Analysis

- max time kernel: 151s
- max time network: 157s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 07-07-2022 05:35

Static task: static1
Behavioral task: behavioral1
- Sample: Transfer_receipt_jpg.js
- Resource: win7-20220414-en
General

- Target: Transfer_receipt_jpg.js
- Size: 29KB
- MD5: 5333fab02eabde7a8e9c0d8a0b838237
- SHA1: 9ac71fd8fa80f40f88a1b4e9e8800db9e8c579fe
- SHA256: f6cf2d7c500799688ffa713b0a82e8d5625ce73dc0c16ab0aecc6bdf20b38458
- SHA512: 3693afd65f6c1e578f35bacd9aa894a77fef91202d5a1542f95e40b7d250b953adc737a378f4bff98604b9ad50d32b6da95039ad004ee46bae6f6522b1b14f16
Malware Config
Signatures

- Blocklisted process makes network request (17 IoCs)
  Processes: wscript.exe (pid 776), flows 6, 14, 26, 36, 38, 41, 44, 47, 48, 49, 51, 52, 53, 54, 55, 56, 57

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Processes: wscript.exe queried key value \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation
  Geo\Nation holds the GEOID of the user's configured Region setting, not the machine's IP geolocation, so a script can read it with no network traffic and abort outside its target region.

- Drops startup file (2 IoCs)
  Processes: wscript.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Transfer_receipt_jpg.js
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Transfer_receipt_jpg.js

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour. (No IoCs recorded for this signature.)

- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes: PID 776 (wscript.exe) wrote to memory of PID 64 (wscript.exe); the same write is recorded twice.
Processes

- C:\Windows\system32\wscript.exe (PID 776 in the signature IoCs)
  wscript.exe C:\Users\Admin\AppData\Local\Temp\Transfer_receipt_jpg.js
  - Blocklisted process makes network request
  - Checks computer location settings
  - Drops startup file
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\System32\wscript.exe (PID 64, the WriteProcessMemory target)
    "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\MxFmKSzNKl.js"
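The process tree and signatures describe a two-stage Windows Script Host chain: wscript.exe reads the user's Geo\Nation value, writes a script into the per-user Startup folder, makes network requests, and re-launches wscript.exe in batch mode (//B) on a second script under AppData\Roaming. The Python below is an added triage example, not part of the sandbox report or the sample; it encodes those four behaviours as host-log rules and runs them over constructed event records that mirror the report's IoCs. The event schema (type, pid, image, parent_image, command_line, target_path, key) is an assumed simplification, not a real log format, and the benign control event (PID 900, a logon script started by userinit.exe) is invented to show what the rules must not flag.

```python
"""Behavioural triage rules for the wscript.exe chain seen in this report.

Added example, not part of the sandbox report or the sample. The event
records are constructed from the report's IoCs; the field names (type, pid,
image, parent_image, command_line, target_path, key) are an assumed,
simplified schema rather than a real log format.
"""
import ntpath
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf")

# WSH "batch" switch that suppresses script errors and prompts (//B or /B).
QUIET_RE = re.compile(r"(?:^|\s)//?b(?=\s|$)", re.I)
# First script path on a WSH command line, quoted or bare.
SCRIPT_PATH_RE = re.compile(
    r'"([^"]+?\.(?:js|jse|vbs|vbe|wsf))"|(\S+?\.(?:js|jse|vbs|vbe|wsf))(?=\s|$)', re.I)
# User-writable profile locations the report shows scripts being run from.
PROFILE_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.I)
# Per-user Startup folder; anything written here runs at the next logon.
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
# GEOID of the user's configured Region; a cheap geofence, not IP geolocation.
GEO_KEY_RE = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)


def image_name(path):
    """Lower-cased file name of a Windows image path ('' if missing)."""
    return ntpath.basename(path or "").lower()


def script_path(command_line):
    """Return the first script path on a WSH command line, or None."""
    m = SCRIPT_PATH_RE.search(command_line or "")
    return (m.group(1) or m.group(2)) if m else None


def detect(events):
    """Apply the rules to a list of event dicts; return sorted (rule, pid) pairs.

    Only events whose acting image is a script host are considered, so the
    rules do not fire on explorer.exe or a browser writing to Startup.
    """
    findings = set()
    for ev in events:
        if image_name(ev.get("image")) not in SCRIPT_HOSTS:
            continue
        pid, kind = ev["pid"], ev["type"]
        if kind == "process":
            cmd = ev.get("command_line", "")
            path = script_path(cmd) or ""
            # Script host re-launching a script host, quietly, from AppData:
            # the second-stage pattern in the report's process tree.
            if (image_name(ev.get("parent_image")) in SCRIPT_HOSTS
                    and QUIET_RE.search(cmd) and PROFILE_RE.search(path)):
                findings.add(("script_host_relaunch_quiet_from_profile", pid))
        elif kind == "file":
            path = ev.get("target_path", "")
            if STARTUP_RE.search(path) and path.lower().endswith(SCRIPT_EXTS):
                findings.add(("script_dropped_in_startup_folder", pid))
        elif kind == "registry":
            if GEO_KEY_RE.search(ev.get("key", "")):
                findings.add(("geo_nation_lookup_by_script_host", pid))
        elif kind == "network":
            findings.add(("script_host_network_activity", pid))
    return sorted(findings)


# Constructed events mirroring the report: PID 776 is the first wscript.exe,
# PID 64 the child it launched. PID 900 is an invented benign control (logon
# script run by userinit.exe from a share) that must not trigger any rule.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 776, "image": r"C:\Windows\system32\wscript.exe",
     "parent_image": "",  # parent not shown in the report
     "command_line": r"wscript.exe C:\Users\Admin\AppData\Local\Temp\Transfer_receipt_jpg.js"},
    {"type": "registry", "pid": 776, "image": r"C:\Windows\system32\wscript.exe",
     "key": r"\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000"
            r"\Control Panel\International\Geo\Nation"},
    {"type": "file", "pid": 776, "image": r"C:\Windows\system32\wscript.exe",
     "target_path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows"
                    r"\Start Menu\Programs\Startup\Transfer_receipt_jpg.js"},
    {"type": "network", "pid": 776, "image": r"C:\Windows\system32\wscript.exe"},
    {"type": "process", "pid": 64, "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\system32\wscript.exe",
     "command_line": r'"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\MxFmKSzNKl.js"'},
    {"type": "process", "pid": 900, "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\System32\userinit.exe",
     "command_line": r"wscript.exe //B \\corp\netlogon\map_drives.vbs"},
]

if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule:45} pid={pid}")
```

The relaunch rule deliberately requires all three conditions (script-host parent, batch switch, AppData path) because each alone is common in managed environments; the Startup-folder rule keys on the writing process being a script host rather than on the file name, so a renamed second stage is still caught.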
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Users\Admin\AppData\Roaming\MxFmKSzNKl.js
  Filesize: 8KB
  MD5: 3f011675c4087298e1fcf32859d4449c
  SHA1: 7786493022e231a55e5588ae22c6b8006bc070c2
  SHA256: a508df80606c93588c0278b2fbb88bef2315963dcfe2276347baa1a5dc078405
  SHA512: aff5ad1afb97f55303a2dc7f83443d6806cd294a119d68b4d464ab2b6884fed0c13a40127d3dbfda095fad14f72ec0bb2194154807eacbfc61026ab4acfd107c
  This second-stage script differs from the submitted sample in size (8KB vs 29KB) and in every hash, so it is a distinct payload rather than a copy of Transfer_receipt_jpg.js.

- memory/64-130-0x0000000000000000-mapping.dmp