Analysis
max time kernel: 125s
max time network: 137s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-09-2022 14:15
Static task: static1
Behavioral task: behavioral1
  Sample: Quote_PDF.js
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: Quote_PDF.js
  Resource: win10v2004-20220812-en
General
Target: Quote_PDF.js
Size: 422KB
MD5: 5d717ac195bc3787ab6ac01b49abaa22
SHA1: b450127007dd40b7ee2211d426bbe2586cdbaedf
SHA256: ec2bbe3bfa62d4741203ee49e07e40760985eed8222ed0da151baffa75fff385
SHA512: 09084b31c880271646a3d054e5a596d95b30facb2eb2eb66718aaff3b242a5277c7c7abaf6f5269024fe8109a28122c690db9cc68a241cc0344a93b750437495
SSDEEP: 6144:sxTu0/rJRYOEzdmleq0ymPxnpM8sO4VJZHhBQ+JtsATMan/e:B0/+8leOOxnpM8cVJZH/Q+wA3/e
Malware Config
Signatures
NetWire RAT payload (4 IoCs)
Processes:
  resource                                            yara_rule
  C:\Users\Admin\AppData\Roaming\Host Dns.exe         netwire
  C:\Users\Admin\AppData\Roaming\Host Dns.exe         netwire
  C:\Users\Admin\AppData\Roaming\Googlee\Notepad.exe  netwire
  C:\Users\Admin\AppData\Roaming\Googlee\Notepad.exe  netwire

Executes dropped EXE (2 IoCs)
Processes: Host Dns.exe, Notepad.exe
  pid   process
  4972  Host Dns.exe
  1272  Notepad.exe

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: wscript.exe, Host Dns.exe
  description        ioc                                                                                                process
  Key value queried  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation  wscript.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation  Host Dns.exe

Drops startup file (1 IoC)
Processes: Notepad.exe
  description   ioc                                                                                   process
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Note.lnk  Notepad.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: Notepad.exe
  description      ioc                                                                                                process
  Key created      \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\  Notepad.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\¿"rT8@ž2n æx2ÆÅ = "C:\\Users\\Admin\\AppData\\Roaming\\Googlee\\Notepad.exe"  Notepad.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of WriteProcessMemory (8 IoCs)
Processes: wscript.exe, Host Dns.exe
  description                       pid   process       target process
  PID 1968 wrote to memory of 4164  1968  wscript.exe   wscript.exe
  PID 1968 wrote to memory of 4164  1968  wscript.exe   wscript.exe
  PID 1968 wrote to memory of 4972  1968  wscript.exe   Host Dns.exe
  PID 1968 wrote to memory of 4972  1968  wscript.exe   Host Dns.exe
  PID 1968 wrote to memory of 4972  1968  wscript.exe   Host Dns.exe
  PID 4972 wrote to memory of 1272  4972  Host Dns.exe  Notepad.exe
  PID 4972 wrote to memory of 1272  4972  Host Dns.exe  Notepad.exe
  PID 4972 wrote to memory of 1272  4972  Host Dns.exe  Notepad.exe
Processes
C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\Quote_PDF.js
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  C:\Windows\System32\wscript.exe
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\xsFpVXXoGH.js"
  C:\Users\Admin\AppData\Roaming\Host Dns.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Host Dns.exe"
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\Googlee\Notepad.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Googlee\Notepad.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Roaming\Googlee\Notepad.exe
  Filesize: 227KB
  MD5: 554aeeede0a3bfb607fa0ea59ad29f78
  SHA1: ff7a2bd1c4c76550945c4f9b3a5f476d8e10dc9f
  SHA256: 9eec384cecb0513bf8576882cd4f649f20deab8c9ef2c0c41c02957b43eeafdb
  SHA512: 14dabb59779053d2ac53cca0dd3f59d47569bf64cdc85532942b4601435916e8fd10b8e3fbaf8bc8a3caa94497d4518bb620ab4ff732eb810f8fae916ef34d71
C:\Users\Admin\AppData\Roaming\Host Dns.exe
  Filesize: 227KB
  MD5: 554aeeede0a3bfb607fa0ea59ad29f78
  SHA1: ff7a2bd1c4c76550945c4f9b3a5f476d8e10dc9f
  SHA256: 9eec384cecb0513bf8576882cd4f649f20deab8c9ef2c0c41c02957b43eeafdb
  SHA512: 14dabb59779053d2ac53cca0dd3f59d47569bf64cdc85532942b4601435916e8fd10b8e3fbaf8bc8a3caa94497d4518bb620ab4ff732eb810f8fae916ef34d71
C:\Users\Admin\AppData\Roaming\xsFpVXXoGH.js
  Filesize: 4KB
  MD5: 9c4f5c30e711e4d15d03a45a6addf7f1
  SHA1: 5dc9d92d50b53abc32677ceb6ef729dd49d2a9a7
  SHA256: 215cda7c7b4b899182d21f8e27b93d7723eff066aceada9ff7799ae85065b512
  SHA512: 48bb4d17eaf19fa5213e594654cf4e7e13e250adcfee1709404c90d06e0fac5af5c5b8b856565ce8eee0e447386beccd018f4e1f9175dc1e4959447a90dc1ac4
memory/1272-137-0x0000000000000000-mapping.dmp
memory/4164-132-0x0000000000000000-mapping.dmp
memory/4972-134-0x0000000000000000-mapping.dmp