Overview

overview

10

Static

static

Document Payment.js

windows7-x64

8

Document Payment.js

windows10-2004-x64

10

Analysis

  • max time kernel
    179s
  • max time network
    193s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-11-2022 17:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Document Payment.js

  • Size

    252KB

  • MD5

    76c1c36c47ced1f2e3c9528b4a45fc42

  • SHA1

    bf8e742e9e99d7814988dadc809847c624d098ed

  • SHA256

    abb0ca8ed8cb040eb69d4837c26fca5efe130711346859b86641b45da7de31b6

  • SHA512

    066c4d3508b3c3c816c0909eb1c20fed76d908b4f94fa36e36dff2711515f63ae41cad0bc5a971fa4bda2162014f853fb4d8a9fa809d14afb9fd56a0d834fe8a

  • SSDEEP

    1536:B4QRV0AphDu3651pCC6T5IYx9btSutuiLL5dve/OC67OMOMM8hMM/0m6tWcSukqE:BnTeK1qRfOgkKtlQi

Score
10/10
netwirebotnetpersistenceratstealer

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • NetWire RAT payload 4 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Executes dropped EXE 7 IoCs
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 45 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe "C:\Users\Admin\AppData\Local\Temp\Document Payment.js"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4708
    • C:\Users\Admin\AppData\Roaming\Document Payment.exe
      "C:\Users\Admin\AppData\Roaming\Document Payment.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Checks computer location settings
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4508
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2328
      • C:\Users\Admin\AppData\Roaming\Document Payment.exe
        "C:\Users\Admin\AppData\Roaming\Document Payment.exe"
        3⤵
        • Executes dropped EXE
        PID:260
      • C:\Users\Admin\AppData\Roaming\Document Payment.exe
        "C:\Users\Admin\AppData\Roaming\Document Payment.exe"
        3⤵
        • Executes dropped EXE
        PID:4348
      • C:\Users\Admin\AppData\Roaming\Document Payment.exe
        "C:\Users\Admin\AppData\Roaming\Document Payment.exe"
        3⤵
        • Executes dropped EXE
        PID:1336
      • C:\Users\Admin\AppData\Roaming\Document Payment.exe
        "C:\Users\Admin\AppData\Roaming\Document Payment.exe"
        3⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:3232
        • C:\Users\Admin\AppData\Roaming\Gooogle\Note.exe
          "C:\Users\Admin\AppData\Roaming\Gooogle\Note.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Executes dropped EXE
          • Checks computer location settings
          • Suspicious use of SetThreadContext
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2392
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4656
          • C:\Users\Admin\AppData\Roaming\Gooogle\Note.exe
            C:\Users\Admin\AppData\Roaming\Gooogle\Note.exe
            5⤵
            • Executes dropped EXE
            • Drops startup file
            • Adds Run key to start application
            PID:3576

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1
T1004

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    Filesize

    1KB

    MD5

    4280e36a29fa31c01e4d8b2ba726a0d8

    SHA1

    c485c2c9ce0a99747b18d899b71dfa9a64dabe32

    SHA256

    e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359

    SHA512

    494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
    Filesize

    53KB

    MD5

    06ad34f9739c5159b4d92d702545bd49

    SHA1

    9152a0d4f153f3f40f7e606be75f81b582ee0c17

    SHA256

    474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

    SHA512

    c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    16KB

    MD5

    feee6cbc4e014617a0fa16c3ac74d9b1

    SHA1

    d95ed1dc8073b93a6a2500b2bd241042e321a145

    SHA256

    b06d4d58984c08a0691c9ad438d0c7c3ce1798dd1bf2e28ba0c1503c6ec36b43

    SHA512

    ca45659f58314ea1af5d248bff391902ab69670b15d48f01033abd1f708fca2b703f73f39e0374c187b29aa49d9f816d861cc3379c82403ac4873426c3c10411

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Chrome\Google.exe
    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Document Payment.exe
    Filesize

    189KB

    MD5

    55737658022dfde028de54f8f34c9c56

    SHA1

    922890a964cb16b18174561bab63e27f248ed7c1

    SHA256

    c5cba4155b3dd74151724b3571101881fcd756af12b95a14538843845c9fde35

    SHA512

    6099080c7f12ee87ccc7964154d922215aab24d2c6c3e36c1de322597083c0f8d28ffd7fa0434436ee45d2c9bc0ebb047f736ed8d1124fee1eb1b6ccf5c825ba

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Document Payment.exe
    Filesize

    189KB

    MD5

    55737658022dfde028de54f8f34c9c56

    SHA1

    922890a964cb16b18174561bab63e27f248ed7c1

    SHA256

    c5cba4155b3dd74151724b3571101881fcd756af12b95a14538843845c9fde35

    SHA512

    6099080c7f12ee87ccc7964154d922215aab24d2c6c3e36c1de322597083c0f8d28ffd7fa0434436ee45d2c9bc0ebb047f736ed8d1124fee1eb1b6ccf5c825ba

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Document Payment.exe
    Filesize

    189KB

    MD5

    55737658022dfde028de54f8f34c9c56

    SHA1

    922890a964cb16b18174561bab63e27f248ed7c1

    SHA256

    c5cba4155b3dd74151724b3571101881fcd756af12b95a14538843845c9fde35

    SHA512

    6099080c7f12ee87ccc7964154d922215aab24d2c6c3e36c1de322597083c0f8d28ffd7fa0434436ee45d2c9bc0ebb047f736ed8d1124fee1eb1b6ccf5c825ba

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Document Payment.exe
    Filesize

