Overview

overview

10

Static

static

Quote_PDF.js

windows7-x64

10

Quote_PDF.js

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220721-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-08-2022 18:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Quote_PDF.js

  • Size

    592KB

  • MD5

    edd15033148bf7e2bf4125c4d211e8ca

  • SHA1

    bdb2ed893df770f57ef19cb2a6d2ffbac1fde78e

  • SHA256

    c1a07cde2b35fc342b437b715d447a564db513a7c23223ba66f7d68da74d368d

  • SHA512

    42d46d1607d1efa75e3ab540334afab109825209fdff8226f2e2a57a62c39df8c007995f93b3eae03567ea58b2ca5ce3b6e42baf6febb3658b7fb906fbe7cf4d

Score
10/10
netwirevjw0rmbotnetpersistenceratstealertrojanworm

Malware Config

Signatures

  • NetWire RAT payload 4 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

    trojanwormvjw0rm
  • Blocklisted process makes network request 13 IoCs
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 5 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\Quote_PDF.js
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3144
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\zyOjbguoaJ.js"
      2⤵
      • Blocklisted process makes network request
      • Checks computer location settings
      • Drops startup file
      • Suspicious use of WriteProcessMemory
      PID:1884
      • C:\Windows\System32\wscript.exe
        "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\juIwXhspQL.js"
        3⤵
        • Blocklisted process makes network request
        • Checks computer location settings
        • Drops startup file
        • Suspicious use of WriteProcessMemory
        PID:4060
        • C:\Windows\System32\wscript.exe
          "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\oVKKrOdyJJ.js"
          4⤵
            PID:1348
      • C:\Users\Admin\AppData\Roaming\Host Ip Js StartUp.exe
        "C:\Users\Admin\AppData\Roaming\Host Ip Js StartUp.exe"
        2⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:3296
        • C:\Users\Admin\AppData\Roaming\Googlee\Notepad.exe
          "C:\Users\Admin\AppData\Roaming\Googlee\Notepad.exe"
          3⤵
          • Executes dropped EXE
          • Drops startup file
          • Adds Run key to start application
          PID:4924

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Googlee\Notepad.exe
      Filesize

      227KB

      MD5

      fc6330d62ae89347dddf9e98d6dc2533

      SHA1

      b2a3104e8178e25b6b40cf8b19d60c1a4e03e969

      SHA256

      72c15ab989fb449e62d6a560bdad1c9c39d61c21345322b8c1331235adf484a7

      SHA512

      1cf0e356a72a525b585533adab9c2abe1cfef9127ef96fedefe840bf33248bb85752fd92ca447cc6ac2b0654b497c07e3e3d0f0e064958f0f17b3e79424d6a4c

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Googlee\Notepad.exe
      Filesize

      227KB

      MD5

      fc6330d62ae89347dddf9e98d6dc2533

      SHA1

      b2a3104e8178e25b6b40cf8b19d60c1a4e03e969

      SHA256

      72c15ab989fb449e62d6a560bdad1c9c39d61c21345322b8c1331235adf484a7

      SHA512

      1cf0e356a72a525b585533adab9c2abe1cfef9127ef96fedefe840bf33248bb85752fd92ca447cc6ac2b0654b497c07e3e3d0f0e064958f0f17b3e79424d6a4c

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Host Ip Js StartUp.exe
      Filesize

      227KB

      MD5

      fc6330d62ae89347dddf9e98d6dc2533

      SHA1

      b2a3104e8178e25b6b40cf8b19d60c1a4e03e969

      SHA256

      72c15ab989fb449e62d6a560bdad1c9c39d61c21345322b8c1331235adf484a7

      SHA512

      1cf0e356a72a525b585533adab9c2abe1cfef9127ef96fedefe840bf33248bb85752fd92ca447cc6ac2b0654b497c07e3e3d0f0e064958f0f17b3e79424d6a4c

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Host Ip Js StartUp.exe
      Filesize

      227KB

      MD5

      fc6330d62ae89347dddf9e98d6dc2533

      SHA1

      b2a3104e8178e25b6b40cf8b19d60c1a4e03e969

      SHA256

      72c15ab989fb449e62d6a560bdad1c9c39d61c21345322b8c1331235adf484a7

      SHA512

      1cf0e356a72a525b585533adab9c2abe1cfef9127ef96fedefe840bf33248bb85752fd92ca447cc6ac2b0654b497c07e3e3d0f0e064958f0f17b3e79424d6a4c

      Download Submit

    • C:\Users\Admin\AppData\Roaming\juIwXhspQL.js
      Filesize

      38KB

      MD5

      18a451d41d501f501013b82c8697083e

      SHA1

      e31027858b8dd30339db29453791ab9552fd2e0f

      SHA256

      ca93d14291d1ee81cc27df8fc1b55092cb0e819d37233f1e0ddb963c10288d0f

      SHA512

      46c4b7c1bf9e1470a0ae244e56c10d2d4db97ed5102a3dea27501f1aff6528cd70b9b452348f0d53b935b3d222c8c1401df7537e5202105b09e2b013fb4cb6aa

      Download Submit

    • C:\Users\Admin\AppData\Roaming\oVKKrOdyJJ.js
      Filesize

      7KB

      MD5

      3706cdda45b9643a81251d011c39e8e5

      SHA1

      1dcfc53931935cc86a459302777845271cf3e175

      SHA256

      3787d7284843c9fda5c95d75eb8bc16c4c0b92b0bd84d58b1bb0fb00905ee612

      SHA512

      51967bdb3ab98e4389b46a0f6e5feb98fb6009b630820d8236ce920f5c04a3f710a4cd871aa0b10d8a6979a469cbb2d5954a7e13afe54d55a0621a8943c36d32

      Download Submit

    • C:\Users\Admin\AppData\Roaming\zyOjbguoaJ.js
      Filesize

      103KB

      MD5

      f6de6532bcb5dff519b1571779b99199

      SHA1

      898302bf728cd7784a0f171722bf232c32ab3ed1

      SHA256

      a5d8777e4d074fd73a97218850e0883b07945eb9eed084765181da209e608d3a

      SHA512

      65fe6d05b64ecd93addb82c8cf9936357bf23bbd9540208c614cc6d78a4027824fdf987410adffd84407d18a9de7623b1396ce3fd8d96000af2849f7fc69d3b1

      Download Submit

    • memory/1348-137-0x0000000000000000-mapping.dmp

      Download

    • memory/1884-130-0x0000000000000000-mapping.dmp

      Download

    • memory/3296-132-0x0000000000000000-mapping.dmp

      Download

    • memory/4060-135-0x0000000000000000-mapping.dmp

      Download

    • memory/4924-139-0x0000000000000000-mapping.dmp

      Download