Analysis
  max time kernel:  153s
  max time network: 156s
  platform:         windows10-2004_x64
  resource:         win10v2004-20220721-en
  resource tags:    arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
  submitted:        06-08-2022 07:42
Static task: static1
Behavioral task: behavioral1
  Sample:   Quote_PDF.js
  Resource: win7-20220715-en
Behavioral task: behavioral2
  Sample:   Quote_PDF.js
  Resource: win10v2004-20220721-en
General
  Target: Quote_PDF.js
  Size:   413KB
  MD5:    79fb7c5753dc989e0c60289b36320afd
  SHA1:   545197015c5459a4aa846066a39ecbd109cd9230
  SHA256: 2fbfe996409f2cfececfcd3852deab2e25d6e8d403083d220e84b3d0be818a28
  SHA512: 17a7bf3e806c979aea263a19cecd5fb4d5875f01a8d4a3cf677fed19fd9329f33c6ac0513bb0dfb9cd3ede3f59522001e18ed97cd909f3c0f042e227d63eebe5
Malware Config
Signatures
NetWire RAT payload (4 IoCs)
  resource                                                yara_rule
  C:\Users\Admin\AppData\Roaming\Host Ip Js StartUp.exe   netwire
  C:\Users\Admin\AppData\Roaming\Host Ip Js StartUp.exe   netwire
  C:\Users\Admin\AppData\Roaming\Googlee\Notepad.exe      netwire
  C:\Users\Admin\AppData\Roaming\Googlee\Notepad.exe      netwire
Executes dropped EXE (2 IoCs)
  pid    process
  2132   Host Ip Js StartUp.exe
  1880   Notepad.exe
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
  description         ioc                                                                                                process
  Key value queried   \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation   wscript.exe
  Key value queried   \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation   Host Ip Js StartUp.exe
Drops startup file (1 IoCs)
  description    ioc                                                                                       process
  File created   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Note.lnk   Notepad.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
  description       ioc                                                                                                                                              process
  Key created       \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\                                        Notepad.exe
  Set value (str)   \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\£2ëUíaÊ—KåL¦K®¨æ = "C:\\Users\\Admin\\AppData\\Roaming\\Googlee\\Notepad.exe"   Notepad.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of WriteProcessMemory (8 IoCs)
  description                      pid    process                  target process
  PID 244 wrote to memory of 1828  244    wscript.exe              wscript.exe
  PID 244 wrote to memory of 1828  244    wscript.exe              wscript.exe
  PID 244 wrote to memory of 2132  244    wscript.exe              Host Ip Js StartUp.exe
  PID 244 wrote to memory of 2132  244    wscript.exe              Host Ip Js StartUp.exe
  PID 244 wrote to memory of 2132  244    wscript.exe              Host Ip Js StartUp.exe
  PID 2132 wrote to memory of 1880 2132   Host Ip Js StartUp.exe   Notepad.exe
  PID 2132 wrote to memory of 1880 2132   Host Ip Js StartUp.exe   Notepad.exe
  PID 2132 wrote to memory of 1880 2132   Host Ip Js StartUp.exe   Notepad.exe
Processes
  [1] C:\Windows\system32\wscript.exe
      command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\Quote_PDF.js
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory
    [2] C:\Windows\System32\wscript.exe
        command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\ZzwMpgzLEj.js"
    [2] C:\Users\Admin\AppData\Roaming\Host Ip Js StartUp.exe
        command line: "C:\Users\Admin\AppData\Roaming\Host Ip Js StartUp.exe"
        - Executes dropped EXE
        - Checks computer location settings
        - Suspicious use of WriteProcessMemory
      [3] C:\Users\Admin\AppData\Roaming\Googlee\Notepad.exe
          command line: "C:\Users\Admin\AppData\Roaming\Googlee\Notepad.exe"
          - Executes dropped EXE
          - Drops startup file
          - Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Roaming\Googlee\Notepad.exe
  Filesize: 227KB
  MD5:      fc6330d62ae89347dddf9e98d6dc2533
  SHA1:     b2a3104e8178e25b6b40cf8b19d60c1a4e03e969
  SHA256:   72c15ab989fb449e62d6a560bdad1c9c39d61c21345322b8c1331235adf484a7
  SHA512:   1cf0e356a72a525b585533adab9c2abe1cfef9127ef96fedefe840bf33248bb85752fd92ca447cc6ac2b0654b497c07e3e3d0f0e064958f0f17b3e79424d6a4c
C:\Users\Admin\AppData\Roaming\Host Ip Js StartUp.exe
  Filesize: 227KB
  MD5:      fc6330d62ae89347dddf9e98d6dc2533
  SHA1:     b2a3104e8178e25b6b40cf8b19d60c1a4e03e969
  SHA256:   72c15ab989fb449e62d6a560bdad1c9c39d61c21345322b8c1331235adf484a7
  SHA512:   1cf0e356a72a525b585533adab9c2abe1cfef9127ef96fedefe840bf33248bb85752fd92ca447cc6ac2b0654b497c07e3e3d0f0e064958f0f17b3e79424d6a4c
C:\Users\Admin\AppData\Roaming\ZzwMpgzLEj.js
  Filesize: 2KB
  MD5:      b75efef43e4017050dd978d7f5d361c8
  SHA1:     df468ada8aa4cc8fded0714be1d555618c7e6b8d
  SHA256:   85aefa3782e41109032a84e404cb38d6c8d1b8c2aeda81ef0c05f7e488f22fd3
  SHA512:   5b3f66e0d904f947b5abb4b9c413ba80c1325c2c974be4a897d12f37ae43258f1c3b2cec8e45dcc50b2d8c089a8b5e1798b74ff56c7e4becab18968bec6436a2
Memory dumps
  - memory/1828-130-0x0000000000000000-mapping.dmp
  - memory/1880-135-0x0000000000000000-mapping.dmp
  - memory/2132-132-0x0000000000000000-mapping.dmp