Analysis
-
max time kernel
95s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
16-09-2022 07:37
Static task
static1
Behavioral task
behavioral1
Sample
Payment_PDF.js
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
Payment_PDF.js
Resource
win10v2004-20220812-en
General
-
Target
Payment_PDF.js
-
Size
413KB
-
MD5
e73b5a8013d9a3e9d23ccc801360710e
-
SHA1
71af99e6cdc182af193072bf1ccae44d4d35763a
-
SHA256
c1a1607c8471e135ad234c5ac04519b62225604f2c29bbdf8a93f451dd12304e
-
SHA512
b8593e89b9eac381738ec90d1749e9f785cecb405eb8f0aca6023b0b9df83e329dbfb379323187afd5f0e46d5b7855971d4303a47909c227a18f3ccd1fda33fe
-
SSDEEP
6144:xigBqQHVy7zWgwA1ypzgcOsaDOguPM6MuhTVJ/KBk+pKLlvbAh2xu5:xiGrG1ypzgdFDOM6M+TLrfS
Malware Config
Signatures
-
NetWire RAT payload 4 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Roaming\Host Ip 185.216.71.251.exe netwire C:\Users\Admin\AppData\Roaming\Host Ip 185.216.71.251.exe netwire C:\Users\Admin\AppData\Roaming\Gooogle\Note.exe netwire C:\Users\Admin\AppData\Roaming\Gooogle\Note.exe netwire -
Executes dropped EXE 2 IoCs
Processes:
Host Ip 185.216.71.251.exeNote.exepid process 4688 Host Ip 185.216.71.251.exe 2440 Note.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
wscript.exeHost Ip 185.216.71.251.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation wscript.exe Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation Host Ip 185.216.71.251.exe -
Drops startup file 1 IoCs
Processes:
Note.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Notepad.lnk Note.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
Note.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ Note.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\)Ô‡OûPN»t@÷áh = "C:\\Users\\Admin\\AppData\\Roaming\\Gooogle\\Note.exe" Note.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
wscript.exeHost Ip 185.216.71.251.exedescription pid process target process PID 2148 wrote to memory of 1700 2148 wscript.exe wscript.exe PID 2148 wrote to memory of 1700 2148 wscript.exe wscript.exe PID 2148 wrote to memory of 4688 2148 wscript.exe Host Ip 185.216.71.251.exe PID 2148 wrote to memory of 4688 2148 wscript.exe Host Ip 185.216.71.251.exe PID 2148 wrote to memory of 4688 2148 wscript.exe Host Ip 185.216.71.251.exe PID 4688 wrote to memory of 2440 4688 Host Ip 185.216.71.251.exe Note.exe PID 4688 wrote to memory of 2440 4688 Host Ip 185.216.71.251.exe Note.exe PID 4688 wrote to memory of 2440 4688 Host Ip 185.216.71.251.exe Note.exe
Processes
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\Payment_PDF.js1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\oxzCqvVlSa.js"2⤵
-
C:\Users\Admin\AppData\Roaming\Host Ip 185.216.71.251.exe"C:\Users\Admin\AppData\Roaming\Host Ip 185.216.71.251.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Gooogle\Note.exe"C:\Users\Admin\AppData\Roaming\Gooogle\Note.exe"3⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Gooogle\Note.exeFilesize
227KB
MD5a8edd52c5edfe91da90ebee24b51d3c6
SHA1fc36350b93c6974865eaa7f00a98fa281d1ff7fd
SHA25635d0bbb6787ae3fb3e155f2eaad36e5f4bb5255e7bb95b759790cc3cc048839d
SHA51297278bb3967c6ec10d221820d0d50d3582e6fd3975318c882efbecc6b87bfc83f9f58d927e81ecb95ea8a510929591834a27a23e56dc38e8d091f95f9a31ca14
-
C:\Users\Admin\AppData\Roaming\Gooogle\Note.exeFilesize
227KB
MD5a8edd52c5edfe91da90ebee24b51d3c6
SHA1fc36350b93c6974865eaa7f00a98fa281d1ff7fd
SHA25635d0bbb6787ae3fb3e155f2eaad36e5f4bb5255e7bb95b759790cc3cc048839d
SHA51297278bb3967c6ec10d221820d0d50d3582e6fd3975318c882efbecc6b87bfc83f9f58d927e81ecb95ea8a510929591834a27a23e56dc38e8d091f95f9a31ca14
-
C:\Users\Admin\AppData\Roaming\Host Ip 185.216.71.251.exeFilesize
227KB
MD5a8edd52c5edfe91da90ebee24b51d3c6
SHA1fc36350b93c6974865eaa7f00a98fa281d1ff7fd
SHA25635d0bbb6787ae3fb3e155f2eaad36e5f4bb5255e7bb95b759790cc3cc048839d
SHA51297278bb3967c6ec10d221820d0d50d3582e6fd3975318c882efbecc6b87bfc83f9f58d927e81ecb95ea8a510929591834a27a23e56dc38e8d091f95f9a31ca14
-
C:\Users\Admin\AppData\Roaming\Host Ip 185.216.71.251.exeFilesize
227KB
MD5a8edd52c5edfe91da90ebee24b51d3c6
SHA1fc36350b93c6974865eaa7f00a98fa281d1ff7fd
SHA25635d0bbb6787ae3fb3e155f2eaad36e5f4bb5255e7bb95b759790cc3cc048839d
SHA51297278bb3967c6ec10d221820d0d50d3582e6fd3975318c882efbecc6b87bfc83f9f58d927e81ecb95ea8a510929591834a27a23e56dc38e8d091f95f9a31ca14
-
C:\Users\Admin\AppData\Roaming\oxzCqvVlSa.jsFilesize
2KB
MD529b681188f244157da1f2aeaad0f2a54
SHA10f1707a44b5b1667eae03a0612512046b7154e09
SHA25658975ae344dcd7129a5c308f3dc70f83b40e0645ced49dbf8ffebbfcec2e6669
SHA512e0e77d025de3c8529cabe745a4339e35e6e68ce95004f63529a1d2f1409be7ee4d82adfc1fb175cf56ae460b1936a5b73eec8ff030861e4e60c2d473425e940a
-
memory/1700-132-0x0000000000000000-mapping.dmp
-
memory/2440-137-0x0000000000000000-mapping.dmp
-
memory/4688-134-0x0000000000000000-mapping.dmp