netwire | daf814f4418c0806322977e304937e6dd18a4c70a1cc0524e0e5e1dd1548dee7

General

Target

Quote_PDF.js
Size

430KB
MD5

25e6f5655c71f7ee10968a01c51a8652
SHA1

bf0f2f6415e4a3e679f2b258bbd17714dddac41f
SHA256

daf814f4418c0806322977e304937e6dd18a4c70a1cc0524e0e5e1dd1548dee7
SHA512

177675b1152b74ec7e4ecfca2a92314871fff0b3c53a52acb8e75db89293b8fd7144b2c883478c7d8959ad1bb2e727bed744a50db8b621cd131b9de3b7790b89

Score

10^/10

netwire vjw0rm botnet persistence rat stealer trojan worm

Malware Config

Signatures

NetWire RAT payload 7 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Host Ip Js StartUp.exe	netwire
C:\Users\Admin\AppData\Roaming\Host Ip Js StartUp.exe	netwire
\Users\Admin\AppData\Roaming\Googlee\Notepad.exe	netwire
\Users\Admin\AppData\Roaming\Googlee\Notepad.exe	netwire
C:\Users\Admin\AppData\Roaming\Googlee\Notepad.exe	netwire
\Users\Admin\AppData\Roaming\Googlee\Notepad.exe	netwire
C:\Users\Admin\AppData\Roaming\Googlee\Notepad.exe	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 16 IoCs

Processes:

wscript.exe

flow	pid	process
5	1684	wscript.exe
6	1684	wscript.exe
7	1684	wscript.exe
9	1684	wscript.exe
10	1684	wscript.exe
12	1684	wscript.exe
14	1684	wscript.exe
15	1684	wscript.exe
16	1684	wscript.exe
18	1684	wscript.exe
19	1684	wscript.exe
20	1684	wscript.exe
22	1684	wscript.exe
23	1684	wscript.exe
24	1684	wscript.exe
26	1684	wscript.exe

Executes dropped EXE 2 IoCs

Processes:

Host Ip Js StartUp.exeNotepad.exe

pid process

1816 Host Ip Js StartUp.exe
580 Notepad.exe

pid	process
1816	Host Ip Js StartUp.exe
580	Notepad.exe

Drops startup file 3 IoCs

Processes:

Notepad.exewscript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Note.lnk	Notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZkBggjbtre.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZkBggjbtre.js	wscript.exe

Loads dropped DLL 3 IoCs

Processes:

Host Ip Js StartUp.exeNotepad.exe

pid process

1816 Host Ip Js StartUp.exe
1816 Host Ip Js StartUp.exe
580 Notepad.exe

pid	process
1816	Host Ip Js StartUp.exe
1816	Host Ip Js StartUp.exe
580	Notepad.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Notepad.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	Notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Windows\CurrentVersion\Run\£2ëUíaÊ—KåL¦K®¨æ = "C:\\Users\\Admin\\AppData\\Roaming\\Googlee\\Notepad.exe"	Notepad.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

wscript.exeHost Ip Js StartUp.exe

description	pid	process	target process
PID 1708 wrote to memory of 1684	1708	wscript.exe	wscript.exe
PID 1708 wrote to memory of 1684	1708	wscript.exe	wscript.exe
PID 1708 wrote to memory of 1684	1708	wscript.exe	wscript.exe
PID 1708 wrote to memory of 1816	1708	wscript.exe	Host Ip Js StartUp.exe
PID 1708 wrote to memory of 1816	1708	wscript.exe	Host Ip Js StartUp.exe
PID 1708 wrote to memory of 1816	1708	wscript.exe	Host Ip Js StartUp.exe
PID 1708 wrote to memory of 1816	1708	wscript.exe	Host Ip Js StartUp.exe
PID 1816 wrote to memory of 580	1816	Host Ip Js StartUp.exe	Notepad.exe
PID 1816 wrote to memory of 580	1816	Host Ip Js StartUp.exe	Notepad.exe
PID 1816 wrote to memory of 580	1816	Host Ip Js StartUp.exe	Notepad.exe
PID 1816 wrote to memory of 580	1816	Host Ip Js StartUp.exe	Notepad.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Quote_PDF.js
1⤵
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\ZkBggjbtre.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  PID:1684
- C:\Users\Admin\AppData\Roaming\Host Ip Js StartUp.exe
  "C:\Users\Admin\AppData\Roaming\Host Ip Js StartUp.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1816
- - C:\Users\Admin\AppData\Roaming\Googlee\Notepad.exe
    "C:\Users\Admin\AppData\Roaming\Googlee\Notepad.exe"
    3⤵
    - Executes dropped EXE
    - Drops startup file
    - Loads dropped DLL
    - Adds Run key to start application
    PID:580

