Analysis
- max time kernel: 149s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22-08-2022 15:00
Static task: static1
Behavioral task: behavioral1
- Sample: Payment_PDF.js
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: Payment_PDF.js
- Resource: win10v2004-20220812-en
General
- Target: Payment_PDF.js
- Size: 423KB
- MD5: 371a8641026b2a7ef3006b8bb4dece0a
- SHA1: 7bb7a599080e696f92b875f4218f22aa2db4ba16
- SHA256: 3f15efe553460c7afa09e3464a98612d3b6107fdb1b076b985f9959b177e8214
- SHA512: d92047fb2c0fae92aabd73cd621302e545b024eb476e8d4a71052a2621aeda9ff98a15864acc301e6b332820c6c1345a9f67e1284e468562450e3a6ccc5e8afa
Malware Config
Signatures
- NetWire RAT payload (4 IoCs)
  Processes (resource / yara_rule):
  - C:\Users\Admin\AppData\Roaming\Host Ip Js StartUp.exe / netwire
  - C:\Users\Admin\AppData\Roaming\Host Ip Js StartUp.exe / netwire
  - C:\Users\Admin\AppData\Roaming\Googlee\Notepad.exe / netwire
  - C:\Users\Admin\AppData\Roaming\Googlee\Notepad.exe / netwire
- Executes dropped EXE (2 IoCs)
  Processes (pid / process):
  - 3208 / Host Ip Js StartUp.exe
  - 4916 / Notepad.exe
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes (description / ioc / process):
  - Key value queried / \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation / wscript.exe
  - Key value queried / \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation / Host Ip Js StartUp.exe
- Drops startup file (1 IoC)
  Processes (description / ioc / process):
  - File created / C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Note.lnk / Notepad.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description / ioc / process):
  - Key created / \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ / Notepad.exe
  - Set value (str) / \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\£2ëUíaÊ—KåL¦K®¨æ = "C:\\Users\\Admin\\AppData\\Roaming\\Googlee\\Notepad.exe" / Notepad.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description / pid / process / target process):
  - PID 4132 wrote to memory of 3232 / 4132 / wscript.exe / wscript.exe
  - PID 4132 wrote to memory of 3232 / 4132 / wscript.exe / wscript.exe
  - PID 4132 wrote to memory of 3208 / 4132 / wscript.exe / Host Ip Js StartUp.exe
  - PID 4132 wrote to memory of 3208 / 4132 / wscript.exe / Host Ip Js StartUp.exe
  - PID 4132 wrote to memory of 3208 / 4132 / wscript.exe / Host Ip Js StartUp.exe
  - PID 3208 wrote to memory of 4916 / 3208 / Host Ip Js StartUp.exe / Notepad.exe
  - PID 3208 wrote to memory of 4916 / 3208 / Host Ip Js StartUp.exe / Notepad.exe
  - PID 3208 wrote to memory of 4916 / 3208 / Host Ip Js StartUp.exe / Notepad.exe
Processes (process tree; indentation shows parent/child depth)
- C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\Payment_PDF.js
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\wscript.exe
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\HaFZbLHqjJ.js"
  - C:\Users\Admin\AppData\Roaming\Host Ip Js StartUp.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Host Ip Js StartUp.exe"
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Googlee\Notepad.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Googlee\Notepad.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Googlee\Notepad.exe
  Filesize: 227KB
  MD5: fc6330d62ae89347dddf9e98d6dc2533
  SHA1: b2a3104e8178e25b6b40cf8b19d60c1a4e03e969
  SHA256: 72c15ab989fb449e62d6a560bdad1c9c39d61c21345322b8c1331235adf484a7
  SHA512: 1cf0e356a72a525b585533adab9c2abe1cfef9127ef96fedefe840bf33248bb85752fd92ca447cc6ac2b0654b497c07e3e3d0f0e064958f0f17b3e79424d6a4c
- C:\Users\Admin\AppData\Roaming\HaFZbLHqjJ.js
  Filesize: 6KB
  MD5: 6ce191a48f5cbedf94f0857f2e1bdb0f
  SHA1: 6688758553c117f5f470b2ab24279de67320efe0
  SHA256: 3d0f0edd9ed469eab3ec7ea9c7db039765b1abe65f268706f92f9667c67ac7b4
  SHA512: c1f7b0dc4de433688e81cdd2a1851865073d958e1ae782d1d2d0bc9cbecd3d39fb4c3e717679a4f2f042dc97d27a3a975fcb479db9392f68a2310c1348ffd657
- C:\Users\Admin\AppData\Roaming\Host Ip Js StartUp.exe
  Filesize: 227KB
  MD5: fc6330d62ae89347dddf9e98d6dc2533
  SHA1: b2a3104e8178e25b6b40cf8b19d60c1a4e03e969
  SHA256: 72c15ab989fb449e62d6a560bdad1c9c39d61c21345322b8c1331235adf484a7
  SHA512: 1cf0e356a72a525b585533adab9c2abe1cfef9127ef96fedefe840bf33248bb85752fd92ca447cc6ac2b0654b497c07e3e3d0f0e064958f0f17b3e79424d6a4c
- memory/3208-134-0x0000000000000000-mapping.dmp
- memory/3232-132-0x0000000000000000-mapping.dmp
- memory/4916-137-0x0000000000000000-mapping.dmp