Analysis

max time kernel: 142s
max time network: 181s
platform: windows7_x64
resource: win7v20210410
submitted: 11-08-2021 07:02

Static task: static1
Behavioral task: behavioral1
  Sample: SwiftTrans#7865307563.js
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: SwiftTrans#7865307563.js
  Resource: win10v20210408
General

Target: SwiftTrans#7865307563.js
Size: 195KB
MD5: a62376901c013b2cb5af5dacadca61a2
SHA1: 2c174238c278aca33f2a4bf803a14c0a79dd08c1
SHA256: cebe7e5f4f23305a16a6665c42326a4fbad4347363eeaa53b5538dc9df7ad6dc
SHA512: 8e3b033f45b941c8753733e0ef893fb70c5905dcc37ba86b1892d33d84e5a447394a3bd57a06a08a78349739a70471deafacfd1c50cc7b012a3f2cae236adfbc
Malware Config
Signatures

Blocklisted process makes network request (16 IoCs)
Processes:
- WScript.exe (pid 1232): flows 6, 7, 8, 10, 11, 12, 14, 15, 16, 18, 19, 20, 22, 23, 24, 26

Drops startup file (2 IoCs)
Processes:
- WScript.exe: File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lDuLgkracY.js
- WScript.exe: File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lDuLgkracY.js

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
- WScript.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\B02N3ZE1UL = "\"C:\\Users\\Admin\\AppData\\Roaming\\lDuLgkracY.js\""
- WScript.exe: Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (1 IoC)
Processes:
- WerFault.exe (pid 1912) handled a crash of javaw.exe (pid 2028)

Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes:
- WerFault.exe (pid 1912), 5 occurrences

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
- WerFault.exe (pid 1912)

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
- WerFault.exe (pid 1912): Token: SeDebugPrivilege

Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
- wscript.exe (pid 1104) wrote to memory of WScript.exe (pid 1232), 3 occurrences
- wscript.exe (pid 1104) wrote to memory of javaw.exe (pid 2028), 3 occurrences
- javaw.exe (pid 2028) wrote to memory of WerFault.exe (pid 1912), 3 occurrences
Processes

- C:\Windows\system32\wscript.exe (PID 1104, depth 1)
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\SwiftTrans#7865307563.js
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WScript.exe (PID 1232, depth 2)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\lDuLgkracY.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
  - C:\Program Files\Java\jre7\bin\javaw.exe (PID 2028, depth 2)
    Command line: "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\ccksecba.txt"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\WerFault.exe (PID 1912, depth 3)
      Command line: C:\Windows\system32\WerFault.exe -u -p 2028 -s 140
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
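The chain recorded above (WScript.exe writing a Run value named B02N3ZE1UL and a Startup-folder copy of lDuLgkracY.js, then javaw.exe executing a JAR that was dropped under the name ccksecba.txt) gives four things to hunt for on other hosts. The PowerShell below is an added hunt script and not part of the sandbox output; it generalizes the report's indicators (any Run value or Startup-folder entry that launches a script from AppData\Roaming, any java/javaw "-jar" whose target lacks a .jar extension) and also checks the two dropped-file names against the SHA256 values listed in this report. The function name Add-Finding and the $KnownHashes table are this example's own; the hashes and paths are the report's.

```powershell
# Added hunt script for the artefacts in this report; not part of the sandbox output.
# Checks: (1) HKU Run values pointing at a script under %APPDATA% (report: B02N3ZE1UL),
# (2) script files in each profile's Startup folder, (3) the two dropped files by name and
# SHA256 (values taken from the report), (4) running java/javaw with a -jar target that is
# not a .jar (report: ccksecba.txt). Run elevated. HKEY_USERS only exposes hives of profiles
# that are currently loaded; logged-off users would need their NTUSER.DAT loaded separately.

$ScriptExt   = '.js', '.jse', '.vbs', '.vbe', '.wsf'
$KnownHashes = @{                         # SHA256 values as listed in the report's Downloads section
    'lDuLgkracY.js' = 'F7FD2CFBA54252A085CAD009B73F8DEAC7E984396B139C372DBAAB72514D7A5A'
    'ccksecba.txt'  = '4D9FA52AF46D020276AB73A1759FAB3D48D1C5DD5EDED9CEE5923E4A17F0F5B9'
}
$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Type, [string]$Where, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Type = $Type; Where = $Where; Detail = $Detail })
}

# (1) Run values in every loaded user hive
foreach ($hive in Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue) {
    $runKey = "Registry::$($hive.Name)\Software\Microsoft\Windows\CurrentVersion\Run"
    $values = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if (-not $values) { continue }
    foreach ($v in $values.PSObject.Properties) {
        if ($v.Name -like 'PS*') { continue }          # skip PSPath/PSParentPath/... metadata
        $target = [string]$v.Value
        # a quoted or bare path ending in a script extension, anywhere under AppData\Roaming
        if ($target -match '\\AppData\\Roaming\\[^"]*\.(js|jse|vbs|vbe|wsf)"?\s*$') {
            Add-Finding 'RunKeyScript' $runKey "$($v.Name) = $target"
        }
    }
}

# (2) and (3): per-profile Startup folder, then the report's dropped-file names
foreach ($profile in Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue) {
    $roaming = Join-Path $profile.FullName 'AppData\Roaming'
    $startup = Join-Path $roaming 'Microsoft\Windows\Start Menu\Programs\Startup'
    Get-ChildItem $startup -File -ErrorAction SilentlyContinue |
        Where-Object { $ScriptExt -contains $_.Extension.ToLower() } |
        ForEach-Object {
            $h = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            Add-Finding 'StartupScript' $_.FullName "SHA256 $h"
        }
    foreach ($name in $KnownHashes.Keys) {
        $candidate = Join-Path $roaming $name
        if (Test-Path -LiteralPath $candidate) {
            $h = (Get-FileHash -LiteralPath $candidate -Algorithm SHA256).Hash
            $verdict = if ($h -eq $KnownHashes[$name]) { 'hash matches report' } else { 'name matches, hash differs' }
            Add-Finding 'DroppedFile' $candidate $verdict
        }
    }
}

# (4) java/javaw running a "-jar" whose argument does not carry a .jar extension
Get-CimInstance Win32_Process -Filter "Name = 'javaw.exe' OR Name = 'java.exe'" |
    ForEach-Object {
        if ($_.CommandLine -match '-jar\s+(?:"([^"]+)"|(\S+))') {
            $jar = if ($Matches[1]) { $Matches[1] } else { $Matches[2] }
            if ([System.IO.Path]::GetExtension($jar).ToLower() -ne '.jar') {
                $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.ParentProcessId)" -ErrorAction SilentlyContinue
                Add-Finding 'JavaNonJarTarget' "PID $($_.ProcessId) (parent: $($parent.Name))" $jar
            }
        }
    }

if ($findings.Count -eq 0) { 'No matching artefacts found.' } else { $findings | Format-Table -AutoSize -Wrap }
```

A hit on check (4) whose parent is wscript.exe reproduces this report's process tree almost exactly (wscript.exe 1104 spawning javaw.exe 2028 with -jar on a .txt); a hit on (1) or (2) alone is weaker on its own, since legitimate software occasionally registers scripts there, so treat those as triage leads and confirm with the file hash or content.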
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Roaming\ccksecba.txt
  MD5: c0887f0887ddeefce4d2a310a82200a4
  SHA1: 57dec75936a83d0b4d7701141be6a880b4f3b339
  SHA256: 4d9fa52af46d020276ab73a1759fab3d48d1c5dd5eded9cee5923e4a17f0f5b9
  SHA512: fab96055cb2cf967156a0766bcf8f4bc33ff8a22cb68874e6ab3a9e45419ef04f5be3fdecd6a15cc4a7e6a660091d5e5038cf3e7de09f75c9c289ba0b468b971

C:\Users\Admin\AppData\Roaming\lDuLgkracY.js
  MD5: 1db2128497f4cd412a6b882f616c9651
  SHA1: 709d8587e58c93f089c10977ca717b80a88693cb
  SHA256: f7fd2cfba54252a085cad009b73f8deac7e984396b139c372dbaab72514d7a5a
  SHA512: 7aa9b0b1b7f57a3a597a3a5661987f71002d68e8fde2b5b38e36bca49e780844391c2ca645610574309f0f633ec44ac31f4964a1674c2e0f73cd3c660a3d1dfb

memory/1104-59-0x000007FEFC181000-0x000007FEFC183000-memory.dmp (Filesize: 8KB)
memory/1232-60-0x0000000000000000-mapping.dmp
memory/1912-64-0x0000000000000000-mapping.dmp
memory/1912-67-0x0000000000350000-0x0000000000351000-memory.dmp (Filesize: 4KB)
memory/2028-61-0x0000000000000000-mapping.dmp