Analysis
-
max time kernel
38s -
max time network
107s -
platform
windows7_x64 -
resource
win7-20220715-en -
resource tags
arch:x64arch:x86image:win7-20220715-enlocale:en-usos:windows7-x64system -
submitted
06-08-2022 07:42
Static task
static1
Behavioral task
behavioral1
Sample
Quote_PDF.js
Resource
win7-20220715-en
Behavioral task
behavioral2
Sample
Quote_PDF.js
Resource
win10v2004-20220721-en
General
-
Target
Quote_PDF.js
-
Size
413KB
-
MD5
79fb7c5753dc989e0c60289b36320afd
-
SHA1
545197015c5459a4aa846066a39ecbd109cd9230
-
SHA256
2fbfe996409f2cfececfcd3852deab2e25d6e8d403083d220e84b3d0be818a28
-
SHA512
17a7bf3e806c979aea263a19cecd5fb4d5875f01a8d4a3cf677fed19fd9329f33c6ac0513bb0dfb9cd3ede3f59522001e18ed97cd909f3c0f042e227d63eebe5
Malware Config
Signatures
-
NetWire RAT payload 7 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Roaming\Host Ip Js StartUp.exe netwire C:\Users\Admin\AppData\Roaming\Host Ip Js StartUp.exe netwire \Users\Admin\AppData\Roaming\Googlee\Notepad.exe netwire \Users\Admin\AppData\Roaming\Googlee\Notepad.exe netwire C:\Users\Admin\AppData\Roaming\Googlee\Notepad.exe netwire C:\Users\Admin\AppData\Roaming\Googlee\Notepad.exe netwire \Users\Admin\AppData\Roaming\Googlee\Notepad.exe netwire -
Executes dropped EXE 2 IoCs
Processes:
Host Ip Js StartUp.exeNotepad.exepid process 832 Host Ip Js StartUp.exe 1948 Notepad.exe -
Drops startup file 1 IoCs
Processes:
Notepad.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Note.lnk Notepad.exe -
Loads dropped DLL 3 IoCs
Processes:
Host Ip Js StartUp.exeNotepad.exepid process 832 Host Ip Js StartUp.exe 832 Host Ip Js StartUp.exe 1948 Notepad.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
Notepad.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ Notepad.exe Set value (str) \REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Windows\CurrentVersion\Run\£2ëUíaÊ—KåL¦K®¨æ = "C:\\Users\\Admin\\AppData\\Roaming\\Googlee\\Notepad.exe" Notepad.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
wscript.exeHost Ip Js StartUp.exedescription pid process target process PID 1052 wrote to memory of 1908 1052 wscript.exe wscript.exe PID 1052 wrote to memory of 1908 1052 wscript.exe wscript.exe PID 1052 wrote to memory of 1908 1052 wscript.exe wscript.exe PID 1052 wrote to memory of 832 1052 wscript.exe Host Ip Js StartUp.exe PID 1052 wrote to memory of 832 1052 wscript.exe Host Ip Js StartUp.exe PID 1052 wrote to memory of 832 1052 wscript.exe Host Ip Js StartUp.exe PID 1052 wrote to memory of 832 1052 wscript.exe Host Ip Js StartUp.exe PID 832 wrote to memory of 1948 832 Host Ip Js StartUp.exe Notepad.exe PID 832 wrote to memory of 1948 832 Host Ip Js StartUp.exe Notepad.exe PID 832 wrote to memory of 1948 832 Host Ip Js StartUp.exe Notepad.exe PID 832 wrote to memory of 1948 832 Host Ip Js StartUp.exe Notepad.exe
Processes
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\Quote_PDF.js1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\ZzwMpgzLEj.js"2⤵
-
C:\Users\Admin\AppData\Roaming\Host Ip Js StartUp.exe"C:\Users\Admin\AppData\Roaming\Host Ip Js StartUp.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Googlee\Notepad.exe"C:\Users\Admin\AppData\Roaming\Googlee\Notepad.exe"3⤵