    189KB

    MD5

    55737658022dfde028de54f8f34c9c56

    SHA1

    922890a964cb16b18174561bab63e27f248ed7c1

    SHA256

    c5cba4155b3dd74151724b3571101881fcd756af12b95a14538843845c9fde35

    SHA512

    6099080c7f12ee87ccc7964154d922215aab24d2c6c3e36c1de322597083c0f8d28ffd7fa0434436ee45d2c9bc0ebb047f736ed8d1124fee1eb1b6ccf5c825ba

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Document Payment.exe
    Filesize

    189KB

    MD5

    55737658022dfde028de54f8f34c9c56

    SHA1

    922890a964cb16b18174561bab63e27f248ed7c1

    SHA256

    c5cba4155b3dd74151724b3571101881fcd756af12b95a14538843845c9fde35

    SHA512

    6099080c7f12ee87ccc7964154d922215aab24d2c6c3e36c1de322597083c0f8d28ffd7fa0434436ee45d2c9bc0ebb047f736ed8d1124fee1eb1b6ccf5c825ba

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Document Payment.exe
    Filesize

    189KB

    MD5

    55737658022dfde028de54f8f34c9c56

    SHA1

    922890a964cb16b18174561bab63e27f248ed7c1

    SHA256

    c5cba4155b3dd74151724b3571101881fcd756af12b95a14538843845c9fde35

    SHA512

    6099080c7f12ee87ccc7964154d922215aab24d2c6c3e36c1de322597083c0f8d28ffd7fa0434436ee45d2c9bc0ebb047f736ed8d1124fee1eb1b6ccf5c825ba

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Gooogle\Note.exe
    Filesize

    189KB

    MD5

    55737658022dfde028de54f8f34c9c56

    SHA1

    922890a964cb16b18174561bab63e27f248ed7c1

    SHA256

    c5cba4155b3dd74151724b3571101881fcd756af12b95a14538843845c9fde35

    SHA512

    6099080c7f12ee87ccc7964154d922215aab24d2c6c3e36c1de322597083c0f8d28ffd7fa0434436ee45d2c9bc0ebb047f736ed8d1124fee1eb1b6ccf5c825ba

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Gooogle\Note.exe
    Filesize

    189KB

    MD5

    55737658022dfde028de54f8f34c9c56

    SHA1

    922890a964cb16b18174561bab63e27f248ed7c1

    SHA256

    c5cba4155b3dd74151724b3571101881fcd756af12b95a14538843845c9fde35

    SHA512

    6099080c7f12ee87ccc7964154d922215aab24d2c6c3e36c1de322597083c0f8d28ffd7fa0434436ee45d2c9bc0ebb047f736ed8d1124fee1eb1b6ccf5c825ba

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Gooogle\Note.exe
    Filesize

    189KB

    MD5

    55737658022dfde028de54f8f34c9c56

    SHA1

    922890a964cb16b18174561bab63e27f248ed7c1

    SHA256

    c5cba4155b3dd74151724b3571101881fcd756af12b95a14538843845c9fde35

    SHA512

    6099080c7f12ee87ccc7964154d922215aab24d2c6c3e36c1de322597083c0f8d28ffd7fa0434436ee45d2c9bc0ebb047f736ed8d1124fee1eb1b6ccf5c825ba

    Download Submit
  • memory/260-147-0x0000000000000000-mapping.dmp
    Download
  • memory/1336-151-0x0000000000000000-mapping.dmp
    Download
  • memory/2328-141-0x00000000051D0000-0x00000000057F8000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/2328-140-0x0000000002820000-0x0000000002856000-memory.dmp
    Filesize

    216KB

    Download
  • memory/2328-139-0x0000000000000000-mapping.dmp
    Download
  • memory/2328-145-0x0000000007640000-0x0000000007CBA000-memory.dmp
    Filesize

    6.5MB

    Download
  • memory/2328-144-0x0000000005DE0000-0x0000000005DFE000-memory.dmp
    Filesize

    120KB

    Download
  • memory/2328-143-0x0000000005800000-0x0000000005866000-memory.dmp
    Filesize

    408KB

    Download
  • memory/2328-146-0x00000000062E0000-0x00000000062FA000-memory.dmp
    Filesize

    104KB

    Download
  • memory/2328-142-0x00000000050B0000-0x0000000005116000-memory.dmp
    Filesize

    408KB

    Download
  • memory/2392-158-0x0000000000000000-mapping.dmp
    Download
  • memory/3232-153-0x0000000000000000-mapping.dmp
    Download
  • memory/3232-157-0x0000000000400000-0x0000000000444000-memory.dmp
    Filesize

    272KB

    Download
  • memory/3232-160-0x0000000000400000-0x0000000000444000-memory.dmp
    Filesize

    272KB

    Download
  • memory/3232-154-0x0000000000400000-0x0000000000444000-memory.dmp
    Filesize

    272KB

    Download
  • memory/3576-167-0x0000000000000000-mapping.dmp
    Download
  • memory/3576-172-0x0000000000400000-0x0000000000444000-memory.dmp
    Filesize

    272KB

    Download
  • memory/4348-149-0x0000000000000000-mapping.dmp
    Download
  • memory/4508-132-0x0000000000000000-mapping.dmp
    Download
  • memory/4508-138-0x00000000062D0000-0x00000000062F2000-memory.dmp
    Filesize

    136KB

    Download
  • memory/4508-137-0x0000000006320000-0x00000000063B2000-memory.dmp
    Filesize

    584KB

    Download
  • memory/4508-136-0x0000000005210000-0x00000000057B4000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/4508-135-0x0000000000340000-0x0000000000374000-memory.dmp
    Filesize

    208KB

    Download
  • memory/4656-162-0x0000000000000000-mapping.dmp
    Download