Analysis
-
max time kernel
43s -
max time network
131s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
20-09-2022 15:42
Static task
static1
Behavioral task
behavioral1
Sample
Payment_PDF.js
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
Payment_PDF.js
Resource
win10v2004-20220812-en
General
-
Target
Payment_PDF.js
-
Size
416KB
-
MD5
f5be5e836574332778a1746fd621a65f
-
SHA1
098ed47a50e7ca7845148162f44fbe4fba5985bd
-
SHA256
9ccdfb4952cfba51e3296f63efede3e363a9406dcf887ecbc8467f8d3b974f31
-
SHA512
fba821a045d0c20d7a9e9ec34e9e04744f6d16e45ed6de319546bdf4051f2a64ef42b37d0f3c469d45280d846d291a7602b075af6e1ad9e63573273d7491b5d4
-
SSDEEP
6144:XWuS/GKH18Vhwsm8JWhz660+O3qamLA6cuZPrX5Enr24XenZ7TAJo3uO:XWuiNcJWhz65z3q+6c+PTG67d
Malware Config
Signatures
-
NetWire RAT payload 7 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Roaming\Host Ip 185.216.71.251.exe netwire C:\Users\Admin\AppData\Roaming\Host Ip 185.216.71.251.exe netwire \Users\Admin\AppData\Roaming\Gooogle\Note.exe netwire \Users\Admin\AppData\Roaming\Gooogle\Note.exe netwire C:\Users\Admin\AppData\Roaming\Gooogle\Note.exe netwire C:\Users\Admin\AppData\Roaming\Gooogle\Note.exe netwire \Users\Admin\AppData\Roaming\Gooogle\Note.exe netwire -
Executes dropped EXE 2 IoCs
Processes:
Host Ip 185.216.71.251.exeNote.exepid process 2016 Host Ip 185.216.71.251.exe 956 Note.exe -
Drops startup file 1 IoCs
Processes:
Note.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Notepad.lnk Note.exe -
Loads dropped DLL 3 IoCs
Processes:
Host Ip 185.216.71.251.exeNote.exepid process 2016 Host Ip 185.216.71.251.exe 2016 Host Ip 185.216.71.251.exe 956 Note.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
Note.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ Note.exe Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\)Ô‡OûPN»t@÷áh = "C:\\Users\\Admin\\AppData\\Roaming\\Gooogle\\Note.exe" Note.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
wscript.exeHost Ip 185.216.71.251.exedescription pid process target process PID 1088 wrote to memory of 276 1088 wscript.exe wscript.exe PID 1088 wrote to memory of 276 1088 wscript.exe wscript.exe PID 1088 wrote to memory of 276 1088 wscript.exe wscript.exe PID 1088 wrote to memory of 2016 1088 wscript.exe Host Ip 185.216.71.251.exe PID 1088 wrote to memory of 2016 1088 wscript.exe Host Ip 185.216.71.251.exe PID 1088 wrote to memory of 2016 1088 wscript.exe Host Ip 185.216.71.251.exe PID 1088 wrote to memory of 2016 1088 wscript.exe Host Ip 185.216.71.251.exe PID 2016 wrote to memory of 956 2016 Host Ip 185.216.71.251.exe Note.exe PID 2016 wrote to memory of 956 2016 Host Ip 185.216.71.251.exe Note.exe PID 2016 wrote to memory of 956 2016 Host Ip 185.216.71.251.exe Note.exe PID 2016 wrote to memory of 956 2016 Host Ip 185.216.71.251.exe Note.exe
Processes
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\Payment_PDF.js1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\PXuBjPMVOC.js"2⤵
-
C:\Users\Admin\AppData\Roaming\Host Ip 185.216.71.251.exe"C:\Users\Admin\AppData\Roaming\Host Ip 185.216.71.251.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Gooogle\Note.exe"C:\Users\Admin\AppData\Roaming\Gooogle\Note.exe"3⤵
