Analysis

max time kernel: 142s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-10-2022 13:21

Static task: static1
Behavioral task: behavioral1
Sample: PO20221110-PDF.js
Resource: win7-20220812-en
General

Target: PO20221110-PDF.js
Size: 511KB
MD5: abb2c006b96920466b3ccf956f734e3b
SHA1: 23ba08441fb0f5bad93a2d258fe72bfb429b1250
SHA256: 94f02513d9ba859ff486e5e7514c2ca656d2fc5979576da44d68726d9d03de2d
SHA512: 4ebbee2d4d067ab93a05ae12afba09e744a003428169916d93cb47774e66c1eb99f1b9e7627580e844a4c99dc5b22dfefa88c8acc22fa6329f92060ce5a6751c
SSDEEP: 12288:X4asKyOMBGvENnL8m4wNTUewr4ZOFQLlvaVHDT73tNBcQmXOFjL3veFL:N56MEZ74BwQJjL3vY
Malware Config

Extracted
Family: netwire
C2: jspowerone.cloudns.nz:8078
activex_autorun: false
copy_executable: false
delete_original: false
host_id: DN
install_path: %AppData%\Install\Host.exe
keylogger_dir: TestLink.lnk
lock_executable: false
mutex: wLPvLQMO
offline_keylogger: false
password: Password
registry_autorun: false
use_mutex: false
Signatures

NetWire RAT payload (4 IoCs)
Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Roaming\Host DNS.exe | netwire
  C:\Users\Admin\AppData\Roaming\Host DNS.exe | netwire
  C:\Users\Admin\AppData\Roaming\Install\Host.exe | netwire
  C:\Users\Admin\AppData\Roaming\Install\Host.exe | netwire

Blocklisted process makes network request (6 IoCs)
Processes: wscript.exe
  flow | pid | process
  5 | 4880 | wscript.exe
  22 | 4880 | wscript.exe
  38 | 4880 | wscript.exe
  40 | 4880 | wscript.exe
  42 | 4880 | wscript.exe
  43 | 4880 | wscript.exe

Executes dropped EXE (2 IoCs)
Processes: Host DNS.exe, Host.exe
  pid | process
  1660 | Host DNS.exe
  1712 | Host.exe

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: Host DNS.exe, wscript.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | Host DNS.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | wscript.exe

Drops startup file (3 IoCs)
Processes: wscript.exe, Host.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YJbkIAqdml.js | wscript.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YJbkIAqdml.js | wscript.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TestLink.lnk | Host.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of WriteProcessMemory (8 IoCs)
Processes: wscript.exe, Host DNS.exe
  description | pid | process | target process
  PID 5060 wrote to memory of 4880 | 5060 | wscript.exe | wscript.exe
  PID 5060 wrote to memory of 4880 | 5060 | wscript.exe | wscript.exe
  PID 5060 wrote to memory of 1660 | 5060 | wscript.exe | Host DNS.exe
  PID 5060 wrote to memory of 1660 | 5060 | wscript.exe | Host DNS.exe
  PID 5060 wrote to memory of 1660 | 5060 | wscript.exe | Host DNS.exe
  PID 1660 wrote to memory of 1712 | 1660 | Host DNS.exe | Host.exe
  PID 1660 wrote to memory of 1712 | 1660 | Host DNS.exe | Host.exe
  PID 1660 wrote to memory of 1712 | 1660 | Host DNS.exe | Host.exe
Processes

C:\Windows\system32\wscript.exe
  command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\PO20221110-PDF.js
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

    C:\Windows\System32\wscript.exe
      command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\YJbkIAqdml.js"
      - Blocklisted process makes network request
      - Drops startup file

    C:\Users\Admin\AppData\Roaming\Host DNS.exe
      command line: "C:\Users\Admin\AppData\Roaming\Host DNS.exe"
      - Executes dropped EXE
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Roaming\Install\Host.exe
          command line: "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
          - Executes dropped EXE
          - Drops startup file
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Roaming\Host DNS.exe
Filesize: 272KB
MD5: 93faef710207f7739552b0c60f36f6f2
SHA1: cf4e4425ccea409e2d2eec80ad20088f934bc262
SHA256: 8421c842d964e5eb8fd7964f29c4ed2f5d7d0f3591f8e5738b6f066037b5eabb
SHA512: 80b4171d2e42d38f6c7dcfa186427ffc59f1ef7c4f52690cca0394cd7fc988da480dbda1c87b1516ac730424c508088201dddd3b4a26ad1c2de9a536a06c5090

C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize: 272KB
MD5: 93faef710207f7739552b0c60f36f6f2
SHA1: cf4e4425ccea409e2d2eec80ad20088f934bc262
SHA256: 8421c842d964e5eb8fd7964f29c4ed2f5d7d0f3591f8e5738b6f066037b5eabb
SHA512: 80b4171d2e42d38f6c7dcfa186427ffc59f1ef7c4f52690cca0394cd7fc988da480dbda1c87b1516ac730424c508088201dddd3b4a26ad1c2de9a536a06c5090

C:\Users\Admin\AppData\Roaming\YJbkIAqdml.js
Filesize: 10KB
MD5: b2ab4f082c681e45ba19a59c55c2a418
SHA1: 46c869e81ab32f5875bd1aedc05e1858d90963d4
SHA256: 698ff38f65986350217e7718c792f4d1b540a773718b05d821cfdf2919e9d473
SHA512: fede4f9cfd8abfd9bb4ceef0303874d81edd97015a2e1b1c03fd9147bc320a554f75cd9ece1592fe41d90934bfcfcf53d1ab2c03422861132fb2157be2e16efd

memory/1660-134-0x0000000000000000-mapping.dmp
memory/1712-137-0x0000000000000000-mapping.dmp
memory/4880-132-0x0000000000000000-mapping.dmp