Overview

overview

10

Static

static

Payment_PDF.js

windows7-x64

10

Payment_PDF.js

windows10-2004-x64

10

Analysis

  • max time kernel
    91s
  • max time network
    134s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-09-2022 15:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Payment_PDF.js

  • Size

    416KB

  • MD5

    f5be5e836574332778a1746fd621a65f

  • SHA1

    098ed47a50e7ca7845148162f44fbe4fba5985bd

  • SHA256

    9ccdfb4952cfba51e3296f63efede3e363a9406dcf887ecbc8467f8d3b974f31

  • SHA512

    fba821a045d0c20d7a9e9ec34e9e04744f6d16e45ed6de319546bdf4051f2a64ef42b37d0f3c469d45280d846d291a7602b075af6e1ad9e63573273d7491b5d4

  • SSDEEP

    6144:XWuS/GKH18Vhwsm8JWhz660+O3qamLA6cuZPrX5Enr24XenZ7TAJo3uO:XWuiNcJWhz65z3q+6c+PTG67d

Score
10/10
netwirebotnetpersistenceratstealer

Malware Config

Signatures

  • NetWire RAT payload 4 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\Payment_PDF.js
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1488
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\PXuBjPMVOC.js"
      2⤵
        PID:2064
      • C:\Users\Admin\AppData\Roaming\Host Ip 185.216.71.251.exe
        "C:\Users\Admin\AppData\Roaming\Host Ip 185.216.71.251.exe"
        2⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:3328
        • C:\Users\Admin\AppData\Roaming\Gooogle\Note.exe
          "C:\Users\Admin\AppData\Roaming\Gooogle\Note.exe"
          3⤵
          • Executes dropped EXE
          • Drops startup file
          • Adds Run key to start application
          PID:3740

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Gooogle\Note.exe
      Filesize

      227KB

      MD5

      a8edd52c5edfe91da90ebee24b51d3c6

      SHA1

      fc36350b93c6974865eaa7f00a98fa281d1ff7fd

      SHA256

      35d0bbb6787ae3fb3e155f2eaad36e5f4bb5255e7bb95b759790cc3cc048839d

      SHA512

      97278bb3967c6ec10d221820d0d50d3582e6fd3975318c882efbecc6b87bfc83f9f58d927e81ecb95ea8a510929591834a27a23e56dc38e8d091f95f9a31ca14

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Gooogle\Note.exe
      Filesize

      227KB

      MD5

      a8edd52c5edfe91da90ebee24b51d3c6

      SHA1

      fc36350b93c6974865eaa7f00a98fa281d1ff7fd

      SHA256

      35d0bbb6787ae3fb3e155f2eaad36e5f4bb5255e7bb95b759790cc3cc048839d

      SHA512

      97278bb3967c6ec10d221820d0d50d3582e6fd3975318c882efbecc6b87bfc83f9f58d927e81ecb95ea8a510929591834a27a23e56dc38e8d091f95f9a31ca14

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Host Ip 185.216.71.251.exe
      Filesize

      227KB

      MD5

      a8edd52c5edfe91da90ebee24b51d3c6

      SHA1

      fc36350b93c6974865eaa7f00a98fa281d1ff7fd

      SHA256

      35d0bbb6787ae3fb3e155f2eaad36e5f4bb5255e7bb95b759790cc3cc048839d

      SHA512

      97278bb3967c6ec10d221820d0d50d3582e6fd3975318c882efbecc6b87bfc83f9f58d927e81ecb95ea8a510929591834a27a23e56dc38e8d091f95f9a31ca14

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Host Ip 185.216.71.251.exe
      Filesize

      227KB

      MD5

      a8edd52c5edfe91da90ebee24b51d3c6

      SHA1

      fc36350b93c6974865eaa7f00a98fa281d1ff7fd

      SHA256

      35d0bbb6787ae3fb3e155f2eaad36e5f4bb5255e7bb95b759790cc3cc048839d

      SHA512

      97278bb3967c6ec10d221820d0d50d3582e6fd3975318c882efbecc6b87bfc83f9f58d927e81ecb95ea8a510929591834a27a23e56dc38e8d091f95f9a31ca14

      Download Submit
    • C:\Users\Admin\AppData\Roaming\PXuBjPMVOC.js
      Filesize

      3KB

      MD5

      d29a81dca145e2c8e4fe0cd841c7f0b1

      SHA1

      40ddc0481967acd0a6ef243588b4040aa2628c0c

      SHA256

      9617cedbeac15fa6287ee42ff30557d2edbae5b85267be757c368dcce56a9cf8

      SHA512

      8e7a7b676abcd163b7cead6440c614098977460abc61f257cf410f70e0b6ae87bfd8ee64bba29df78e11bcfbb39b0c639c61f2b676b07d817d02f181cf51e7e7

      Download Submit
    • memory/2064-132-0x0000000000000000-mapping.dmp
      Download
    • memory/3328-134-0x0000000000000000-mapping.dmp
      Download
    • memory/3740-137-0x0000000000000000-mapping.dmp
      Download