Analysis

max time kernel: 140s
max time network: 159s
platform: windows10-2004_x64
resource: win10v2004-20220721-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-07-2022 17:40

Static task: static1
Behavioral task: behavioral1
Sample: Purchase Order.js
Resource: win7-20220715-en
General

Target: Purchase Order.js
Size: 416KB
MD5: c1e4692ddf7c0d185bd22009e16ecc23
SHA1: 2ded130da9911cb4de8c0509274e0f3334e3a452
SHA256: e036752f36ea0c6f711330469d78e04cbf944466dcacc3e2b27544716c34e0a3
SHA512: 21536109ada4b5a5481ec84a4cb0984932ec057866637655b9312199ab20d6260b2be06a961a9de672b9511f1fbb4225fec6ea1208534573cda0463b87751862
Malware Config
Signatures
NetWire RAT payload (4 IoCs)
Processes (resource, yara_rule):
- C:\Users\Admin\AppData\Roaming\Host Ip Regular Startup.exe: netwire
- C:\Users\Admin\AppData\Roaming\Host Ip Regular Startup.exe: netwire
- C:\Users\Admin\AppData\Roaming\Install\Host.exe: netwire
- C:\Users\Admin\AppData\Roaming\Install\Host.exe: netwire
Blocklisted process makes network request (7 IoCs)
Processes (flow, pid, process):
- flow 13, pid 2348, wscript.exe
- flow 18, pid 2348, wscript.exe
- flow 23, pid 2348, wscript.exe
- flow 27, pid 2348, wscript.exe
- flow 29, pid 2348, wscript.exe
- flow 32, pid 2348, wscript.exe
- flow 34, pid 2348, wscript.exe
Executes dropped EXE (2 IoCs)
Processes (pid, process):
- 2084 Host Ip Regular Startup.exe
- 1492 Host.exe
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence check.
Processes (description, ioc, process):
- Key value queried: \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation (Host Ip Regular Startup.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation (wscript.exe)
Drops startup file (3 IoCs)
Processes (description, ioc, process):
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KTXYmVxtXS.js (wscript.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KTXYmVxtXS.js (wscript.exe)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Notepad.lnk (Host.exe)
Adds Run key to start application (2 TTPs, 4 IoCs)
Processes (description, ioc, process):
- Set value (str): \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3LFOG3Z3XA = "\"C:\\Users\\Admin\\AppData\\Roaming\\KTXYmVxtXS.js\"" (wscript.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ (Host.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\A»\¸©8/_m!´@þhÞ = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe" (Host.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Software\Microsoft\Windows\CurrentVersion\Run (wscript.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature reads "likely ransomware behaviour"; nothing else in this report shows file encryption, and the payload identified is NetWire.
Suspicious use of WriteProcessMemory (8 IoCs)
Processes (description, pid, process, target process):
- PID 4912 wrote to memory of 2348: wscript.exe -> wscript.exe
- PID 4912 wrote to memory of 2348: wscript.exe -> wscript.exe
- PID 4912 wrote to memory of 2084: wscript.exe -> Host Ip Regular Startup.exe
- PID 4912 wrote to memory of 2084: wscript.exe -> Host Ip Regular Startup.exe
- PID 4912 wrote to memory of 2084: wscript.exe -> Host Ip Regular Startup.exe
- PID 2084 wrote to memory of 1492: Host Ip Regular Startup.exe -> Host.exe
- PID 2084 wrote to memory of 1492: Host Ip Regular Startup.exe -> Host.exe
- PID 2084 wrote to memory of 1492: Host Ip Regular Startup.exe -> Host.exe
Processes

- C:\Windows\system32\wscript.exe
  wscript.exe "C:\Users\Admin\AppData\Local\Temp\Purchase Order.js"
  PID: 4912
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\KTXYmVxtXS.js"
    PID: 2348
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
  - C:\Users\Admin\AppData\Roaming\Host Ip Regular Startup.exe
    "C:\Users\Admin\AppData\Roaming\Host Ip Regular Startup.exe"
    PID: 2084
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Install\Host.exe
      "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
      PID: 1492
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
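The signatures and process tree above describe one behaviour chain: wscript.exe runs the JS dropper, re-launches itself in batch mode (//B) on a copy written to %APPDATA%, persists that copy via a Run key and the Startup folder, then spawns the NetWire executable out of %APPDATA%, which in turn adds its own Run key and Startup .lnk. The following is an added example, not part of the sandbox report and not code from the sample: detection rules for that chain, run over constructed events modelled on the report. The event schema (process_create, file_create, registry_set, registry_query) is a simplified Sysmon-like layout assumed for the example; the geo-nation registry read is included because the sandbox's API trace shows it, but note that Sysmon itself does not log registry reads, so that rule only applies to telemetry that does.

```python
"""Detection logic for the dropper -> NetWire chain in this report.

Events and schema are constructed for this example (Sysmon-like, simplified);
rules are derived from the report's signatures.
"""
import re
from collections import Counter

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta")

# Locations the report's signatures key on (case-insensitive, native registry paths).
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)
STARTUP_DIR_RE = re.compile(r"\\start menu\\programs\\startup\\", re.I)
APPDATA_RE = re.compile(r"\\appdata\\", re.I)
GEO_NATION_RE = re.compile(r"\\control panel\\international\\geo\\nation$", re.I)

SID = "S-1-5-21-2372564722-193526734-2636556182-1000"  # user SID from the report

# Constructed events mirroring the process tree and signatures in the report,
# plus one benign Run-key write (constructed) to show the rules ignore it.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 4912, "image": r"C:\Windows\system32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\Admin\AppData\Local\Temp\Purchase Order.js"'},
    {"type": "registry_query", "pid": 4912, "image": r"C:\Windows\system32\wscript.exe",
     "key": rf"\REGISTRY\USER\{SID}\Control Panel\International\Geo\Nation"},
    {"type": "process_create", "pid": 2348, "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\system32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\KTXYmVxtXS.js"'},
    {"type": "file_create", "pid": 2348, "image": r"C:\Windows\System32\wscript.exe",
     "target": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KTXYmVxtXS.js"},
    {"type": "registry_set", "pid": 2348, "image": r"C:\Windows\System32\wscript.exe",
     "key": rf"\REGISTRY\USER\{SID}\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3LFOG3Z3XA",
     "data": r'"C:\Users\Admin\AppData\Roaming\KTXYmVxtXS.js"'},
    {"type": "process_create", "pid": 2084, "image": r"C:\Users\Admin\AppData\Roaming\Host Ip Regular Startup.exe",
     "parent_image": r"C:\Windows\system32\wscript.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Roaming\Host Ip Regular Startup.exe"'},
    {"type": "registry_query", "pid": 2084, "image": r"C:\Users\Admin\AppData\Roaming\Host Ip Regular Startup.exe",
     "key": rf"\REGISTRY\USER\{SID}\Control Panel\International\Geo\Nation"},
    {"type": "process_create", "pid": 1492, "image": r"C:\Users\Admin\AppData\Roaming\Install\Host.exe",
     "parent_image": r"C:\Users\Admin\AppData\Roaming\Host Ip Regular Startup.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Roaming\Install\Host.exe"'},
    {"type": "file_create", "pid": 1492, "image": r"C:\Users\Admin\AppData\Roaming\Install\Host.exe",
     "target": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Notepad.lnk"},
    {"type": "registry_set", "pid": 1492, "image": r"C:\Users\Admin\AppData\Roaming\Install\Host.exe",
     # value name as rendered in the report (non-printable bytes)
     "key": rf"\REGISTRY\USER\{SID}\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\A»\¸©8/_m!´@þhÞ",
     "data": r"C:\Users\Admin\AppData\Roaming\Install\Host.exe"},
    {"type": "registry_set", "pid": 777, "image": r"C:\Windows\explorer.exe",  # benign, constructed
     "key": rf"\REGISTRY\USER\{SID}\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "data": r'"C:\Program Files\Vendor\updater.exe" /background'},
]


def _base(path):
    """Lower-cased file name of a Windows path ('' for an absent field)."""
    return path.rsplit("\\", 1)[-1].lower()


def _ends_with(path, exts):
    """Extension test that tolerates the quotes registry data often carries."""
    return path.strip('"').lower().endswith(exts)


def detect(events):
    """Return (rule, pid, detail) for every event that matches a rule."""
    hits = []
    for ev in events:
        kind, pid = ev["type"], ev["pid"]
        image, parent = _base(ev.get("image", "")), _base(ev.get("parent_image", ""))
        if kind == "process_create":
            target, cmd = ev["image"], ev.get("cmdline", "").lower()
            # wscript re-launching wscript with //B (batch mode: no prompts or error dialogs)
            if parent in SCRIPT_HOSTS and image in SCRIPT_HOSTS and "//b" in cmd:
                hits.append(("script_host_relaunch_batch_mode", pid, ev["cmdline"]))
            # a script host starting an executable that lives under AppData
            if parent in SCRIPT_HOSTS and APPDATA_RE.search(target) and target.lower().endswith(".exe"):
                hits.append(("script_host_spawns_appdata_exe", pid, target))
        elif kind == "registry_set" and RUN_KEY_RE.search(ev["key"]):
            data = ev.get("data", "")
            if _ends_with(data, SCRIPT_EXTS) or any(h in data.lower() for h in SCRIPT_HOSTS):
                hits.append(("run_key_script_persistence", pid, ev["key"]))
            elif APPDATA_RE.search(data) and _ends_with(data, (".exe",)):
                hits.append(("run_key_appdata_exe", pid, ev["key"]))
        elif kind == "file_create" and STARTUP_DIR_RE.search(ev["target"]):
            if _ends_with(ev["target"], SCRIPT_EXTS + (".lnk", ".exe")):
                hits.append(("startup_folder_drop", pid, ev["target"]))
        elif kind == "registry_query" and GEO_NATION_RE.search(ev["key"]):
            # geofence lookup by a script host or by anything running out of AppData
            if image in SCRIPT_HOSTS or APPDATA_RE.search(ev.get("image", "")):
                hits.append(("geo_nation_lookup", pid, ev["key"]))
    return hits


def summarize(hits):
    """Rule name -> number of matching events."""
    return dict(Counter(rule for rule, _, _ in hits))


def suspicious_pids(hits):
    """Sorted list of PIDs that triggered at least one rule."""
    return sorted({pid for _, pid, _ in hits})


if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:32} pid={pid:<5} {detail}")
    print(summarize(detect(SAMPLE_EVENTS)))
```

Run on the constructed events, every PID in the report's tree (4912, 2348, 2084, 1492) triggers at least one rule and the benign Program Files Run entry triggers none. The high-fidelity rules here are run_key_script_persistence, startup_folder_drop with a script extension, and script_host_spawns_appdata_exe; run_key_appdata_exe on its own needs an allow-list, because legitimate per-user installers (OneDrive, for one) also register Run entries pointing under AppData.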
Network
MITRE ATT&CK Enterprise v6
Downloads

- Filesize: 227KB
  MD5: 388df235546f6b0bd2afac08cefad1f9
  SHA1: cef9a225d50cf1b062e2040239622661c2cf255e
  SHA256: 1934228fe5236936942f5037c26f6d42e322caa60b6b42d1a30fa346433bc5d3
  SHA512: 771db8884c5b32c3aea6a29d5fa17fb6604a50930d3f0362d7eb0e37f62f60c730f0fd69cbb52e3d4b0a7d8a926e7808d8a7ea1bf85cb11b7764d6125faa06c8

- Filesize: 5KB
  MD5: a05f4f18409818213ad40f7cedc8c3c5
  SHA1: d0b8650fe5c718adc0e7ce700bc9527b4be94411
  SHA256: 445c8795746ab9696f84cfdfad898c61efb8ea67f2e76084d549310ee1ce25d6
  SHA512: 1bb878170c8a9894aab223f180d52ec77a41088ca8e00955e18ce2e50a72e494600f2b8c242baa48b82987e13a6407900e4efa625777aeaceadffdd5047f1592