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Gooogle\Note.exeFilesize
227KB
MD5a8edd52c5edfe91da90ebee24b51d3c6
SHA1fc36350b93c6974865eaa7f00a98fa281d1ff7fd
SHA25635d0bbb6787ae3fb3e155f2eaad36e5f4bb5255e7bb95b759790cc3cc048839d
SHA51297278bb3967c6ec10d221820d0d50d3582e6fd3975318c882efbecc6b87bfc83f9f58d927e81ecb95ea8a510929591834a27a23e56dc38e8d091f95f9a31ca14
-
C:\Users\Admin\AppData\Roaming\Gooogle\Note.exeFilesize
227KB
MD5a8edd52c5edfe91da90ebee24b51d3c6
SHA1fc36350b93c6974865eaa7f00a98fa281d1ff7fd
SHA25635d0bbb6787ae3fb3e155f2eaad36e5f4bb5255e7bb95b759790cc3cc048839d
SHA51297278bb3967c6ec10d221820d0d50d3582e6fd3975318c882efbecc6b87bfc83f9f58d927e81ecb95ea8a510929591834a27a23e56dc38e8d091f95f9a31ca14
-
C:\Users\Admin\AppData\Roaming\Host Ip 185.216.71.251.exeFilesize
227KB
MD5a8edd52c5edfe91da90ebee24b51d3c6
SHA1fc36350b93c6974865eaa7f00a98fa281d1ff7fd
SHA25635d0bbb6787ae3fb3e155f2eaad36e5f4bb5255e7bb95b759790cc3cc048839d
SHA51297278bb3967c6ec10d221820d0d50d3582e6fd3975318c882efbecc6b87bfc83f9f58d927e81ecb95ea8a510929591834a27a23e56dc38e8d091f95f9a31ca14
-
C:\Users\Admin\AppData\Roaming\Host Ip 185.216.71.251.exeFilesize
227KB
MD5a8edd52c5edfe91da90ebee24b51d3c6
SHA1fc36350b93c6974865eaa7f00a98fa281d1ff7fd
SHA25635d0bbb6787ae3fb3e155f2eaad36e5f4bb5255e7bb95b759790cc3cc048839d
SHA51297278bb3967c6ec10d221820d0d50d3582e6fd3975318c882efbecc6b87bfc83f9f58d927e81ecb95ea8a510929591834a27a23e56dc38e8d091f95f9a31ca14
-
C:\Users\Admin\AppData\Roaming\PXuBjPMVOC.jsFilesize
3KB
MD5d29a81dca145e2c8e4fe0cd841c7f0b1
SHA140ddc0481967acd0a6ef243588b4040aa2628c0c
SHA2569617cedbeac15fa6287ee42ff30557d2edbae5b85267be757c368dcce56a9cf8
SHA5128e7a7b676abcd163b7cead6440c614098977460abc61f257cf410f70e0b6ae87bfd8ee64bba29df78e11bcfbb39b0c639c61f2b676b07d817d02f181cf51e7e7
-
\Users\Admin\AppData\Roaming\Gooogle\Note.exeFilesize
227KB
MD5a8edd52c5edfe91da90ebee24b51d3c6
SHA1fc36350b93c6974865eaa7f00a98fa281d1ff7fd
SHA25635d0bbb6787ae3fb3e155f2eaad36e5f4bb5255e7bb95b759790cc3cc048839d
SHA51297278bb3967c6ec10d221820d0d50d3582e6fd3975318c882efbecc6b87bfc83f9f58d927e81ecb95ea8a510929591834a27a23e56dc38e8d091f95f9a31ca14
-
\Users\Admin\AppData\Roaming\Gooogle\Note.exeFilesize
227KB
MD5a8edd52c5edfe91da90ebee24b51d3c6
SHA1fc36350b93c6974865eaa7f00a98fa281d1ff7fd
SHA25635d0bbb6787ae3fb3e155f2eaad36e5f4bb5255e7bb95b759790cc3cc048839d
SHA51297278bb3967c6ec10d221820d0d50d3582e6fd3975318c882efbecc6b87bfc83f9f58d927e81ecb95ea8a510929591834a27a23e56dc38e8d091f95f9a31ca14
-
\Users\Admin\AppData\Roaming\Gooogle\Note.exeFilesize
227KB
MD5a8edd52c5edfe91da90ebee24b51d3c6
SHA1fc36350b93c6974865eaa7f00a98fa281d1ff7fd
SHA25635d0bbb6787ae3fb3e155f2eaad36e5f4bb5255e7bb95b759790cc3cc048839d
SHA51297278bb3967c6ec10d221820d0d50d3582e6fd3975318c882efbecc6b87bfc83f9f58d927e81ecb95ea8a510929591834a27a23e56dc38e8d091f95f9a31ca14
-
memory/276-55-0x0000000000000000-mapping.dmp
-
memory/956-63-0x0000000000000000-mapping.dmp
-
memory/1088-54-0x000007FEFBE61000-0x000007FEFBE63000-memory.dmpFilesize
8KB
-
memory/2016-57-0x0000000000000000-mapping.dmp
-
memory/2016-59-0x0000000075241000-0x0000000075243000-memory.dmpFilesize
8KB