Analysis

  • max time kernel
    150s
  • max time network
    180s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19-09-2022 16:45

General

  • Target

    Boat Payment _PDF .js

  • Size

    413KB

  • MD5

    440e7b02be54dea36dc1e4d3c74d6588

  • SHA1

    27c1511dda1e07dc181b99a270d70694b24aa12e

  • SHA256

    ff2e6769db544063dcdcae55887971681a32e21c7a468eae2375971d5c5ee36c

  • SHA512

    8986f8dcc2daa88e8c78973f767aa98be7ecf3457f4d9c8e3cedb69aee831b5c0a3cb5ce54067a1ebe72ce8ec9d1f9da90694abb74089cd954deebcee4eccbe2

  • SSDEEP

    6144:C1YSEPt0WHnHp0I2hHo9KUusuNv1p0Y8JLHFjnaW2x5t4SxZY:C1YSpWHKI9Kcwv1p+JLHFzaWeHbY

Malware Config

Signatures

  • NetWire RAT payload 4 IoCs
  • Netwire

    Netwire is a RAT whose main functionality is focused on password stealing and keylogging, but it also includes remote control capabilities.

  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe "C:\Users\Admin\AppData\Local\Temp\Boat Payment _PDF .js"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2100
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\FLyVAXBmCl.js"
      2⤵
        PID:820
      • C:\Users\Admin\AppData\Roaming\Host Ip 185.216.71.251.exe
        "C:\Users\Admin\AppData\Roaming\Host Ip 185.216.71.251.exe"
        2⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:2496
        • C:\Users\Admin\AppData\Roaming\Gooogle\Note.exe
          "C:\Users\Admin\AppData\Roaming\Gooogle\Note.exe"
          3⤵
          • Executes dropped EXE
          • Drops startup file
          • Adds Run key to start application
          PID:4236

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    • Persistence
      Registry Run Keys / Startup Folder (1) T1060
    • Defense Evasion
      Modify Registry (1) T1112
    • Discovery
      Query Registry (1) T1012
      System Information Discovery (2) T1082

    Downloads

    • C:\Users\Admin\AppData\Roaming\FLyVAXBmCl.js
      Filesize

      2KB

      MD5

      03fb27f948516898cddf9f37c560bdba

      SHA1

      e458fd85cb0d667cbf3319a56dcce21053788b9b

      SHA256

      fbb4f847e669f9154306792b1e977e5534475863c6a4520db89cb0644fe3d95c

      SHA512

      318b80684314b6996c52d97c9716ef894079fcaf6aa41db317f5d5cce0e610a20e9f9bacc481bb7afcfece77347dbfa5967c873ae1ee9baf62c42060b2ea623c

    • C:\Users\Admin\AppData\Roaming\Gooogle\Note.exe
      Filesize

      227KB

      MD5

      a8edd52c5edfe91da90ebee24b51d3c6

      SHA1

      fc36350b93c6974865eaa7f00a98fa281d1ff7fd

      SHA256

      35d0bbb6787ae3fb3e155f2eaad36e5f4bb5255e7bb95b759790cc3cc048839d

      SHA512

      97278bb3967c6ec10d221820d0d50d3582e6fd3975318c882efbecc6b87bfc83f9f58d927e81ecb95ea8a510929591834a27a23e56dc38e8d091f95f9a31ca14

    • C:\Users\Admin\AppData\Roaming\Host Ip 185.216.71.251.exe
      Filesize

      227KB

      MD5

      a8edd52c5edfe91da90ebee24b51d3c6

      SHA1

      fc36350b93c6974865eaa7f00a98fa281d1ff7fd

      SHA256

      35d0bbb6787ae3fb3e155f2eaad36e5f4bb5255e7bb95b759790cc3cc048839d

      SHA512

      97278bb3967c6ec10d221820d0d50d3582e6fd3975318c882efbecc6b87bfc83f9f58d927e81ecb95ea8a510929591834a27a23e56dc38e8d091f95f9a31ca14

    • memory/820-132-0x0000000000000000-mapping.dmp
    • memory/2496-134-0x0000000000000000-mapping.dmp
    • memory/4236-137-0x0000000000000000-mapping.dmp