Analysis
-
max time kernel
91s -
max time network
134s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system -
submitted
20-09-2022 15:42
Static task
static1
Behavioral task
behavioral1
Sample
Payment_PDF.js
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
Payment_PDF.js
Resource
win10v2004-20220812-en
General
-
Target
Payment_PDF.js
-
Size
416KB
-
MD5
f5be5e836574332778a1746fd621a65f
-
SHA1
098ed47a50e7ca7845148162f44fbe4fba5985bd
-
SHA256
9ccdfb4952cfba51e3296f63efede3e363a9406dcf887ecbc8467f8d3b974f31
-
SHA512
fba821a045d0c20d7a9e9ec34e9e04744f6d16e45ed6de319546bdf4051f2a64ef42b37d0f3c469d45280d846d291a7602b075af6e1ad9e63573273d7491b5d4
-
SSDEEP
6144:XWuS/GKH18Vhwsm8JWhz660+O3qamLA6cuZPrX5Enr24XenZ7TAJo3uO:XWuiNcJWhz65z3q+6c+PTG67d
Malware Config
Signatures
-
NetWire RAT payload 4 IoCs
Processes:
resource                                                     yara_rule
C:\Users\Admin\AppData\Roaming\Host Ip 185.216.71.251.exe    netwire
C:\Users\Admin\AppData\Roaming\Host Ip 185.216.71.251.exe    netwire
C:\Users\Admin\AppData\Roaming\Gooogle\Note.exe              netwire
C:\Users\Admin\AppData\Roaming\Gooogle\Note.exe              netwire
-
Executes dropped EXE 2 IoCs
Processes:
pid    process
3328   Host Ip 185.216.71.251.exe
3740   Note.exe
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description         ioc                                                                                                    process
Key value queried   \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation   Host Ip 185.216.71.251.exe
Key value queried   \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation   wscript.exe
-
Drops startup file 1 IoCs
Processes:
description    ioc                                                                                          process
File created   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Notepad.lnk   Note.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description       ioc                                                                                                                                                                          process
Key created       \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\                                                                Note.exe
Set value (str)   \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\)Ô‡OûPN»t@÷áh = "C:\\Users\\Admin\\AppData\\Roaming\\Gooogle\\Note.exe"   Note.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this likely ransomware behaviour; for a NetWire RAT sample it is better read as drive enumeration in support of the RAT's remote file-manager feature, and this report records no file encryption or mass-rename activity.
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
description                          pid    process                       target process
PID 1488 wrote to memory of 2064     1488   wscript.exe                   wscript.exe
PID 1488 wrote to memory of 2064     1488   wscript.exe                   wscript.exe
PID 1488 wrote to memory of 3328     1488   wscript.exe                   Host Ip 185.216.71.251.exe
PID 1488 wrote to memory of 3328     1488   wscript.exe                   Host Ip 185.216.71.251.exe
PID 1488 wrote to memory of 3328     1488   wscript.exe                   Host Ip 185.216.71.251.exe
PID 3328 wrote to memory of 3740     3328   Host Ip 185.216.71.251.exe    Note.exe
PID 3328 wrote to memory of 3740     3328   Host Ip 185.216.71.251.exe    Note.exe
PID 3328 wrote to memory of 3740     3328   Host Ip 185.216.71.251.exe    Note.exe
Processes
-
1  C:\Windows\system32\wscript.exe
   wscript.exe C:\Users\Admin\AppData\Local\Temp\Payment_PDF.js
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   -
   2  C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\PXuBjPMVOC.js"
   -
   2  C:\Users\Admin\AppData\Roaming\Host Ip 185.216.71.251.exe
      "C:\Users\Admin\AppData\Roaming\Host Ip 185.216.71.251.exe"
      - Executes dropped EXE
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory
      -
      3  C:\Users\Admin\AppData\Roaming\Gooogle\Note.exe
         "C:\Users\Admin\AppData\Roaming\Gooogle\Note.exe"
         - Executes dropped EXE
         - Drops startup file
         - Adds Run key to start application
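The process tree and the signatures above describe one chain: wscript.exe runs the lure from Temp, launches a second-stage script with //B (batch mode, which suppresses script errors and prompts), spawns an executable from AppData\Roaming whose name carries an IP literal, and that executable copies itself to a Gooogle folder and persists via a Run value and a Startup-folder shortcut. The Python below is an added example and not part of the sandbox report: it encodes those observations as hunting rules and runs them over event records constructed by hand from the report (the Sysmon-like field names are an assumption; the benign notepad.exe/Agent.exe control events are invented so the rules can be shown not to fire on them). The SID, paths and command lines are the ones the report shows; the unprintable Run value name is omitted.

```python
"""Hunting rules derived from the Payment_PDF.js report (added example, not sandbox output)."""
import re
from collections import defaultdict

SID = r"\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000"

# Constructed events modelled on the report's process tree; field names are an assumption.
EVENTS = [
    {"type": "process_create", "pid": 1488, "ppid": 700,
     "image": r"C:\Windows\system32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\Admin\AppData\Local\Temp\Payment_PDF.js"},
    {"type": "process_create", "pid": 2064, "ppid": 1488,
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\PXuBjPMVOC.js"'},
    {"type": "process_create", "pid": 3328, "ppid": 1488,
     "image": r"C:\Users\Admin\AppData\Roaming\Host Ip 185.216.71.251.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Roaming\Host Ip 185.216.71.251.exe"'},
    {"type": "registry_query", "pid": 3328,
     "key": SID + r"\Control Panel\International\Geo\Nation"},
    {"type": "process_create", "pid": 3740, "ppid": 3328,
     "image": r"C:\Users\Admin\AppData\Roaming\Gooogle\Note.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Roaming\Gooogle\Note.exe"'},
    {"type": "registry_set", "pid": 3740,   # real value name is unprintable; omitted
     "key": SID + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "data": r"C:\Users\Admin\AppData\Roaming\Gooogle\Note.exe"},
    {"type": "file_create", "pid": 3740,
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Notepad.lnk"},
    # Invented benign control: a system binary registering a Program Files agent (assumption).
    {"type": "process_create", "pid": 4100, "ppid": 4000,
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
    {"type": "registry_set", "pid": 4100,
     "key": SID + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "data": r"C:\Program Files\Vendor\Agent.exe"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\(Roaming|Local\\Temp)\\", re.I)
BATCH_MODE = re.compile(r"\s//b\b", re.I)                       # wscript //B switch
IPV4_LITERAL = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\?$", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
GEO_NATION = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def analyse(events):
    """Return {pid: [finding, ...]} for every process that trips at least one rule."""
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}
    findings = defaultdict(list)
    for e in events:
        hit = findings[e["pid"]].append
        if e["type"] == "process_create":
            name = basename(e["image"])
            parent = procs.get(e["ppid"])
            if name in SCRIPT_HOSTS:
                if BATCH_MODE.search(e["cmdline"]):
                    hit("script host started in batch mode (//B)")
                if USER_WRITABLE.search(e["cmdline"]):
                    hit("script host running a script from a user-writable directory")
            elif parent and basename(parent["image"]) in SCRIPT_HOSTS:
                hit("executable spawned by a script host")
            if USER_WRITABLE.search(e["image"]):
                hit("executable running from a user-writable directory")
            if IPV4_LITERAL.search(name):
                hit("IPv4 literal embedded in the executable name")
        elif e["type"] == "registry_set":
            if RUN_KEY.search(e["key"]) and USER_WRITABLE.search(e["data"]):
                hit("Run key points into a user-writable directory")
        elif e["type"] == "file_create":
            if STARTUP_DIR.search(e["path"]) and e["path"].lower().endswith(".lnk"):
                hit("shortcut dropped into the Startup folder")
        elif e["type"] == "registry_query":
            if GEO_NATION.search(e["key"]):
                hit("queried Geo\\Nation (possible geofencing)")
    # Drop pids the defaultdict created without any finding (the benign controls).
    return {pid: hits for pid, hits in findings.items() if hits}


def process_chain(events, pid):
    """Ancestry of pid as image basenames, root first (stops at the first unknown parent)."""
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}
    chain = []
    while pid in procs:
        chain.append(basename(procs[pid]["image"]))
        pid = procs[pid]["ppid"]
    return chain[::-1]


if __name__ == "__main__":
    for pid, hits in analyse(EVENTS).items():
        print(pid, " > ".join(process_chain(EVENTS, pid)), "|", "; ".join(hits))
```

Run stand-alone it lists the four malicious PIDs with their ancestry and findings and stays silent on the benign control; on real telemetry the same rules would be fed from Sysmon event IDs 1 (process create), 11 (file create), 12/13 (registry) after mapping those fields onto the record shape used here.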
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Roaming\Gooogle\Note.exe
Filesize   227KB
MD5        a8edd52c5edfe91da90ebee24b51d3c6
SHA1       fc36350b93c6974865eaa7f00a98fa281d1ff7fd
SHA256     35d0bbb6787ae3fb3e155f2eaad36e5f4bb5255e7bb95b759790cc3cc048839d
SHA512     97278bb3967c6ec10d221820d0d50d3582e6fd3975318c882efbecc6b87bfc83f9f58d927e81ecb95ea8a510929591834a27a23e56dc38e8d091f95f9a31ca14
-
C:\Users\Admin\AppData\Roaming\Host Ip 185.216.71.251.exe
Filesize   227KB
MD5        a8edd52c5edfe91da90ebee24b51d3c6
SHA1       fc36350b93c6974865eaa7f00a98fa281d1ff7fd
SHA256     35d0bbb6787ae3fb3e155f2eaad36e5f4bb5255e7bb95b759790cc3cc048839d
SHA512     97278bb3967c6ec10d221820d0d50d3582e6fd3975318c882efbecc6b87bfc83f9f58d927e81ecb95ea8a510929591834a27a23e56dc38e8d091f95f9a31ca14
Note: every hash matches Gooogle\Note.exe, so Note.exe is a byte-identical copy of this first-stage drop relocated for persistence.
-
C:\Users\Admin\AppData\Roaming\PXuBjPMVOC.js
Filesize   3KB
MD5        d29a81dca145e2c8e4fe0cd841c7f0b1
SHA1       40ddc0481967acd0a6ef243588b4040aa2628c0c
SHA256     9617cedbeac15fa6287ee42ff30557d2edbae5b85267be757c368dcce56a9cf8
SHA512     8e7a7b676abcd163b7cead6440c614098977460abc61f257cf410f70e0b6ae87bfd8ee64bba29df78e11bcfbb39b0c639c61f2b676b07d817d02f181cf51e7e7
-
memory/2064-132-0x0000000000000000-mapping.dmp
-
memory/3328-134-0x0000000000000000-mapping.dmp
-
memory/3740-137-0x0000000000000000-mapping.dmp