Analysis
- max time kernel: 136s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19-09-2022 08:10
Static task: static1
Behavioral task: behavioral1
Sample: Invoice No.000733487303.js
Resource: win7-20220812-en
General
- Target: Invoice No.000733487303.js
- Size: 496KB
- MD5: 7b76b56837fad8241f10604c44de493f
- SHA1: b8575dc549f905dd9fddecc254232914abaaffe2
- SHA256: 09893a238f6a7dc6bcf685f566dd57f6a968b08d244e6e56e677a8070a4b595a
- SHA512: b37eed33098fb2c85b7cd1a14c77b2d77d8f34ed480f00e5491e0479798e46ec5f2de22b9299ff9c0882c0fc60e494e7dc9cb966562bc2af39c9d642a2b42c45
- SSDEEP: 12288:n19SpUzm9WbccaebiM2fQ/ihctOe0prNzhKWyKQSg9y:n1QB9BeIzgWyO
Malware Config
Extracted: netwire
whiteking.giize.com:4040
- activex_autorun: false
- copy_executable: false
- delete_original: false
- host_id: DEGRACE
- lock_executable: false
- offline_keylogger: false
- password: Password
- registry_autorun: false
- use_mutex: false
Signatures
- NetWire RAT payload (2 IoCs)
  Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Roaming\netwireserver.exe | netwire
  C:\Users\Admin\AppData\Roaming\netwireserver.exe | netwire
- Executes dropped EXE (1 IoCs)
  Processes:
  pid | process
  4892 | netwireserver.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | wscript.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes:
  description | pid | process | target process
  PID 2472 wrote to memory of 2828 | 2472 | wscript.exe | wscript.exe
  PID 2472 wrote to memory of 2828 | 2472 | wscript.exe | wscript.exe
  PID 2472 wrote to memory of 4892 | 2472 | wscript.exe | netwireserver.exe
  PID 2472 wrote to memory of 4892 | 2472 | wscript.exe | netwireserver.exe
  PID 2472 wrote to memory of 4892 | 2472 | wscript.exe | netwireserver.exe
Processes
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\Users\Admin\AppData\Local\Temp\Invoice No.000733487303.js"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\ExbOvJypFy.js"
  - C:\Users\Admin\AppData\Roaming\netwireserver.exe
    "C:\Users\Admin\AppData\Roaming\netwireserver.exe"
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\ExbOvJypFy.js
  Filesize: 2KB
  MD5: b77d47c39e0c9fe59cc7df2c14a87df2
  SHA1: 26e6ca612d84f38d1dbd5272d81c055f53d6997b
  SHA256: 149c4919415370e2026d9e27236da259ae8323b96b6137e40a09887407fe06c9
  SHA512: 024174fd2b4c5dbc14f639dc5504290ec69ad2a4c4abcae20f27b7e6a14ede82142a7b62048513def6bdd4b2cb8c3776b02e870c5d30df22fc7a12303db0a55f
- C:\Users\Admin\AppData\Roaming\netwireserver.exe
  Filesize: 273KB
  MD5: 223b394e981299efbe848a1f9cba4703
  SHA1: 20f0c01df17630641aeb9d85410c98b5a77e06b1
  SHA256: 86d278bf55d25df08ce3b1c46513c6e38da84bf143a059bdbb53c91c564ae211
  SHA512: fe2e25335de2a99ae203aeafb217578e86a4962d35dcd0500b538383a4a4621ce0eb9726d837d5a39d45f841486eaac29a8f28af88bbfd91382254dc09f366f0
- memory/2828-132-0x0000000000000000-mapping.dmp
- memory/4892-134-0x0000000000000000-mapping.dmp