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Googlee\Notepad.exeFilesize
227KB
MD5fc6330d62ae89347dddf9e98d6dc2533
SHA1b2a3104e8178e25b6b40cf8b19d60c1a4e03e969
SHA25672c15ab989fb449e62d6a560bdad1c9c39d61c21345322b8c1331235adf484a7
SHA5121cf0e356a72a525b585533adab9c2abe1cfef9127ef96fedefe840bf33248bb85752fd92ca447cc6ac2b0654b497c07e3e3d0f0e064958f0f17b3e79424d6a4c
-
C:\Users\Admin\AppData\Roaming\Googlee\Notepad.exeFilesize
227KB
MD5fc6330d62ae89347dddf9e98d6dc2533
SHA1b2a3104e8178e25b6b40cf8b19d60c1a4e03e969
SHA25672c15ab989fb449e62d6a560bdad1c9c39d61c21345322b8c1331235adf484a7
SHA5121cf0e356a72a525b585533adab9c2abe1cfef9127ef96fedefe840bf33248bb85752fd92ca447cc6ac2b0654b497c07e3e3d0f0e064958f0f17b3e79424d6a4c
-
C:\Users\Admin\AppData\Roaming\Host Ip Js StartUp.exeFilesize
227KB
MD5fc6330d62ae89347dddf9e98d6dc2533
SHA1b2a3104e8178e25b6b40cf8b19d60c1a4e03e969
SHA25672c15ab989fb449e62d6a560bdad1c9c39d61c21345322b8c1331235adf484a7
SHA5121cf0e356a72a525b585533adab9c2abe1cfef9127ef96fedefe840bf33248bb85752fd92ca447cc6ac2b0654b497c07e3e3d0f0e064958f0f17b3e79424d6a4c
-
C:\Users\Admin\AppData\Roaming\Host Ip Js StartUp.exeFilesize
227KB
MD5fc6330d62ae89347dddf9e98d6dc2533
SHA1b2a3104e8178e25b6b40cf8b19d60c1a4e03e969
SHA25672c15ab989fb449e62d6a560bdad1c9c39d61c21345322b8c1331235adf484a7
SHA5121cf0e356a72a525b585533adab9c2abe1cfef9127ef96fedefe840bf33248bb85752fd92ca447cc6ac2b0654b497c07e3e3d0f0e064958f0f17b3e79424d6a4c
-
C:\Users\Admin\AppData\Roaming\ZzwMpgzLEj.jsFilesize
2KB
MD5b75efef43e4017050dd978d7f5d361c8
SHA1df468ada8aa4cc8fded0714be1d555618c7e6b8d
SHA25685aefa3782e41109032a84e404cb38d6c8d1b8c2aeda81ef0c05f7e488f22fd3
SHA5125b3f66e0d904f947b5abb4b9c413ba80c1325c2c974be4a897d12f37ae43258f1c3b2cec8e45dcc50b2d8c089a8b5e1798b74ff56c7e4becab18968bec6436a2
-
\Users\Admin\AppData\Roaming\Googlee\Notepad.exeFilesize
227KB
MD5fc6330d62ae89347dddf9e98d6dc2533
SHA1b2a3104e8178e25b6b40cf8b19d60c1a4e03e969
SHA25672c15ab989fb449e62d6a560bdad1c9c39d61c21345322b8c1331235adf484a7
SHA5121cf0e356a72a525b585533adab9c2abe1cfef9127ef96fedefe840bf33248bb85752fd92ca447cc6ac2b0654b497c07e3e3d0f0e064958f0f17b3e79424d6a4c
-
\Users\Admin\AppData\Roaming\Googlee\Notepad.exeFilesize
227KB
MD5fc6330d62ae89347dddf9e98d6dc2533
SHA1b2a3104e8178e25b6b40cf8b19d60c1a4e03e969
SHA25672c15ab989fb449e62d6a560bdad1c9c39d61c21345322b8c1331235adf484a7
SHA5121cf0e356a72a525b585533adab9c2abe1cfef9127ef96fedefe840bf33248bb85752fd92ca447cc6ac2b0654b497c07e3e3d0f0e064958f0f17b3e79424d6a4c
-
\Users\Admin\AppData\Roaming\Googlee\Notepad.exeFilesize
227KB
MD5fc6330d62ae89347dddf9e98d6dc2533
SHA1b2a3104e8178e25b6b40cf8b19d60c1a4e03e969
SHA25672c15ab989fb449e62d6a560bdad1c9c39d61c21345322b8c1331235adf484a7
SHA5121cf0e356a72a525b585533adab9c2abe1cfef9127ef96fedefe840bf33248bb85752fd92ca447cc6ac2b0654b497c07e3e3d0f0e064958f0f17b3e79424d6a4c
-
memory/832-59-0x0000000075F81000-0x0000000075F83000-memory.dmpFilesize
8KB
-
memory/832-57-0x0000000000000000-mapping.dmp
-
memory/1052-54-0x000007FEFC4E1000-0x000007FEFC4E3000-memory.dmpFilesize
8KB
-
memory/1908-55-0x0000000000000000-mapping.dmp
-
memory/1948-63-0x0000000000000000-mapping.dmp