Analysis
max time kernel: 149s
max time network: 152s
platform: windows7_x64
resource: win7-20220715-en
resource tags: arch:x64, arch:x86, image:win7-20220715-en, locale:en-us, os:windows7-x64, system
submitted: 03-08-2022 15:13
Static task: static1
Behavioral task: behavioral1 (Sample: Quote.js, Resource: win7-20220715-en)
Behavioral task: behavioral2 (Sample: Quote.js, Resource: win10v2004-20220721-en)
General
Target: Quote.js
Size: 411KB
MD5: 8d716616f6251eb501301a7ae6adb281
SHA1: f77a1b8fee85dc4a268ac4ec84a72d7992849266
SHA256: bbfbad35286bd453c139ad4e1a6361072509fd878c9583f2b4767cb2bbb9fd54
SHA512: 9f58ae42bb1aa34a54e805c1e69a74068d9a3836268b6c5d483fde555409331367767a9b297b45911373bb54b31d61ebdfb09529807e71cdc92624b7df37425d
Malware Config
Signatures

NetWire RAT payload (7 IoCs)
resource | yara_rule
C:\Users\Admin\AppData\Roaming\Host Ip Js StartUp.exe | netwire
C:\Users\Admin\AppData\Roaming\Host Ip Js StartUp.exe | netwire
\Users\Admin\AppData\Roaming\Googlee\Notepad.exe | netwire
\Users\Admin\AppData\Roaming\Googlee\Notepad.exe | netwire
C:\Users\Admin\AppData\Roaming\Googlee\Notepad.exe | netwire
C:\Users\Admin\AppData\Roaming\Googlee\Notepad.exe | netwire
\Users\Admin\AppData\Roaming\Googlee\Notepad.exe | netwire

Executes dropped EXE (2 IoCs)
pid | process
1712 | Host Ip Js StartUp.exe
1628 | Notepad.exe

Drops startup file (1 IoC)
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Note.lnk | Notepad.exe

Loads dropped DLL (3 IoCs)
pid | process
1712 | Host Ip Js StartUp.exe
1712 | Host Ip Js StartUp.exe
1628 | Notepad.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ | Notepad.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Windows\CurrentVersion\Run\£2ëUíaÊ—KåL¦K®¨æ = "C:\\Users\\Admin\\AppData\\Roaming\\Googlee\\Notepad.exe" | Notepad.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 1 IoC)

Suspicious use of WriteProcessMemory (19 IoCs)
description | pid | process | target process
PID 1364 wrote to memory of 784 | 1364 | wscript.exe | wscript.exe (3 entries)
PID 1364 wrote to memory of 1712 | 1364 | wscript.exe | Host Ip Js StartUp.exe (4 entries)
PID 1712 wrote to memory of 1628 | 1712 | Host Ip Js StartUp.exe | Notepad.exe (4 entries)
PID 1628 wrote to memory of 1524 | 1628 | Notepad.exe | cmd.exe (4 entries)
PID 1524 wrote to memory of 804 | 1524 | cmd.exe | PING.EXE (4 entries)
Processes (process tree, indented by depth)

C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\Quote.js
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\wscript.exe
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\NiEPTAGvwK.js"

  C:\Users\Admin\AppData\Roaming\Host Ip Js StartUp.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Host Ip Js StartUp.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\Googlee\Notepad.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Googlee\Notepad.exe"
      - Executes dropped EXE
      - Drops startup file
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\cmd.exe
        Command line: cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Roaming\Googlee\Notepad.exe"
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\PING.EXE
          Command line: ping 1.1.1.1 -n 1 -w 3000
          - Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Roaming\Googlee\Notepad.exe
Filesize: 227KB
MD5: fc6330d62ae89347dddf9e98d6dc2533
SHA1: b2a3104e8178e25b6b40cf8b19d60c1a4e03e969
SHA256: 72c15ab989fb449e62d6a560bdad1c9c39d61c21345322b8c1331235adf484a7
SHA512: 1cf0e356a72a525b585533adab9c2abe1cfef9127ef96fedefe840bf33248bb85752fd92ca447cc6ac2b0654b497c07e3e3d0f0e064958f0f17b3e79424d6a4c

C:\Users\Admin\AppData\Roaming\Host Ip Js StartUp.exe
Filesize: 227KB
MD5: fc6330d62ae89347dddf9e98d6dc2533
SHA1: b2a3104e8178e25b6b40cf8b19d60c1a4e03e969
SHA256: 72c15ab989fb449e62d6a560bdad1c9c39d61c21345322b8c1331235adf484a7
SHA512: 1cf0e356a72a525b585533adab9c2abe1cfef9127ef96fedefe840bf33248bb85752fd92ca447cc6ac2b0654b497c07e3e3d0f0e064958f0f17b3e79424d6a4c

C:\Users\Admin\AppData\Roaming\NiEPTAGvwK.js
Filesize: 1KB
MD5: 8efa6c8d330a2f78a70ea7c34d15a105
SHA1: 1a4cbe922884b4c70ce5149fb5df2fd648914c4c
SHA256: 7003aeebb9585e848aaa2be76ed8c1d0538c183233487d46867aa750b8eb5acd
SHA512: e5a80386cf1ee17af7d08aa31b617333420da985a188b9df78feeb080110bbfdc9ecdd6309d26b38420cba1ff249aa9bfc63649fb2198cc43d666c142487f431

\Users\Admin\AppData\Roaming\Googlee\Notepad.exe
Filesize: 227KB
MD5: fc6330d62ae89347dddf9e98d6dc2533
SHA1: b2a3104e8178e25b6b40cf8b19d60c1a4e03e969
SHA256: 72c15ab989fb449e62d6a560bdad1c9c39d61c21345322b8c1331235adf484a7
SHA512: 1cf0e356a72a525b585533adab9c2abe1cfef9127ef96fedefe840bf33248bb85752fd92ca447cc6ac2b0654b497c07e3e3d0f0e064958f0f17b3e79424d6a4c

Memory dumps
memory/784-55-0x0000000000000000-mapping.dmp
memory/804-69-0x0000000000000000-mapping.dmp
memory/1364-54-0x000007FEFB7A1000-0x000007FEFB7A3000-memory.dmp (Filesize: 8KB)
memory/1524-68-0x0000000000000000-mapping.dmp
memory/1628-63-0x0000000000000000-mapping.dmp
memory/1712-59-0x0000000075681000-0x0000000075683000-memory.dmp (Filesize: 8KB)
memory/1712-57-0x0000000000000000-mapping.dmp