99806dffcac81a0036f89ac02826ef83ab0c0affe42f9d3276c7a73416712e99

General

Target

SwiftCopies.js
Size

249KB
MD5

c64283d97b88c7596e77dbe2cf07aa96
SHA1

adc39012adf334ae763bed7d3986b7c5488e610f
SHA256

99806dffcac81a0036f89ac02826ef83ab0c0affe42f9d3276c7a73416712e99
SHA512

e6f31cea207546b9bc8e04a86e17e6a3b1d7185fda4a0e1186c113e523109f83d55a6979996a9123e6b55c65755a760571c21808c8326d3bad288ba926d8552a

Score

8^/10

persistence

Malware Config

Signatures

Blocklisted process makes network request 69 IoCs

Processes:

wscript.exeWScript.exe

flow	pid	process
8	1580	wscript.exe
9	1932	WScript.exe
10	1580	wscript.exe
11	1932	WScript.exe
12	1580	wscript.exe
13	1580	wscript.exe
14	1580	wscript.exe
15	1932	WScript.exe
17	1932	WScript.exe
18	1580	wscript.exe
19	1580	wscript.exe
22	1932	WScript.exe
23	1932	WScript.exe
25	1580	wscript.exe
26	1580	wscript.exe
28	1932	WScript.exe
29	1932	WScript.exe
30	1580	wscript.exe
31	1580	wscript.exe
32	1580	wscript.exe
34	1932	WScript.exe
35	1580	wscript.exe
36	1932	WScript.exe
38	1580	wscript.exe
39	1580	wscript.exe
41	1932	WScript.exe
42	1932	WScript.exe
44	1580	wscript.exe
45	1580	wscript.exe
47	1932	WScript.exe
48	1932	WScript.exe
49	1580	wscript.exe
50	1580	wscript.exe
53	1932	WScript.exe
54	1580	wscript.exe
55	1932	WScript.exe
56	1580	wscript.exe
57	1580	wscript.exe
59	1932	WScript.exe
60	1580	wscript.exe
61	1932	WScript.exe
63	1580	wscript.exe
64	1580	wscript.exe
67	1932	WScript.exe
68	1932	WScript.exe
69	1580	wscript.exe
70	1580	wscript.exe
72	1932	WScript.exe
73	1932	WScript.exe
74	1580	wscript.exe
75	1580	wscript.exe
77	1932	WScript.exe
78	1580	wscript.exe
79	1932	WScript.exe
80	1580	wscript.exe
83	1580	wscript.exe
85	1932	WScript.exe
86	1580	wscript.exe
87	1932	WScript.exe
88	1580	wscript.exe
89	1580	wscript.exe
91	1932	WScript.exe
92	1932	WScript.exe
93	1580	wscript.exe

Drops startup file 4 IoCs

Processes:

wscript.exeWScript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftCopies.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftCopies.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sing.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sing.js	WScript.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wscript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\SwiftCopies = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\SwiftCopies.js\""	wscript.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SwiftCopies = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\SwiftCopies.js\""	wscript.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

7 ip-api.com

flow	ioc
7	ip-api.com

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

wscript.exe

description	pid	process	target process
PID 1580 wrote to memory of 1932	1580	wscript.exe	WScript.exe
PID 1580 wrote to memory of 1932	1580	wscript.exe	WScript.exe
PID 1580 wrote to memory of 1932	1580	wscript.exe	WScript.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\SwiftCopies.js
1⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1580
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\sing.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  PID:1932

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\sing.js

MD5
32b1accd6a263f1b850e52bffac047a5

SHA1
f8be4389b327be9e742e618eceae6919e0144b2e

SHA256
67be2d8895a4d7a72e14c45d127c4784be588eff872dc04cb055a6f3fb816a92

SHA512
bee63cf8981e71d9005f9068a37438e16b8b8c0caa3603b50d5f41f2c9b86cacff362b34c6b3bb57da91e6ef883098a6a36e411db2f6b33bdcf35c61cddf3fee

Download Submit
memory/1516-4-0x000007FEF6780000-0x000007FEF69FA000-memory.dmp

Filesize
2.5MB

Download
memory/1932-2-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads