Analysis

  • max time kernel
    84s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26-08-2022 16:16

General

  • Target

    Quote_PDF.js

  • Size

    457KB

  • MD5

    5d9f9baf3d7c581bc7c9d5ef19dad173

  • SHA1

    f03d9205fa4b1d695079e77e44384a7a1afcf03d

  • SHA256

    1dc432ae11129c1f3497710ae3dcf457a3f3b99a71e011992434ecf11103cdeb

  • SHA512

    0f0bfa0089aec3149508242907835404d099c323c42da901e0a992bf937a087485f7bca6c53fd4ef4556a04f3ebc8fa60e714b28046470c4d10302d646d396e8

  • SSDEEP

    6144:KJm4iMO2wtqrHTt50ONAeFcYf/3XuDZz+NtM67bXoxKF:KJm4iMO2w6HPFcYHXu2yxoF

Malware Config

Signatures

  • NetWire RAT payload 4 IoCs
  • Netwire

    Netwire is a RAT whose main functionality is focused on password stealing and keylogging, but it also includes remote control capabilities.

  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\Quote_PDF.js
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4896
    • C:\Users\Admin\AppData\Roaming\Host Ip Js StartUp.exe
      "C:\Users\Admin\AppData\Roaming\Host Ip Js StartUp.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:3440
      • C:\Users\Admin\AppData\Roaming\Googlee\Notepad.exe
        "C:\Users\Admin\AppData\Roaming\Googlee\Notepad.exe"
        3⤵
        • Executes dropped EXE
        • Drops startup file
        • Adds Run key to start application
        PID:4816
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\GJesmMedJL.js"
      2⤵
      PID:2868

    Network

    MITRE ATT&CK Matrix (ATT&CK v6)

      • Persistence: Registry Run Keys / Startup Folder, T1060 (1)
      • Defense Evasion: Modify Registry, T1112 (1)
      • Discovery: Query Registry, T1012 (1)
      • Discovery: System Information Discovery, T1082 (2)

    Downloads

    • C:\Users\Admin\AppData\Roaming\GJesmMedJL.js
      Filesize

      18KB

      MD5

      99b66296ee0fe8afb57b407e6f9b33af

      SHA1

      20712ad4446efc63f564e2bc6ea582cc70a12368

      SHA256

      2bddbe3031cdf97a6533cd55a88093fc670ab438a69ac8f8684a5564dfb8acb7

      SHA512

      a8ccbf88ac1a8f05eebade7b73f302571a7dc16fd42a332ee6a6b44d88cc0e6fc1c11efefb341aed25e8267d7935bcc82fe205d5be97b2c2dfebe9ec80a64651

    • C:\Users\Admin\AppData\Roaming\Googlee\Notepad.exe
      Filesize

      227KB

      MD5

      fc6330d62ae89347dddf9e98d6dc2533

      SHA1

      b2a3104e8178e25b6b40cf8b19d60c1a4e03e969

      SHA256

      72c15ab989fb449e62d6a560bdad1c9c39d61c21345322b8c1331235adf484a7

      SHA512

      1cf0e356a72a525b585533adab9c2abe1cfef9127ef96fedefe840bf33248bb85752fd92ca447cc6ac2b0654b497c07e3e3d0f0e064958f0f17b3e79424d6a4c

    • C:\Users\Admin\AppData\Roaming\Host Ip Js StartUp.exe
      Filesize

      227KB

      MD5

      fc6330d62ae89347dddf9e98d6dc2533

      SHA1

      b2a3104e8178e25b6b40cf8b19d60c1a4e03e969

      SHA256

      72c15ab989fb449e62d6a560bdad1c9c39d61c21345322b8c1331235adf484a7

      SHA512

      1cf0e356a72a525b585533adab9c2abe1cfef9127ef96fedefe840bf33248bb85752fd92ca447cc6ac2b0654b497c07e3e3d0f0e064958f0f17b3e79424d6a4c

    • memory/2868-132-0x0000000000000000-mapping.dmp
    • memory/3440-134-0x0000000000000000-mapping.dmp
    • memory/4816-137-0x0000000000000000-mapping.dmp