin\appdata\roaming\syssvctoolsx64bit.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\version.dll
1864"C:\Users\admin\Desktop\SDA EMV Chip Writer By Paws.exe" C:\Users\admin\Desktop\SDA EMV Chip Writer By Paws.exe
SDA EMV Chip Writer By Paws.exe
User:
admin
Company:
EMV chip software
Integrity Level:
HIGH
Description:
EMV chip writer by paws
Exit code:
0
Version:
10.2.0.0
Modules
Images
c:\users\admin\desktop\sda emv chip writer by paws.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\version.dll
2336"C:\Users\admin\AppData\Roaming\instal\crhomeAT64bit.exe"C:\Users\admin\AppData\Roaming\instal\crhomeAT64bit.exe
crhomeAT64bit.exe
User:
admin
Company:
Controller ACEI Inc.
Integrity Level:
HIGH
Description:
Controller ACEI: Host application
Exit code:
0
Version:
7.7.0.0
Modules
Images
c:\users\admin\appdata\roaming\instal\crhomeat64bit.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
NetWire
(PID) Process(2336) crhomeAT64bit.exe
C2 (5)local.cable-modem.org:3361
teamviewer.ddns.net:3361
optic.cable-modem.org:3361
teamviewer.ddns.me:3361
logmein.loginto.me:3361
HostBTC2020
Credentials
Passwordanjing
Options
MutexNLBJEoGj
Install path%AppData%\instal\crhomeAT64bit.exe
Startup nametvnserver
ProxyDirect connection
ActiveXTrue
Copy executableTrue
Delete originalFalse
Lock executableFalse
Registry autorunTrue
Use a mutexTrue
Offline keyloggerTrue
Sleep10
Keylogger directoryC:\Users\admin\AppData\Roaming\0pera\metaolgs.dat\
Keys
RC461c55498a2d7953c0f398f1ad24013fd
2412"C:\Users\admin\Desktop\SDA EMV Chip Writer By Paws.exe" C:\Users\admin\Desktop\SDA EMV Chip Writer By Paws.exeexplorer.exe
User:
admin
Company:
EMV chip software
Integrity Level:
MEDIUM
Description:
EMV chip writer by paws
Exit code:
0
Version:
10.2.0.0
Modules
Images
c:\users\admin\desktop\sda emv chip writer by paws.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\version.dll
2532"C:\Users\admin\AppData\Roaming\Syssvctoolsx64bit.exe"C:\Users\admin\AppData\Roaming\Syssvctoolsx64bit.exeSyssvctoolsx64bit.exe
User:
admin
Company:
Controller ACEI Inc.
Integrity Level:
HIGH
Description:
Controller ACEI: Host application
Exit code:
0
Version:
7.7.0.0
Modules
Images
c:\users\admin\appdata\roaming\syssvctoolsx64bit.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
2764"C:\Windowr\GPShell.exe" del.dllC:\Windowr\GPShell.exeSdachipwriter.exe
User:
admin
Integrity Level:
HIGH
Exit code:
1
Version:
1, 4, 4, 0
Modules
Images
c:\windowr\gpshell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windowr\globalplatform.dll
c:\windowr\zlib1.dll
c:\windowr\libeay32.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
2892"C:\Windowr\GPShell.exe" form.dllC:\Windowr\GPShell.exeSdachipwriter.exe
User:
admin
Integrity Level:
HIGH
Exit code:
1
Version:
1, 4, 4, 0
Modules
Images
c:\windowr\gpshell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windowr\globalplatform.dll
c:\windowr\zlib1.dll
c:\windowr\libeay32.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
2932"C:\Windowr\GPShell.exe" form.dllC:\Windowr\GPShell.exeSdachipwriter.exe
User:
admin
Integrity Level:
HIGH
Exit code:
1
Version:
1, 4, 4, 0
Modules
Images
c:\windowr\gpshell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windowr\globalplatform.dll
c:\windowr\zlib1.dll
c:\windowr\libeay32.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
Total events
1 405
Read events
1 389
Write events
16
Delete events
0

