Analysis
max time kernel: 145s
max time network: 147s
platform: windows10_x64
resource: win10v20201028
submitted: 13-01-2021 06:51
Static task: static1
Behavioral task: behavioral1
Sample: SWIFT TRSF EUR2763O.PDF.js
Resource: win7v20201028 (windows7_x64)
0 signatures, 0 seconds
General
Target: SWIFT TRSF EUR2763O.PDF.js
Size: 24KB
MD5: 5858b1c3f3a59e6f8974138e16abbc34
SHA1: 09242052cec1f1c6dc0f9a2927513962f4e2b944
SHA256: 03f82590c595df2bb4247b1b9489713773fa800cacfbf38b811b35f97e9c4504
SHA512: 1a3f0212ad754d5338ebdf7021ecc5d22f3e30f33cc9ef006d0a44aaffe3f4e68a8d77d5d27b2cd4d931734e7d36f92df808736c0649ac7baf19e9e99da30714
Malware Config
Signatures
Blocklisted process makes network request (21 IoCs)
Processes:
flow  pid  process
7     812  wscript.exe
9     812  wscript.exe
11    812  wscript.exe
15    812  wscript.exe
20    812  wscript.exe
23    812  wscript.exe
24    812  wscript.exe
25    812  wscript.exe
26    812  wscript.exe
27    812  wscript.exe
28    812  wscript.exe
32    812  wscript.exe
33    812  wscript.exe
34    812  wscript.exe
35    812  wscript.exe
36    812  wscript.exe
37    812  wscript.exe
38    812  wscript.exe
39    812  wscript.exe
40    812  wscript.exe
41    812  wscript.exe
Drops startup file (2 IoCs)
Processes:
description                   ioc                                                                                                     process
File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SWIFT TRSF EUR2763O.PDF.js  wscript.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SWIFT TRSF EUR2763O.PDF.js  wscript.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Processes
Network
MITRE ATT&CK Enterprise v6
Downloads
memory/812-2-0x00000275F07B0000-0x00000275F07B4000-memory.dmp  Filesize: 16KB