Analysis
- max time kernel: 108s
- max time network: 157s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19-09-2022 16:45
Static task
- static1
Behavioral task
- behavioral1: Sample Quote_PDF.js, Resource win7-20220901-en
Behavioral task
- behavioral2: Sample Quote_PDF.js, Resource win10v2004-20220901-en
General
- Target: Quote_PDF.js
- Size: 417KB
- MD5: 10ea52784165e94c2b8d62029f47fc2f
- SHA1: 9f3d0e42cbe82beeb4a467b78d612ce89fddfa41
- SHA256: 883a1fb015a99ca444237d8d48187d9cca44ed7daa3dfe0c21836fb207047c7a
- SHA512: 6f9e9f4136fedf90bd836abaf2cf51c67b822509f01b9d8a19fabcd327a190324e25ece949f4c5a2408648b2214c1a5ee3f0a6e98d4b14f405f6d29d97b096f5
- SSDEEP: 6144:hN8ML4yxnebd6j+IjhS6EzYYosOquA4nfuqQiWYl69Sjrh54:nL40yIjNQYYoWuA4nWqQK6ut54
Malware Config
Signatures
- NetWire RAT payload (4 IoCs)
  Processes (resource | yara_rule):
  C:\Users\Admin\AppData\Roaming\Host Ip 185.216.71.251.exe | netwire
  C:\Users\Admin\AppData\Roaming\Host Ip 185.216.71.251.exe | netwire
  C:\Users\Admin\AppData\Roaming\Gooogle\Note.exe | netwire
  C:\Users\Admin\AppData\Roaming\Gooogle\Note.exe | netwire
- Executes dropped EXE (2 IoCs)
  Processes (pid | process):
  224 | Host Ip 185.216.71.251.exe
  3748 | Note.exe
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  Processes (description | ioc | process):
  Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | Host Ip 185.216.71.251.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | wscript.exe
- Drops startup file (1 IoC)
  Processes (description | ioc | process):
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Notepad.lnk | Note.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description | ioc | process):
  Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ | Note.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\)Ô‡OûPN»t@÷áh = "C:\\Users\\Admin\\AppData\\Roaming\\Gooogle\\Note.exe" | Note.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description | pid | process | target process):
  PID 2092 wrote to memory of 4292 | 2092 | wscript.exe | wscript.exe
  PID 2092 wrote to memory of 4292 | 2092 | wscript.exe | wscript.exe
  PID 2092 wrote to memory of 224 | 2092 | wscript.exe | Host Ip 185.216.71.251.exe
  PID 2092 wrote to memory of 224 | 2092 | wscript.exe | Host Ip 185.216.71.251.exe
  PID 2092 wrote to memory of 224 | 2092 | wscript.exe | Host Ip 185.216.71.251.exe
  PID 224 wrote to memory of 3748 | 224 | Host Ip 185.216.71.251.exe | Note.exe
  PID 224 wrote to memory of 3748 | 224 | Host Ip 185.216.71.251.exe | Note.exe
  PID 224 wrote to memory of 3748 | 224 | Host Ip 185.216.71.251.exe | Note.exe
Processes
- C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\Quote_PDF.js
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\wscript.exe
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\jYFftRlXJm.js"
  - C:\Users\Admin\AppData\Roaming\Host Ip 185.216.71.251.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Host Ip 185.216.71.251.exe"
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Gooogle\Note.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Gooogle\Note.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Gooogle\Note.exe
  Filesize: 227KB
  MD5: a8edd52c5edfe91da90ebee24b51d3c6
  SHA1: fc36350b93c6974865eaa7f00a98fa281d1ff7fd
  SHA256: 35d0bbb6787ae3fb3e155f2eaad36e5f4bb5255e7bb95b759790cc3cc048839d
  SHA512: 97278bb3967c6ec10d221820d0d50d3582e6fd3975318c882efbecc6b87bfc83f9f58d927e81ecb95ea8a510929591834a27a23e56dc38e8d091f95f9a31ca14
- C:\Users\Admin\AppData\Roaming\Host Ip 185.216.71.251.exe
  Filesize: 227KB
  MD5: a8edd52c5edfe91da90ebee24b51d3c6
  SHA1: fc36350b93c6974865eaa7f00a98fa281d1ff7fd
  SHA256: 35d0bbb6787ae3fb3e155f2eaad36e5f4bb5255e7bb95b759790cc3cc048839d
  SHA512: 97278bb3967c6ec10d221820d0d50d3582e6fd3975318c882efbecc6b87bfc83f9f58d927e81ecb95ea8a510929591834a27a23e56dc38e8d091f95f9a31ca14
- C:\Users\Admin\AppData\Roaming\jYFftRlXJm.js
  Filesize: 2KB
  MD5: 0c4a6227be19f00194b85c415692ba2d
  SHA1: 0b27682637636a1dff71247558bb852128c1e90e
  SHA256: 972dd28bf03d9c4437b9b2d0c13563a039b44386c43c1adc2bc23e29bb7f7d06
  SHA512: 2799ee01736f214e20d645c1e06a9cbcc2da84db53c683e6bd1978c1d3bff7df2d0f64236298e18a164b88796eed6fc258987a84df16f3969241307d89bbd87d
- memory/224-134-0x0000000000000000-mapping.dmp
- memory/3748-137-0x0000000000000000-mapping.dmp
- memory/4292-132-0x0000000000000000-mapping.dmp