Analysis
- max time kernel: 99s
- max time network: 113s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 02-09-2022 14:15
Static task: static1

Behavioral task: behavioral1
- Sample: Quote_PDF.js
- Resource: win7-20220812-en

Behavioral task: behavioral2
- Sample: Quote_PDF.js
- Resource: win10v2004-20220812-en
General
- Target: Quote_PDF.js
- Size: 422KB
- MD5: 5d717ac195bc3787ab6ac01b49abaa22
- SHA1: b450127007dd40b7ee2211d426bbe2586cdbaedf
- SHA256: ec2bbe3bfa62d4741203ee49e07e40760985eed8222ed0da151baffa75fff385
- SHA512: 09084b31c880271646a3d054e5a596d95b30facb2eb2eb66718aaff3b242a5277c7c7abaf6f5269024fe8109a28122c690db9cc68a241cc0344a93b750437495
- SSDEEP: 6144:sxTu0/rJRYOEzdmleq0ymPxnpM8sO4VJZHhBQ+JtsATMan/e:B0/+8leOOxnpM8cVJZH/Q+wA3/e
Malware Config
Signatures
- NetWire RAT payload (7 IoCs)
  Processes:
    resource                                               yara_rule
    C:\Users\Admin\AppData\Roaming\Host Dns.exe            netwire
    C:\Users\Admin\AppData\Roaming\Host Dns.exe            netwire
    C:\Users\Admin\AppData\Roaming\Googlee\Notepad.exe     netwire
    \Users\Admin\AppData\Roaming\Googlee\Notepad.exe       netwire
    \Users\Admin\AppData\Roaming\Googlee\Notepad.exe       netwire
    \Users\Admin\AppData\Roaming\Googlee\Notepad.exe       netwire
    C:\Users\Admin\AppData\Roaming\Googlee\Notepad.exe     netwire
- Executes dropped EXE (2 IoCs)
  Processes:
    pid    process
    2044   Host Dns.exe
    1924   Notepad.exe
- Drops startup file (1 IoC)
  Processes:
    description    ioc                                                                                     process
    File created   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Note.lnk   Notepad.exe
- Loads dropped DLL (3 IoCs)
  Processes:
    pid    process
    2044   Host Dns.exe
    2044   Host Dns.exe
    1924   Notepad.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
    description       ioc                                                                                                                              process
    Key created       \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\                      Notepad.exe
    Set value (str)   \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\¿"rT8@ž2n æx2ÆÅ = "C:\\Users\\Admin\\AppData\\Roaming\\Googlee\\Notepad.exe"   Notepad.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
    description                      pid    process        target process
    PID 1208 wrote to memory of 1396  1208   wscript.exe    wscript.exe
    PID 1208 wrote to memory of 1396  1208   wscript.exe    wscript.exe
    PID 1208 wrote to memory of 1396  1208   wscript.exe    wscript.exe
    PID 1208 wrote to memory of 2044  1208   wscript.exe    Host Dns.exe
    PID 1208 wrote to memory of 2044  1208   wscript.exe    Host Dns.exe
    PID 1208 wrote to memory of 2044  1208   wscript.exe    Host Dns.exe
    PID 1208 wrote to memory of 2044  1208   wscript.exe    Host Dns.exe
    PID 2044 wrote to memory of 1924  2044   Host Dns.exe   Notepad.exe
    PID 2044 wrote to memory of 1924  2044   Host Dns.exe   Notepad.exe
    PID 2044 wrote to memory of 1924  2044   Host Dns.exe   Notepad.exe
    PID 2044 wrote to memory of 1924  2044   Host Dns.exe   Notepad.exe
Processes
- [1] C:\Windows\system32\wscript.exe
      command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\Quote_PDF.js
      - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\System32\wscript.exe
        command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\xsFpVXXoGH.js"
  - [2] C:\Users\Admin\AppData\Roaming\Host Dns.exe
