Analysis
  max time kernel: 152s
  max time network: 149s
  platform: windows7_x64
  resource: win7v20201028
  submitted: 13-01-2021 06:51
Static task: static1
Behavioral task: behavioral1
  Sample: SWIFT TRSF EUR2763O.PDF.js
  Resource: win7v20201028
  Platform: windows7_x64
  0 signatures, 0 seconds
General
  Target: SWIFT TRSF EUR2763O.PDF.js
  Size: 24KB
  MD5: 5858b1c3f3a59e6f8974138e16abbc34
  SHA1: 09242052cec1f1c6dc0f9a2927513962f4e2b944
  SHA256: 03f82590c595df2bb4247b1b9489713773fa800cacfbf38b811b35f97e9c4504
  SHA512: 1a3f0212ad754d5338ebdf7021ecc5d22f3e30f33cc9ef006d0a44aaffe3f4e68a8d77d5d27b2cd4d931734e7d36f92df808736c0649ac7baf19e9e99da30714
Malware Config
Signatures
Blocklisted process makes network request (20 IoCs)
  Processes (flow / pid / process):
    flows 5, 7, 9, 10, 11, 13, 14, 15, 17, 18, 19, 21, 22, 23, 25, 26, 27, 29, 30, 31: pid 1068, wscript.exe
Drops startup file (2 IoCs)
  Processes (description / ioc / process):
    File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SWIFT TRSF EUR2763O.PDF.js (wscript.exe)
    File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SWIFT TRSF EUR2763O.PDF.js (wscript.exe)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Processes
Network
MITRE ATT&CK Enterprise v6
Downloads
  memory/1968-2-0x000007FEF7E60000-0x000007FEF80DA000-memory.dmp
    Filesize: 2.5MB