Analysis

  • max time kernel
    87s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220722-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220722-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29-07-2022 14:33

General

  • Target

    Quote.js

  • Size

    416KB

  • MD5

    aa291aa599ebf686ae5d49907c307ca2

  • SHA1

    04a6c1ef1b848c8443ea1a83ced4b606382eeccd

  • SHA256

    ead670293a8d8d85c76363403b8827e570d68204f2e88b855eab5cd312ab9c3a

  • SHA512

    e0ba4593ab9a61f68d2759738b31aae92e8ed0d5a7f242d9ac9bb584e55a262cb2657542f85b4544d291954ba4d4d1d4b0fb9b9d6a3a23e9786e1bd4707c4936

Malware Config

Signatures

  • NetWire RAT payload 4 IoCs
  • Netwire

    Netwire is a RAT whose main functionality is focused on password stealing and keylogging, but it also includes remote control capabilities.

  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\Quote.js
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1400
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\fdRxFYzixC.js"
      2⤵
        PID:1796
      • C:\Users\Admin\AppData\Roaming\Host Ip Js StartUp.exe
        "C:\Users\Admin\AppData\Roaming\Host Ip Js StartUp.exe"
        2⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:4328
        • C:\Users\Admin\AppData\Roaming\Googlee\Notepad.exe
          "C:\Users\Admin\AppData\Roaming\Googlee\Notepad.exe"
          3⤵
          • Executes dropped EXE
          • Drops startup file
          • Adds Run key to start application
          PID:2392

    Network

    MITRE ATT&CK Enterprise v6

    Downloads

    • C:\Users\Admin\AppData\Roaming\Googlee\Notepad.exe

      Filesize

      227KB

      MD5

      fc6330d62ae89347dddf9e98d6dc2533

      SHA1

      b2a3104e8178e25b6b40cf8b19d60c1a4e03e969

      SHA256

      72c15ab989fb449e62d6a560bdad1c9c39d61c21345322b8c1331235adf484a7

      SHA512

      1cf0e356a72a525b585533adab9c2abe1cfef9127ef96fedefe840bf33248bb85752fd92ca447cc6ac2b0654b497c07e3e3d0f0e064958f0f17b3e79424d6a4c

    • C:\Users\Admin\AppData\Roaming\Host Ip Js StartUp.exe

      Filesize

      227KB

      MD5

      fc6330d62ae89347dddf9e98d6dc2533

      SHA1

      b2a3104e8178e25b6b40cf8b19d60c1a4e03e969

      SHA256

      72c15ab989fb449e62d6a560bdad1c9c39d61c21345322b8c1331235adf484a7

      SHA512

      1cf0e356a72a525b585533adab9c2abe1cfef9127ef96fedefe840bf33248bb85752fd92ca447cc6ac2b0654b497c07e3e3d0f0e064958f0f17b3e79424d6a4c

    • C:\Users\Admin\AppData\Roaming\fdRxFYzixC.js

      Filesize

      3KB

      MD5

      6aaf45ae510e30a5ef4e59a19390c5ab

      SHA1

      4026a32a006fe97bd06c30e1a12f81e3a449ba69

      SHA256

      fe1ba4aa82c4e2fd81a2ec651a984aaf785183201fb6d35ec7ba460850333dca

      SHA512

      55f6b06674452112f59edf8eb28dc363ee26fb1fe7e28921892d989daa993a6f1eca19ecd581b704189b903c2efc6cfa104a5dd96f9da18fc7875cc82e27f514

    • memory/1796-132-0x0000000000000000-mapping.dmp

    • memory/2392-137-0x0000000000000000-mapping.dmp

    • memory/4328-134-0x0000000000000000-mapping.dmp