Analysis
- max time kernel: 82s
- max time network: 129s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14-09-2022 04:36
Static task: static1
Behavioral task: behavioral1
- Sample: Request QuotePDF.js
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: Request QuotePDF.js
- Resource: win10v2004-20220812-en
General
- Target: Request QuotePDF.js
- Size: 413KB
- MD5: 3d02c62008af5380118aae1dcc6e3e3d
- SHA1: 9ff83c7144de3919478f47a6185984ac43bd95a4
- SHA256: c0177f6f95bf8a1d435add27ca92db115ac047026a2a6f51b553f96c867210b6
- SHA512: 6c2c43557d6feeaec7bd16e847e846badf1708cdd752f437a8882d688e252c1299338e7a74d564f027d513ab54cd4e3bfeaf5bf2d36b9dba125f7374705feda5
- SSDEEP: 6144:S/iLqOXNMlJ8kC8ZKFD6KsKmvGyiLQ6sudDTvBenSI/azZPvA94Xun:S/2FYZKFD6dLvGa6sqD7ljc
Malware Config
Signatures
- NetWire RAT payload (4 IoCs)
  Processes (resource | yara_rule):
    C:\Users\Admin\AppData\Roaming\Host Ip 185.216.71.251.exe | netwire
    C:\Users\Admin\AppData\Roaming\Host Ip 185.216.71.251.exe | netwire
    C:\Users\Admin\AppData\Roaming\Gooogle\Note.exe | netwire
    C:\Users\Admin\AppData\Roaming\Gooogle\Note.exe | netwire
- Executes dropped EXE (2 IoCs)
  Processes (pid | process):
    2184 | Host Ip 185.216.71.251.exe
    456 | Note.exe
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes (description | ioc | process):
    Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | Host Ip 185.216.71.251.exe
    Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | wscript.exe
- Drops startup file (1 IoC)
  Processes (description | ioc | process):
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Notepad.lnk | Note.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description | ioc | process):
    Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ | Note.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\)Ô‡OûPN»t@÷áh = "C:\\Users\\Admin\\AppData\\Roaming\\Gooogle\\Note.exe" | Note.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description | pid | process | target process):
    PID 4116 wrote to memory of 4688 | 4116 | wscript.exe | wscript.exe
    PID 4116 wrote to memory of 4688 | 4116 | wscript.exe | wscript.exe
    PID 4116 wrote to memory of 2184 | 4116 | wscript.exe | Host Ip 185.216.71.251.exe
    PID 4116 wrote to memory of 2184 | 4116 | wscript.exe | Host Ip 185.216.71.251.exe
    PID 4116 wrote to memory of 2184 | 4116 | wscript.exe | Host Ip 185.216.71.251.exe
    PID 2184 wrote to memory of 456 | 2184 | Host Ip 185.216.71.251.exe | Note.exe
    PID 2184 wrote to memory of 456 | 2184 | Host Ip 185.216.71.251.exe | Note.exe
    PID 2184 wrote to memory of 456 | 2184 | Host Ip 185.216.71.251.exe | Note.exe
Processes
- C:\Windows\system32\wscript.exe (depth 1)
  Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\Request QuotePDF.js"
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\wscript.exe (depth 2)
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\kTaFAHjxeK.js"
  - C:\Users\Admin\AppData\Roaming\Host Ip 185.216.71.251.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Roaming\Host Ip 185.216.71.251.exe"
    Signatures: Executes dropped EXE; Checks computer location settings; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Gooogle\Note.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Roaming\Gooogle\Note.exe"
      Signatures: Executes dropped EXE; Drops startup file; Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Gooogle\Note.exe
  Filesize: 227KB
  MD5: a8edd52c5edfe91da90ebee24b51d3c6
  SHA1: fc36350b93c6974865eaa7f00a98fa281d1ff7fd
  SHA256: 35d0bbb6787ae3fb3e155f2eaad36e5f4bb5255e7bb95b759790cc3cc048839d
  SHA512: 97278bb3967c6ec10d221820d0d50d3582e6fd3975318c882efbecc6b87bfc83f9f58d927e81ecb95ea8a510929591834a27a23e56dc38e8d091f95f9a31ca14
- C:\Users\Admin\AppData\Roaming\Host Ip 185.216.71.251.exe
  Filesize: 227KB
  MD5: a8edd52c5edfe91da90ebee24b51d3c6
  SHA1: fc36350b93c6974865eaa7f00a98fa281d1ff7fd
  SHA256: 35d0bbb6787ae3fb3e155f2eaad36e5f4bb5255e7bb95b759790cc3cc048839d
  SHA512: 97278bb3967c6ec10d221820d0d50d3582e6fd3975318c882efbecc6b87bfc83f9f58d927e81ecb95ea8a510929591834a27a23e56dc38e8d091f95f9a31ca14
- C:\Users\Admin\AppData\Roaming\kTaFAHjxeK.js
  Filesize: 2KB
  MD5: 58513b281f902c6d05cf77df217eff5f
  SHA1: 1459b9c0320c61bfbc81ca6de21e870b83a26d67
  SHA256: 44f6d9a28cf8070c0096cc90a5c135c5b63ee028eb913ceb43c71537a09b1965
  SHA512: 33fde4f79c7a4fa1e9b656a488c9560d00ff8518ef9b2382a87b3e84e2b8b8cb691ca86eef4b6b720166721f91aa0305239b1c43a0fb36827a7ef635d4c26fa0
- memory/456-137-0x0000000000000000-mapping.dmp
- memory/2184-134-0x0000000000000000-mapping.dmp
- memory/4688-132-0x0000000000000000-mapping.dmp