Analysis
-
max time kernel
141s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20220722-en -
resource tags
arch:x64arch:x86image:win10v2004-20220722-enlocale:en-usos:windows10-2004-x64system -
submitted
07-08-2022 13:14
Static task
static1
Behavioral task
behavioral1
Sample
Quote_PDF.js
Resource
win7-20220715-en
Behavioral task
behavioral2
Sample
Quote_PDF.js
Resource
win10v2004-20220722-en
General
-
Target
Quote_PDF.js
-
Size
427KB
-
MD5
38d24212ffdc3b2ed75c7bfa6da7723e
-
SHA1
0167489af9f781052c684882145834fd18f8b0cb
-
SHA256
a03e2209954abb189898ff2c0af25fe38d6702995bcf9d3819968d9ffba7f972
-
SHA512
d9ab3ecb7eb014fa27c5f556b255d301eab1efc16f84753af541deea7cc8a138c4c8871b2a7f967b352fdce8b4875a9ecf084167a9d7979486c750d6df9bb43c
Malware Config
Signatures
-
NetWire RAT payload 4 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Roaming\Host Ip Js StartUp.exe netwire C:\Users\Admin\AppData\Roaming\Host Ip Js StartUp.exe netwire C:\Users\Admin\AppData\Roaming\Googlee\Notepad.exe netwire C:\Users\Admin\AppData\Roaming\Googlee\Notepad.exe netwire -
Executes dropped EXE 2 IoCs
Processes:
Host Ip Js StartUp.exeNotepad.exepid process 2484 Host Ip Js StartUp.exe 4220 Notepad.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
wscript.exeHost Ip Js StartUp.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Control Panel\International\Geo\Nation wscript.exe Key value queried \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Control Panel\International\Geo\Nation Host Ip Js StartUp.exe -
Drops startup file 1 IoCs
Processes:
Notepad.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Note.lnk Notepad.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
Notepad.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ Notepad.exe Set value (str) \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\£2ëUíaÊ—KåL¦K®¨æ = "C:\\Users\\Admin\\AppData\\Roaming\\Googlee\\Notepad.exe" Notepad.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
wscript.exeHost Ip Js StartUp.exedescription pid process target process PID 4828 wrote to memory of 1164 4828 wscript.exe wscript.exe PID 4828 wrote to memory of 1164 4828 wscript.exe wscript.exe PID 4828 wrote to memory of 2484 4828 wscript.exe Host Ip Js StartUp.exe PID 4828 wrote to memory of 2484 4828 wscript.exe Host Ip Js StartUp.exe PID 4828 wrote to memory of 2484 4828 wscript.exe Host Ip Js StartUp.exe PID 2484 wrote to memory of 4220 2484 Host Ip Js StartUp.exe Notepad.exe PID 2484 wrote to memory of 4220 2484 Host Ip Js StartUp.exe Notepad.exe PID 2484 wrote to memory of 4220 2484 Host Ip Js StartUp.exe Notepad.exe
Processes
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\Quote_PDF.js1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\ObGxspjCwB.js"2⤵
-
C:\Users\Admin\AppData\Roaming\Host Ip Js StartUp.exe"C:\Users\Admin\AppData\Roaming\Host Ip Js StartUp.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Googlee\Notepad.exe"C:\Users\Admin\AppData\Roaming\Googlee\Notepad.exe"3⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Googlee\Notepad.exeFilesize
227KB
MD5fc6330d62ae89347dddf9e98d6dc2533
SHA1b2a3104e8178e25b6b40cf8b19d60c1a4e03e969
SHA25672c15ab989fb449e62d6a560bdad1c9c39d61c21345322b8c1331235adf484a7
SHA5121cf0e356a72a525b585533adab9c2abe1cfef9127ef96fedefe840bf33248bb85752fd92ca447cc6ac2b0654b497c07e3e3d0f0e064958f0f17b3e79424d6a4c
-
C:\Users\Admin\AppData\Roaming\Googlee\Notepad.exeFilesize
227KB
MD5fc6330d62ae89347dddf9e98d6dc2533
SHA1b2a3104e8178e25b6b40cf8b19d60c1a4e03e969
SHA25672c15ab989fb449e62d6a560bdad1c9c39d61c21345322b8c1331235adf484a7
SHA5121cf0e356a72a525b585533adab9c2abe1cfef9127ef96fedefe840bf33248bb85752fd92ca447cc6ac2b0654b497c07e3e3d0f0e064958f0f17b3e79424d6a4c
-
C:\Users\Admin\AppData\Roaming\Host Ip Js StartUp.exeFilesize
227KB
MD5fc6330d62ae89347dddf9e98d6dc2533
SHA1b2a3104e8178e25b6b40cf8b19d60c1a4e03e969
SHA25672c15ab989fb449e62d6a560bdad1c9c39d61c21345322b8c1331235adf484a7
SHA5121cf0e356a72a525b585533adab9c2abe1cfef9127ef96fedefe840bf33248bb85752fd92ca447cc6ac2b0654b497c07e3e3d0f0e064958f0f17b3e79424d6a4c
-
C:\Users\Admin\AppData\Roaming\Host Ip Js StartUp.exeFilesize
227KB
MD5fc6330d62ae89347dddf9e98d6dc2533
SHA1b2a3104e8178e25b6b40cf8b19d60c1a4e03e969
SHA25672c15ab989fb449e62d6a560bdad1c9c39d61c21345322b8c1331235adf484a7
SHA5121cf0e356a72a525b585533adab9c2abe1cfef9127ef96fedefe840bf33248bb85752fd92ca447cc6ac2b0654b497c07e3e3d0f0e064958f0f17b3e79424d6a4c
-
C:\Users\Admin\AppData\Roaming\ObGxspjCwB.jsFilesize
7KB
MD56e98db77334a5a7019fe4a7fb761061c
SHA1e7cb252e2cee1b1711623a7e59bd5e9c07533b30
SHA256be3b5894f9695b28c6109383bb90499a3e878cabd01a4617dfec0ef8b29e068e
SHA512bf39207659934327d308e3f5b9f4cdbe9297c0a8d80b78df4a99d30f22ac70209ae564065644495d3a49322e460106d49c0e5f2424e227158e59915b6f8b532c
-
memory/1164-132-0x0000000000000000-mapping.dmp
-
memory/2484-134-0x0000000000000000-mapping.dmp
-
memory/4220-137-0x0000000000000000-mapping.dmp