Analysis
- max time kernel: 142s
- max time network: 145s
- platform: windows10-2004_x64
- resource: win10v2004-20220722-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220722-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02-08-2022 08:54
Static task: static1
Behavioral task: behavioral1 (Sample: Quote.js; Resource: win7-20220718-en)
Behavioral task: behavioral2 (Sample: Quote.js; Resource: win10v2004-20220722-en)
General
- Target: Quote.js
- Size: 412KB
- MD5: f0c19d650dc3c368fa1b46db59b79cbd
- SHA1: fe1d42454982242083b3a75f57750c98b205ba90
- SHA256: 31ee94b841d7e61fa108df0d53fe7e98d08973e3d0e595b735a39c8d10c80a6c
- SHA512: def29f947dc249f021ffaa9917c652e3b0bae106382b59051641cc0e9a424f1d488ae282cbe50abb8d7cc30b0baeceac5d7ecff840829cf447b5488bbbc24631
Malware Config
Signatures
- NetWire RAT payload 4 IoCs
  Processes: Host Ip Js StartUp.exe, Notepad.exe
  resource | yara_rule
  C:\Users\Admin\AppData\Roaming\Host Ip Js StartUp.exe | netwire
  C:\Users\Admin\AppData\Roaming\Host Ip Js StartUp.exe | netwire
  C:\Users\Admin\AppData\Roaming\Googlee\Notepad.exe | netwire
  C:\Users\Admin\AppData\Roaming\Googlee\Notepad.exe | netwire
- Executes dropped EXE 2 IoCs
  Processes: Host Ip Js StartUp.exe, Notepad.exe
  pid | process
  4228 | Host Ip Js StartUp.exe
  2572 | Notepad.exe
- Checks computer location settings 2 TTPs 2 IoCs
  Looks up the country code configured in the registry, likely a geofence.
  Processes: wscript.exe, Host Ip Js StartUp.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Control Panel\International\Geo\Nation | wscript.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Control Panel\International\Geo\Nation | Host Ip Js StartUp.exe
- Drops startup file 1 IoCs
  Processes: Notepad.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Note.lnk | Notepad.exe
- Adds Run key to start application 2 TTPs 2 IoCs
  Processes: Notepad.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ | Notepad.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\£2ëUíaÊ—KåL¦K®¨æ = "C:\\Users\\Admin\\AppData\\Roaming\\Googlee\\Notepad.exe" | Notepad.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature is "likely ransomware behaviour", but the payload in this report is classified as NetWire RAT, so treat the drive enumeration as a generic indicator rather than as evidence of ransomware.
- Runs ping.exe 1 TTPs 1 IoCs
- Suspicious use of WriteProcessMemory 14 IoCs
  Processes: wscript.exe, Host Ip Js StartUp.exe, Notepad.exe, cmd.exe
  description | pid | process | target pid | target process | events
  wrote to memory of | 1336 | wscript.exe | 5020 | wscript.exe | 2
  wrote to memory of | 1336 | wscript.exe | 4228 | Host Ip Js StartUp.exe | 3
  wrote to memory of | 4228 | Host Ip Js StartUp.exe | 2572 | Notepad.exe | 3
  wrote to memory of | 2572 | Notepad.exe | 4612 | cmd.exe | 3
  wrote to memory of | 4612 | cmd.exe | 2256 | PING.EXE | 3
Processes (nesting shows parent/child depth; PIDs are taken from the WriteProcessMemory events above)
[1] C:\Windows\system32\wscript.exe (PID 1336)
    Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\Quote.js
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\System32\wscript.exe (PID 5020)
        Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\UPEiitTYkQ.js"
        (//B runs the second-stage script in batch mode, suppressing script error dialogs and prompts)
    [2] C:\Users\Admin\AppData\Roaming\Host Ip Js StartUp.exe (PID 4228)
        Command line: "C:\Users\Admin\AppData\Roaming\Host Ip Js StartUp.exe"
        - Executes dropped EXE
        - Checks computer location settings
        - Suspicious use of WriteProcessMemory
        [3] C:\Users\Admin\AppData\Roaming\Googlee\Notepad.exe (PID 2572)
            Command line: "C:\Users\Admin\AppData\Roaming\Googlee\Notepad.exe"
            - Executes dropped EXE
            - Drops startup file
            - Adds Run key to start application
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\cmd.exe (PID 4612)
                Command line: cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Roaming\Googlee\Notepad.exe"
                (a single ping with a 3 s timeout used as a delay, followed by deletion of the parent's own image)
                - Suspicious use of WriteProcessMemory
                [5] C:\Windows\SysWOW64\PING.EXE (PID 2256)
                    Command line: ping 1.1.1.1 -n 1 -w 3000
                    - Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Googlee\Notepad.exe
  Filesize: 227KB
  MD5: fc6330d62ae89347dddf9e98d6dc2533
  SHA1: b2a3104e8178e25b6b40cf8b19d60c1a4e03e969
  SHA256: 72c15ab989fb449e62d6a560bdad1c9c39d61c21345322b8c1331235adf484a7
  SHA512: 1cf0e356a72a525b585533adab9c2abe1cfef9127ef96fedefe840bf33248bb85752fd92ca447cc6ac2b0654b497c07e3e3d0f0e064958f0f17b3e79424d6a4c
- C:\Users\Admin\AppData\Roaming\Host Ip Js StartUp.exe
  Filesize: 227KB
  MD5: fc6330d62ae89347dddf9e98d6dc2533
  SHA1: b2a3104e8178e25b6b40cf8b19d60c1a4e03e969
  SHA256: 72c15ab989fb449e62d6a560bdad1c9c39d61c21345322b8c1331235adf484a7
  SHA512: 1cf0e356a72a525b585533adab9c2abe1cfef9127ef96fedefe840bf33248bb85752fd92ca447cc6ac2b0654b497c07e3e3d0f0e064958f0f17b3e79424d6a4c
  (byte-identical to Googlee\Notepad.exe: same size and hashes, so one set of hashes covers both dropped executables)
- C:\Users\Admin\AppData\Roaming\UPEiitTYkQ.js
  Filesize: 2KB
  MD5: acf56e205be215e545afcc3b2a0fc005
  SHA1: 4f65a85e15e462cb780179b7fcfabbf51a4351bd
  SHA256: 47170b499df87f9a981a07762a8135ea0dfcf5bd4bd0caf49611ab85346df29c
  SHA512: 3ac09b83e64cd4522ca8c4d704691ebfabb088d67374a10a0cd7ec7b460f22f2b7e377cdca7edf142b02362e80d0055d61ed14d0e25d997c7bb996d8c37e53a4
- memory/2256-141-0x0000000000000000-mapping.dmp
- memory/2572-137-0x0000000000000000-mapping.dmp
- memory/4228-134-0x0000000000000000-mapping.dmp
- memory/4612-140-0x0000000000000000-mapping.dmp
- memory/5020-132-0x0000000000000000-mapping.dmp