Analysis
-
max time kernel
143s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
13-08-2022 06:19
Static task
static1
Behavioral task
behavioral1
Sample
Quote_PDF.js
Resource
win7-20220812-en
General
-
Target
Quote_PDF.js
-
Size
430KB
-
MD5
fe558e8b7bad1d01fdefcefd7855fcbf
-
SHA1
2756be8542cd985eb705cfa6c2dfd6320fc00f7d
-
SHA256
d40160387487b0dac0046d366ac8eb84925c1623f2f9e85f7f80389a39c713af
-
SHA512
f6bca4122741c972c8ed9810f635fc9c70e9b069997e1b22baf123ecd9a75ece631d51a324480e59843bf7064ad0ded6a4f489dc8ae8952e40f2a16e2eeb9ebd
Malware Config
Signatures
-
NetWire RAT payload 4 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Roaming\Host Ip Js StartUp.exe netwire C:\Users\Admin\AppData\Roaming\Host Ip Js StartUp.exe netwire C:\Users\Admin\AppData\Roaming\Googlee\Notepad.exe netwire C:\Users\Admin\AppData\Roaming\Googlee\Notepad.exe netwire -
Blocklisted process makes network request 16 IoCs
Processes:
wscript.exeflow pid process 2 1640 wscript.exe 5 1640 wscript.exe 6 1640 wscript.exe 8 1640 wscript.exe 9 1640 wscript.exe 11 1640 wscript.exe 16 1640 wscript.exe 17 1640 wscript.exe 18 1640 wscript.exe 19 1640 wscript.exe 20 1640 wscript.exe 21 1640 wscript.exe 22 1640 wscript.exe 23 1640 wscript.exe 24 1640 wscript.exe 25 1640 wscript.exe -
Executes dropped EXE 2 IoCs
Processes:
Host Ip Js StartUp.exeNotepad.exepid process 444 Host Ip Js StartUp.exe 2436 Notepad.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
wscript.exeHost Ip Js StartUp.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation wscript.exe Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation Host Ip Js StartUp.exe -
Drops startup file 3 IoCs
Processes:
wscript.exeNotepad.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\odPiFDFyOM.js wscript.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\odPiFDFyOM.js wscript.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Note.lnk Notepad.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
Notepad.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ Notepad.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\£2ëUíaÊ—KåL¦K®¨æ = "C:\\Users\\Admin\\AppData\\Roaming\\Googlee\\Notepad.exe" Notepad.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
wscript.exeHost Ip Js StartUp.exedescription pid process target process PID 4116 wrote to memory of 1640 4116 wscript.exe wscript.exe PID 4116 wrote to memory of 1640 4116 wscript.exe wscript.exe PID 4116 wrote to memory of 444 4116 wscript.exe Host Ip Js StartUp.exe PID 4116 wrote to memory of 444 4116 wscript.exe Host Ip Js StartUp.exe PID 4116 wrote to memory of 444 4116 wscript.exe Host Ip Js StartUp.exe PID 444 wrote to memory of 2436 444 Host Ip Js StartUp.exe Notepad.exe PID 444 wrote to memory of 2436 444 Host Ip Js StartUp.exe Notepad.exe PID 444 wrote to memory of 2436 444 Host Ip Js StartUp.exe Notepad.exe
Processes
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\Quote_PDF.js1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\odPiFDFyOM.js"2⤵
- Blocklisted process makes network request
- Drops startup file
-
C:\Users\Admin\AppData\Roaming\Host Ip Js StartUp.exe"C:\Users\Admin\AppData\Roaming\Host Ip Js StartUp.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Googlee\Notepad.exe"C:\Users\Admin\AppData\Roaming\Googlee\Notepad.exe"3⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Googlee\Notepad.exeFilesize
227KB
MD5fc6330d62ae89347dddf9e98d6dc2533
SHA1b2a3104e8178e25b6b40cf8b19d60c1a4e03e969
SHA25672c15ab989fb449e62d6a560bdad1c9c39d61c21345322b8c1331235adf484a7
SHA5121cf0e356a72a525b585533adab9c2abe1cfef9127ef96fedefe840bf33248bb85752fd92ca447cc6ac2b0654b497c07e3e3d0f0e064958f0f17b3e79424d6a4c
-
C:\Users\Admin\AppData\Roaming\Googlee\Notepad.exeFilesize
227KB
MD5fc6330d62ae89347dddf9e98d6dc2533
SHA1b2a3104e8178e25b6b40cf8b19d60c1a4e03e969
SHA25672c15ab989fb449e62d6a560bdad1c9c39d61c21345322b8c1331235adf484a7
SHA5121cf0e356a72a525b585533adab9c2abe1cfef9127ef96fedefe840bf33248bb85752fd92ca447cc6ac2b0654b497c07e3e3d0f0e064958f0f17b3e79424d6a4c
-
C:\Users\Admin\AppData\Roaming\Host Ip Js StartUp.exeFilesize
227KB
MD5fc6330d62ae89347dddf9e98d6dc2533
SHA1b2a3104e8178e25b6b40cf8b19d60c1a4e03e969
SHA25672c15ab989fb449e62d6a560bdad1c9c39d61c21345322b8c1331235adf484a7
SHA5121cf0e356a72a525b585533adab9c2abe1cfef9127ef96fedefe840bf33248bb85752fd92ca447cc6ac2b0654b497c07e3e3d0f0e064958f0f17b3e79424d6a4c
-
C:\Users\Admin\AppData\Roaming\Host Ip Js StartUp.exeFilesize
227KB
MD5fc6330d62ae89347dddf9e98d6dc2533
SHA1b2a3104e8178e25b6b40cf8b19d60c1a4e03e969
SHA25672c15ab989fb449e62d6a560bdad1c9c39d61c21345322b8c1331235adf484a7
SHA5121cf0e356a72a525b585533adab9c2abe1cfef9127ef96fedefe840bf33248bb85752fd92ca447cc6ac2b0654b497c07e3e3d0f0e064958f0f17b3e79424d6a4c
-
C:\Users\Admin\AppData\Roaming\odPiFDFyOM.jsFilesize
9KB
MD504564069457cd814e23f1187bfd6fb2f
SHA15fa802c02d7d175efa123bf52baa0152b250ef26
SHA25621f4a96ebe9782b148d04bc91a4cd2f406a9e7458e295729a5406dae885177fb
SHA512949bef87e05d1476e0d26598e61d61eb1f0d7bc81e79c9846946c77f7d4c6720615c180c3dc4323c427919d6b41fb1ee87d4698dcab4eddcd928e54c22a5ec23
-
memory/444-134-0x0000000000000000-mapping.dmp
-
memory/1640-132-0x0000000000000000-mapping.dmp
-
memory/2436-137-0x0000000000000000-mapping.dmp