        command line: "C:\Users\Admin\AppData\Roaming\Host Dns.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Roaming\Googlee\Notepad.exe
          command line: "C:\Users\Admin\AppData\Roaming\Googlee\Notepad.exe"
          - Executes dropped EXE
          - Drops startup file
          - Loads dropped DLL
          - Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Googlee\Notepad.exe
  Filesize: 227KB
  MD5: 554aeeede0a3bfb607fa0ea59ad29f78
  SHA1: ff7a2bd1c4c76550945c4f9b3a5f476d8e10dc9f
  SHA256: 9eec384cecb0513bf8576882cd4f649f20deab8c9ef2c0c41c02957b43eeafdb
  SHA512: 14dabb59779053d2ac53cca0dd3f59d47569bf64cdc85532942b4601435916e8fd10b8e3fbaf8bc8a3caa94497d4518bb620ab4ff732eb810f8fae916ef34d71
- C:\Users\Admin\AppData\Roaming\Googlee\Notepad.exe
  Filesize: 227KB
  MD5: 554aeeede0a3bfb607fa0ea59ad29f78
  SHA1: ff7a2bd1c4c76550945c4f9b3a5f476d8e10dc9f
  SHA256: 9eec384cecb0513bf8576882cd4f649f20deab8c9ef2c0c41c02957b43eeafdb
  SHA512: 14dabb59779053d2ac53cca0dd3f59d47569bf64cdc85532942b4601435916e8fd10b8e3fbaf8bc8a3caa94497d4518bb620ab4ff732eb810f8fae916ef34d71
- C:\Users\Admin\AppData\Roaming\Host Dns.exe
  Filesize: 227KB
  MD5: 554aeeede0a3bfb607fa0ea59ad29f78
  SHA1: ff7a2bd1c4c76550945c4f9b3a5f476d8e10dc9f
  SHA256: 9eec384cecb0513bf8576882cd4f649f20deab8c9ef2c0c41c02957b43eeafdb
  SHA512: 14dabb59779053d2ac53cca0dd3f59d47569bf64cdc85532942b4601435916e8fd10b8e3fbaf8bc8a3caa94497d4518bb620ab4ff732eb810f8fae916ef34d71
- C:\Users\Admin\AppData\Roaming\Host Dns.exe
  Filesize: 227KB
  MD5: 554aeeede0a3bfb607fa0ea59ad29f78
  SHA1: ff7a2bd1c4c76550945c4f9b3a5f476d8e10dc9f
  SHA256: 9eec384cecb0513bf8576882cd4f649f20deab8c9ef2c0c41c02957b43eeafdb
  SHA512: 14dabb59779053d2ac53cca0dd3f59d47569bf64cdc85532942b4601435916e8fd10b8e3fbaf8bc8a3caa94497d4518bb620ab4ff732eb810f8fae916ef34d71
- C:\Users\Admin\AppData\Roaming\xsFpVXXoGH.js
  Filesize: 4KB
  MD5: 9c4f5c30e711e4d15d03a45a6addf7f1
  SHA1: 5dc9d92d50b53abc32677ceb6ef729dd49d2a9a7
  SHA256: 215cda7c7b4b899182d21f8e27b93d7723eff066aceada9ff7799ae85065b512
  SHA512: 48bb4d17eaf19fa5213e594654cf4e7e13e250adcfee1709404c90d06e0fac5af5c5b8b856565ce8eee0e447386beccd018f4e1f9175dc1e4959447a90dc1ac4
- \Users\Admin\AppData\Roaming\Googlee\Notepad.exe
  Filesize: 227KB
  MD5: 554aeeede0a3bfb607fa0ea59ad29f78
  SHA1: ff7a2bd1c4c76550945c4f9b3a5f476d8e10dc9f
  SHA256: 9eec384cecb0513bf8576882cd4f649f20deab8c9ef2c0c41c02957b43eeafdb
  SHA512: 14dabb59779053d2ac53cca0dd3f59d47569bf64cdc85532942b4601435916e8fd10b8e3fbaf8bc8a3caa94497d4518bb620ab4ff732eb810f8fae916ef34d71
- \Users\Admin\AppData\Roaming\Googlee\Notepad.exe
  Filesize: 227KB
  MD5: 554aeeede0a3bfb607fa0ea59ad29f78
  SHA1: ff7a2bd1c4c76550945c4f9b3a5f476d8e10dc9f
  SHA256: 9eec384cecb0513bf8576882cd4f649f20deab8c9ef2c0c41c02957b43eeafdb
  SHA512: 14dabb59779053d2ac53cca0dd3f59d47569bf64cdc85532942b4601435916e8fd10b8e3fbaf8bc8a3caa94497d4518bb620ab4ff732eb810f8fae916ef34d71
- \Users\Admin\AppData\Roaming\Googlee\Notepad.exe
  Filesize: 227KB
  MD5: 554aeeede0a3bfb607fa0ea59ad29f78
  SHA1: ff7a2bd1c4c76550945c4f9b3a5f476d8e10dc9f
  SHA256: 9eec384cecb0513bf8576882cd4f649f20deab8c9ef2c0c41c02957b43eeafdb
  SHA512: 14dabb59779053d2ac53cca0dd3f59d47569bf64cdc85532942b4601435916e8fd10b8e3fbaf8bc8a3caa94497d4518bb620ab4ff732eb810f8fae916ef34d71
- memory/1208-54-0x000007FEFC161000-0x000007FEFC163000-memory.dmp
  Filesize: 8KB
- memory/1396-55-0x0000000000000000-mapping.dmp
- memory/1924-63-0x0000000000000000-mapping.dmp
- memory/2044-57-0x0000000000000000-mapping.dmp
- memory/2044-59-0x0000000075D01000-0x0000000075D03000-memory.dmp
  Filesize: 8KB