Analysis

  • max time kernel
    139s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02-09-2022 14:15

General

  • Target

    Quote_PDF.js

  • Size

    422KB

  • MD5

    5d717ac195bc3787ab6ac01b49abaa22

  • SHA1

    b450127007dd40b7ee2211d426bbe2586cdbaedf

  • SHA256

    ec2bbe3bfa62d4741203ee49e07e40760985eed8222ed0da151baffa75fff385

  • SHA512

    09084b31c880271646a3d054e5a596d95b30facb2eb2eb66718aaff3b242a5277c7c7abaf6f5269024fe8109a28122c690db9cc68a241cc0344a93b750437495

  • SSDEEP

    6144:sxTu0/rJRYOEzdmleq0ymPxnpM8sO4VJZHhBQ+JtsATMan/e:B0/+8leOOxnpM8cVJZH/Q+wA3/e

Malware Config

Signatures

  • NetWire RAT payload 4 IoCs
  • Netwire

    Netwire is a RAT whose main functionality is focused on password stealing and keylogging, but it also includes remote control capabilities.

  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Drops startup file 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\Quote_PDF.js
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3068
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\xsFpVXXoGH.js"
      2⤵
        PID:3620
      • C:\Users\Admin\AppData\Roaming\Host Dns.exe
        "C:\Users\Admin\AppData\Roaming\Host Dns.exe"
        2⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:4204
        • C:\Users\Admin\AppData\Roaming\Googlee\Notepad.exe
          "C:\Users\Admin\AppData\Roaming\Googlee\Notepad.exe"
          3⤵
          • Executes dropped EXE
          • Drops startup file
          • Adds Run key to start application
          PID:1616

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    • Persistence
      Registry Run Keys / Startup Folder (T1060): 1
    • Defense Evasion
      Modify Registry (T1112): 1
    • Discovery
      Query Registry (T1012): 1
      System Information Discovery (T1082): 2

    Downloads

    • C:\Users\Admin\AppData\Roaming\Googlee\Notepad.exe
      Filesize

      227KB

      MD5

      554aeeede0a3bfb607fa0ea59ad29f78

      SHA1

      ff7a2bd1c4c76550945c4f9b3a5f476d8e10dc9f

      SHA256

      9eec384cecb0513bf8576882cd4f649f20deab8c9ef2c0c41c02957b43eeafdb

      SHA512

      14dabb59779053d2ac53cca0dd3f59d47569bf64cdc85532942b4601435916e8fd10b8e3fbaf8bc8a3caa94497d4518bb620ab4ff732eb810f8fae916ef34d71

    • C:\Users\Admin\AppData\Roaming\Host Dns.exe
      Filesize

      227KB

      MD5

      554aeeede0a3bfb607fa0ea59ad29f78

      SHA1

      ff7a2bd1c4c76550945c4f9b3a5f476d8e10dc9f

      SHA256

      9eec384cecb0513bf8576882cd4f649f20deab8c9ef2c0c41c02957b43eeafdb

      SHA512

      14dabb59779053d2ac53cca0dd3f59d47569bf64cdc85532942b4601435916e8fd10b8e3fbaf8bc8a3caa94497d4518bb620ab4ff732eb810f8fae916ef34d71

    • C:\Users\Admin\AppData\Roaming\xsFpVXXoGH.js
      Filesize

      4KB

      MD5

      9c4f5c30e711e4d15d03a45a6addf7f1

      SHA1

      5dc9d92d50b53abc32677ceb6ef729dd49d2a9a7

      SHA256

      215cda7c7b4b899182d21f8e27b93d7723eff066aceada9ff7799ae85065b512

      SHA512

      48bb4d17eaf19fa5213e594654cf4e7e13e250adcfee1709404c90d06e0fac5af5c5b8b856565ce8eee0e447386beccd018f4e1f9175dc1e4959447a90dc1ac4

    • memory/1616-137-0x0000000000000000-mapping.dmp
    • memory/3620-132-0x0000000000000000-mapping.dmp
    • memory/4204-134-0x0000000000000000-mapping.dmp