Overview

overview

10

Static

static

Quote.js

windows7-x64

10

Quote.js

windows10-2004-x64

10

Analysis

  • max time kernel
    41s
  • max time network
    47s
  • platform
    windows7_x64
  • resource
    win7-20220718-en
  • resource tags

    arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system
  • submitted
    01-08-2022 07:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Quote.js

  • Size

    412KB

  • MD5

    36fd158eb019ac0d3b29754770aae398

  • SHA1

    b3421f16e3f6a7defed1cfd4c7e7ad0b71d00d81

  • SHA256

    31c05b8aacf0b417ecf6b3f3ddc88f18505a790e0a9a13186982789abf25875c

  • SHA512

    299a312eb5e572485e071374e3912acd2dc3be41e1b8b481b424c94c05f478570a293579814a3b9f3e767eec0d1eb9c3a662d5c927f673c96cd13a8c0aa75f0f

Score
10/10
netwirebotnetpersistenceratstealer

Malware Config

Signatures

  • NetWire RAT payload 7 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Executes dropped EXE 2 IoCs
  • Drops startup file 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\Quote.js
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:996
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\pwhQXOgJoL.js"
      2⤵
        PID:1180
      • C:\Users\Admin\AppData\Roaming\Host Ip Js StartUp.exe
        "C:\Users\Admin\AppData\Roaming\Host Ip Js StartUp.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1588
        • C:\Users\Admin\AppData\Roaming\Googlee\Notepad.exe
          "C:\Users\Admin\AppData\Roaming\Googlee\Notepad.exe"
          3⤵
          • Executes dropped EXE
          • Drops startup file
          • Loads dropped DLL
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:1976
          • C:\Windows\SysWOW64\cmd.exe
            cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Roaming\Googlee\Notepad.exe"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:612
            • C:\Windows\SysWOW64\PING.EXE
              ping 1.1.1.1 -n 1 -w 3000
              5⤵
              • Runs ping.exe
              PID:1676

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Googlee\Notepad.exe
      Filesize

      227KB

      MD5

      fc6330d62ae89347dddf9e98d6dc2533

      SHA1

      b2a3104e8178e25b6b40cf8b19d60c1a4e03e969

      SHA256

      72c15ab989fb449e62d6a560bdad1c9c39d61c21345322b8c1331235adf484a7

      SHA512

      1cf0e356a72a525b585533adab9c2abe1cfef9127ef96fedefe840bf33248bb85752fd92ca447cc6ac2b0654b497c07e3e3d0f0e064958f0f17b3e79424d6a4c

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Googlee\Notepad.exe
      Filesize

      227KB

      MD5

      fc6330d62ae89347dddf9e98d6dc2533

      SHA1

      b2a3104e8178e25b6b40cf8b19d60c1a4e03e969

      SHA256

      72c15ab989fb449e62d6a560bdad1c9c39d61c21345322b8c1331235adf484a7

      SHA512

      1cf0e356a72a525b585533adab9c2abe1cfef9127ef96fedefe840bf33248bb85752fd92ca447cc6ac2b0654b497c07e3e3d0f0e064958f0f17b3e79424d6a4c

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Host Ip Js StartUp.exe
      Filesize

      227KB

      MD5

      fc6330d62ae89347dddf9e98d6dc2533

      SHA1

      b2a3104e8178e25b6b40cf8b19d60c1a4e03e969

      SHA256

      72c15ab989fb449e62d6a560bdad1c9c39d61c21345322b8c1331235adf484a7

      SHA512

      1cf0e356a72a525b585533adab9c2abe1cfef9127ef96fedefe840bf33248bb85752fd92ca447cc6ac2b0654b497c07e3e3d0f0e064958f0f17b3e79424d6a4c

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Host Ip Js StartUp.exe
      Filesize

      227KB

      MD5

      fc6330d62ae89347dddf9e98d6dc2533

      SHA1

      b2a3104e8178e25b6b40cf8b19d60c1a4e03e969

      SHA256

      72c15ab989fb449e62d6a560bdad1c9c39d61c21345322b8c1331235adf484a7

      SHA512

      1cf0e356a72a525b585533adab9c2abe1cfef9127ef96fedefe840bf33248bb85752fd92ca447cc6ac2b0654b497c07e3e3d0f0e064958f0f17b3e79424d6a4c

      Download Submit

    • C:\Users\Admin\AppData\Roaming\pwhQXOgJoL.js
      Filesize

      2KB

      MD5

      0069b15d5047fb7bb498de58bfa8ec88

      SHA1

      d834c8ea6bc8335804928593794bbace9a49f30f

      SHA256

      c4f0895a1ed38abdb19e2f9d957064b8821ef52f80147e47a801fc57ee5f3e0b

      SHA512

      c8d5b4f056812b4b1efaf7716cb320bdfa705271e1cd6a12474ae091ba5685214dd3ae78edd5d70e1295d8f449afec58c0ff3f1dc35aec3ed0b5184314bfec9e

      Download Submit

    • \Users\Admin\AppData\Roaming\Googlee\Notepad.exe
      Filesize

      227KB

      MD5

      fc6330d62ae89347dddf9e98d6dc2533

      SHA1

      b2a3104e8178e25b6b40cf8b19d60c1a4e03e969

      SHA256

      72c15ab989fb449e62d6a560bdad1c9c39d61c21345322b8c1331235adf484a7

      SHA512

      1cf0e356a72a525b585533adab9c2abe1cfef9127ef96fedefe840bf33248bb85752fd92ca447cc6ac2b0654b497c07e3e3d0f0e064958f0f17b3e79424d6a4c

      Download Submit

    • \Users\Admin\AppData\Roaming\Googlee\Notepad.exe
      Filesize

      227KB

      MD5

      fc6330d62ae89347dddf9e98d6dc2533

      SHA1

      b2a3104e8178e25b6b40cf8b19d60c1a4e03e969

      SHA256

      72c15ab989fb449e62d6a560bdad1c9c39d61c21345322b8c1331235adf484a7

      SHA512

      1cf0e356a72a525b585533adab9c2abe1cfef9127ef96fedefe840bf33248bb85752fd92ca447cc6ac2b0654b497c07e3e3d0f0e064958f0f17b3e79424d6a4c

      Download Submit

    • \Users\Admin\AppData\Roaming\Googlee\Notepad.exe
      Filesize

      227KB

      MD5

      fc6330d62ae89347dddf9e98d6dc2533

      SHA1

      b2a3104e8178e25b6b40cf8b19d60c1a4e03e969

      SHA256

      72c15ab989fb449e62d6a560bdad1c9c39d61c21345322b8c1331235adf484a7

      SHA512

      1cf0e356a72a525b585533adab9c2abe1cfef9127ef96fedefe840bf33248bb85752fd92ca447cc6ac2b0654b497c07e3e3d0f0e064958f0f17b3e79424d6a4c

      Download Submit

    • memory/612-68-0x0000000000000000-mapping.dmp

      Download

    • memory/996-54-0x000007FEFB671000-0x000007FEFB673000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1180-55-0x0000000000000000-mapping.dmp

      Download

    • memory/1588-57-0x0000000000000000-mapping.dmp

      Download

    • memory/1588-59-0x0000000074F01000-0x0000000074F03000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1676-69-0x0000000000000000-mapping.dmp

      Download

    • memory/1976-63-0x0000000000000000-mapping.dmp

      Download