Analysis

  • max time kernel
    82s
  • max time network
    129s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14-09-2022 04:36

General

  • Target

    Request QuotePDF.js

  • Size

    413KB

  • MD5

    3d02c62008af5380118aae1dcc6e3e3d

  • SHA1

    9ff83c7144de3919478f47a6185984ac43bd95a4

  • SHA256

    c0177f6f95bf8a1d435add27ca92db115ac047026a2a6f51b553f96c867210b6

  • SHA512

    6c2c43557d6feeaec7bd16e847e846badf1708cdd752f437a8882d688e252c1299338e7a74d564f027d513ab54cd4e3bfeaf5bf2d36b9dba125f7374705feda5

  • SSDEEP

    6144:S/iLqOXNMlJ8kC8ZKFD6KsKmvGyiLQ6sudDTvBenSI/azZPvA94Xun:S/2FYZKFD6dLvGa6sqD7ljc

Malware Config

Signatures

  • NetWire RAT payload 4 IoCs
  • Netwire

    Netwire is a RAT whose main functionality is password stealing and keylogging, but it also includes remote control capabilities.

  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Drops startup file 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe "C:\Users\Admin\AppData\Local\Temp\Request QuotePDF.js"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4116
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\kTaFAHjxeK.js"
      2⤵
        PID:4688
      • C:\Users\Admin\AppData\Roaming\Host Ip 185.216.71.251.exe
        "C:\Users\Admin\AppData\Roaming\Host Ip 185.216.71.251.exe"
        2⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:2184
        • C:\Users\Admin\AppData\Roaming\Gooogle\Note.exe
          "C:\Users\Admin\AppData\Roaming\Gooogle\Note.exe"
          3⤵
          • Executes dropped EXE
          • Drops startup file
          • Adds Run key to start application
          PID:456

    Network

    MITRE ATT&CK Matrix (ATT&CK v6)

    • Persistence: T1060 Registry Run Keys / Startup Folder (1)
    • Defense Evasion: T1112 Modify Registry (1)
    • Discovery: T1012 Query Registry (1)
    • Discovery: T1082 System Information Discovery (2)

    Downloads

    • C:\Users\Admin\AppData\Roaming\Gooogle\Note.exe
      Filesize

      227KB

      MD5

      a8edd52c5edfe91da90ebee24b51d3c6

      SHA1

      fc36350b93c6974865eaa7f00a98fa281d1ff7fd

      SHA256

      35d0bbb6787ae3fb3e155f2eaad36e5f4bb5255e7bb95b759790cc3cc048839d

      SHA512

      97278bb3967c6ec10d221820d0d50d3582e6fd3975318c882efbecc6b87bfc83f9f58d927e81ecb95ea8a510929591834a27a23e56dc38e8d091f95f9a31ca14

    • C:\Users\Admin\AppData\Roaming\Host Ip 185.216.71.251.exe
      Filesize

      227KB

      MD5

      a8edd52c5edfe91da90ebee24b51d3c6

      SHA1

      fc36350b93c6974865eaa7f00a98fa281d1ff7fd

      SHA256

      35d0bbb6787ae3fb3e155f2eaad36e5f4bb5255e7bb95b759790cc3cc048839d

      SHA512

      97278bb3967c6ec10d221820d0d50d3582e6fd3975318c882efbecc6b87bfc83f9f58d927e81ecb95ea8a510929591834a27a23e56dc38e8d091f95f9a31ca14

    • C:\Users\Admin\AppData\Roaming\kTaFAHjxeK.js
      Filesize

      2KB

      MD5

      58513b281f902c6d05cf77df217eff5f

      SHA1

      1459b9c0320c61bfbc81ca6de21e870b83a26d67

      SHA256

      44f6d9a28cf8070c0096cc90a5c135c5b63ee028eb913ceb43c71537a09b1965

      SHA512

      33fde4f79c7a4fa1e9b656a488c9560d00ff8518ef9b2382a87b3e84e2b8b8cb691ca86eef4b6b720166721f91aa0305239b1c43a0fb36827a7ef635d4c26fa0

    • memory/456-137-0x0000000000000000-mapping.dmp
    • memory/2184-134-0x0000000000000000-mapping.dmp
    • memory/4688-132-0x0000000000000000-mapping.dmp