Modification events

(PID) Process:(2412) SDA EMV Chip Writer By Paws.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(2412) SDA EMV Chip Writer By Paws.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(2412) SDA EMV Chip Writer By Paws.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(2412) SDA EMV Chip Writer By Paws.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(2964) Sdachipwriter.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(2964) Sdachipwriter.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(2964) Sdachipwriter.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(2964) Sdachipwriter.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
Executable files
9
Suspicious files
5
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
1864SDA EMV Chip Writer By Paws.exeC:\Users\admin\AppData\Local\Temp\Sdachipwriter.exeexecutable
MD5:0828480F98ADB533104D42AD42601F80
SHA256:1ECFD3755EBA578108363C0705C6EC205972080739ED0FBD17439F8139BA7E08
1864SDA EMV Chip Writer By Paws.exeC:\Users\admin\AppData\Local\Temp\aut698C.tmpbinary
MD5:13B3DE29B96725C248448DA736A2CEA7
SHA256:245ABA2A3FC4DD976B1A000F9DD3177F4D26AD146F5D01771B0B485727DA3674
1864SDA EMV Chip Writer By Paws.exeC:\Users\admin\AppData\Local\Temp\aut692E.tmpbinary
MD5:D6D055DC35731C86EA942B14DDFE09F5
SHA256:5230CD3764629D78C7CC4BB9FCBF97B95DD171AB38855C94A276211642426D16
1864SDA EMV Chip Writer By Paws.exeC:\Users\admin\AppData\Roaming\Syssvctoolsx64bit.exeexecutable
MD5:C57711ED5AC9003F30BE5D81C0B8DDC1
SHA256:EC94FFBDA11B4F750EA732A9986B6DD60D4C87978F810F27336ABF4EE178BC03
2336crhomeAT64bit.exeC:\Users\admin\AppData\Roaming\instal\.Identifierbinary
MD5:F07AF13FF3ACC739506F9A4881CE5A88
SHA256:5DE15C6627916120CB8CBA307184D9CB8FF8647EE59F7F0767847284A060A262
2964Sdachipwriter.exeC:\Windowr\Global.drvcompressed
MD5:418F4F42405CEC3252F0B952ED9A642C
SHA256:148B8755D228F174F4DBD0B8454E3825F34E6D6E055341D4C3981C2BB7664C07
2964Sdachipwriter.exeC:\Windowr\del.dlltext
MD5:39F489355AC6CCC48A810E2C867475FD
SHA256:71E16A8C9540CBEB6AFC80045A21F7C5954F9E54B5EC731C93AFCA6D67A61646
2964Sdachipwriter.exeC:\Windowr\GlobalPlatform.dllexecutable
MD5:C035B189CCC0FA06E549CCABF7DFBA48
SHA256:DAC5A4213654CAE1AA622877E7E156C0EFD77C0601440DF7CE9995E280DF8694
2964Sdachipwriter.exeC:\Windowr\GPPcScConnectionPlugin.dllexecutable
MD5:2F99E012379E8C950B0BDE761C5CCA0F
SHA256:5D84EC3F8DEE7438B0049D5DC201A68A99F3E471A4C9ACAC48DD7F67F89FD178
2964Sdachipwriter.exeC:\Windowr\zlib1.dllexecutable
MD5:C7D4D685A0AF2A09CBC21CB474358595
SHA256:E96B397B499D9EAA3F52EAF496CA8941E80C0AD1544879CCADF02BF2C6A1ECFC
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
11
DNS requests
11
Threats
10

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
2588
svchost.exe
239.255.255.250:1900
whitelisted
4
System
192.168.100.255:138
whitelisted
1080
svchost.exe
224.0.0.252:5355
unknown
2336
crhomeAT64bit.exe
180.241.167.149:3361
local.cable-modem.org
PT Telekomunikasi Indonesia
ID
unknown

DNS requests

Domain
IP
Reputation
local.cable-modem.org
  • 180.241.167.149
malicious
dns.msftncsi.com
  • 131.107.255.255
shared
teamviewer.ddns.net
  • 180.241.167.149
malicious
optic.cable-modem.org
unknown
teamviewer.ddns.me
unknown
logmein.loginto.me
unknown

Threats

PID
Process
Class
Message
1080
svchost.exe
Potentially Bad Traffic
ET POLICY DNS Query to DynDNS Domain *.cable-modem .org
1080
svchost.exe
Potentially Bad Traffic
ET POLICY DNS Query to DynDNS Domain *.ddns .net
1080
svchost.exe
Potentially Bad Traffic
ET POLICY DNS Query to DynDNS Domain *.cable-modem .org
1080
svchost.exe
Potentially Bad Traffic
ET POLICY DNS Query to DynDNS Domain *.ddns .me
1080
svchost.exe
Potentially Bad Traffic
ET POLICY DNS Query to DynDNS Domain *.loginto .me
1080
svchost.exe
Potentially Bad Traffic
ET POLICY DNS Query to DynDNS Domain *.cable-modem .org
1080
svchost.exe
Potentially Bad Traffic
ET POLICY DNS Query to DynDNS Domain *.ddns .net
1080
svchost.exe
Potentially Bad Traffic
ET POLICY DNS Query to DynDNS Domain *.cable-modem .org
1080
svchost.exe
Potentially Bad Traffic
ET POLICY DNS Query to DynDNS Domain *.ddns .net
1080
svchost.exe
Potentially Bad Traffic
ET POLICY DNS Query to DynDNS Domain *.cable-modem .org
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
SDA EMV Chip Writer By Paws.exe