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Googlee\Notepad.exe

Filesize
227KB

MD5
fc6330d62ae89347dddf9e98d6dc2533

SHA1
b2a3104e8178e25b6b40cf8b19d60c1a4e03e969

SHA256
72c15ab989fb449e62d6a560bdad1c9c39d61c21345322b8c1331235adf484a7

SHA512
1cf0e356a72a525b585533adab9c2abe1cfef9127ef96fedefe840bf33248bb85752fd92ca447cc6ac2b0654b497c07e3e3d0f0e064958f0f17b3e79424d6a4c

Download Submit
C:\Users\Admin\AppData\Roaming\Googlee\Notepad.exe

Filesize
227KB

MD5
fc6330d62ae89347dddf9e98d6dc2533

SHA1
b2a3104e8178e25b6b40cf8b19d60c1a4e03e969

SHA256
72c15ab989fb449e62d6a560bdad1c9c39d61c21345322b8c1331235adf484a7

SHA512
1cf0e356a72a525b585533adab9c2abe1cfef9127ef96fedefe840bf33248bb85752fd92ca447cc6ac2b0654b497c07e3e3d0f0e064958f0f17b3e79424d6a4c

Download Submit
C:\Users\Admin\AppData\Roaming\Host Ip Js StartUp.exe

Filesize
227KB

MD5
fc6330d62ae89347dddf9e98d6dc2533

SHA1
b2a3104e8178e25b6b40cf8b19d60c1a4e03e969

SHA256
72c15ab989fb449e62d6a560bdad1c9c39d61c21345322b8c1331235adf484a7

SHA512
1cf0e356a72a525b585533adab9c2abe1cfef9127ef96fedefe840bf33248bb85752fd92ca447cc6ac2b0654b497c07e3e3d0f0e064958f0f17b3e79424d6a4c

Download Submit
C:\Users\Admin\AppData\Roaming\Host Ip Js StartUp.exe

Filesize
227KB

MD5
fc6330d62ae89347dddf9e98d6dc2533

SHA1
b2a3104e8178e25b6b40cf8b19d60c1a4e03e969

SHA256
72c15ab989fb449e62d6a560bdad1c9c39d61c21345322b8c1331235adf484a7

SHA512
1cf0e356a72a525b585533adab9c2abe1cfef9127ef96fedefe840bf33248bb85752fd92ca447cc6ac2b0654b497c07e3e3d0f0e064958f0f17b3e79424d6a4c

Download Submit
C:\Users\Admin\AppData\Roaming\ZkBggjbtre.js

Filesize
9KB

MD5
60678163b28370d874ce73cb47bb9176

SHA1
132397b9aa53e3d92ebd5d3c93ef2766a8688326

SHA256
e44be6b0db106dde3375a79edb59bed0d5d6e2806974aaad2ed787802acfaed1

SHA512
5ceeffb85d611867897ac1346b23df3aa92ee941b4c88cad8e3e3865cf8c9a87ad35c16956ac9968192b6b8474f42fdbfcae4140e5536815a6baa5b266354117

Download Submit
\Users\Admin\AppData\Roaming\Googlee\Notepad.exe

Filesize
227KB

MD5
fc6330d62ae89347dddf9e98d6dc2533

SHA1
b2a3104e8178e25b6b40cf8b19d60c1a4e03e969

SHA256
72c15ab989fb449e62d6a560bdad1c9c39d61c21345322b8c1331235adf484a7

SHA512
1cf0e356a72a525b585533adab9c2abe1cfef9127ef96fedefe840bf33248bb85752fd92ca447cc6ac2b0654b497c07e3e3d0f0e064958f0f17b3e79424d6a4c

Download Submit
\Users\Admin\AppData\Roaming\Googlee\Notepad.exe

Filesize
227KB

MD5
fc6330d62ae89347dddf9e98d6dc2533

SHA1
b2a3104e8178e25b6b40cf8b19d60c1a4e03e969

SHA256
72c15ab989fb449e62d6a560bdad1c9c39d61c21345322b8c1331235adf484a7

SHA512
1cf0e356a72a525b585533adab9c2abe1cfef9127ef96fedefe840bf33248bb85752fd92ca447cc6ac2b0654b497c07e3e3d0f0e064958f0f17b3e79424d6a4c

Download Submit
\Users\Admin\AppData\Roaming\Googlee\Notepad.exe

Filesize
227KB

MD5
fc6330d62ae89347dddf9e98d6dc2533

SHA1
b2a3104e8178e25b6b40cf8b19d60c1a4e03e969

SHA256
72c15ab989fb449e62d6a560bdad1c9c39d61c21345322b8c1331235adf484a7

SHA512
1cf0e356a72a525b585533adab9c2abe1cfef9127ef96fedefe840bf33248bb85752fd92ca447cc6ac2b0654b497c07e3e3d0f0e064958f0f17b3e79424d6a4c

Download Submit
memory/580-63-0x0000000000000000-mapping.dmp

Download
memory/1684-55-0x0000000000000000-mapping.dmp

Download
memory/1708-54-0x000007FEFC491000-0x000007FEFC493000-memory.dmp

Filesize
8KB

Download
memory/1816-59-0x0000000075D91000-0x0000000075D93000-memory.dmp

Filesize
8KB

Download
memory/1816-57-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads