Analysis
- max time kernel: 150s
- max time network: 156s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 07-07-2022 05:37
Static task: static1
Behavioral task: behavioral1
Sample: Transfer_receipt_jpg.js
Resource: win7-20220414-en
General
- Target: Transfer_receipt_jpg.js (a Windows Script Host .js file; the "_jpg" in the name imitates an image attachment, a common lure for receipt-themed phishing)
- Size: 29KB
- MD5: 5333fab02eabde7a8e9c0d8a0b838237
- SHA1: 9ac71fd8fa80f40f88a1b4e9e8800db9e8c579fe
- SHA256: f6cf2d7c500799688ffa713b0a82e8d5625ce73dc0c16ab0aecc6bdf20b38458
- SHA512: 3693afd65f6c1e578f35bacd9aa894a77fef91202d5a1542f95e40b7d250b953adc737a378f4bff98604b9ad50d32b6da95039ad004ee46bae6f6522b1b14f16
Malware Config
Signatures
-
Blocklisted process makes network request (15 IoCs)
Processes: wscript.exe (PID 1120)
Network flows 4, 5, 6, 9, 10, 11, 13, 14, 15, 17, 18, 19, 21, 22, 23, all originating from PID 1120 (wscript.exe)
Drops startup file (2 IoCs)
Processes: wscript.exe
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Transfer_receipt_jpg.js (wscript.exe)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Transfer_receipt_jpg.js (wscript.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's canned description labels this "likely ransomware behaviour", but the report attributes no process to this signature and records nothing else that supports ransomware (no mass file modification, no ransom note). Treat it as a weak indicator; the observed behaviour is that of a script dropper with Startup persistence.
Suspicious use of WriteProcessMemory (3 IoCs)
Processes: wscript.exe
- PID 1120 (wscript.exe) wrote to memory of PID 1272 (wscript.exe), recorded three times
All three entries are the parent writing into the child wscript.exe it spawns (see the process tree below), which is consistent with ordinary process creation rather than injection. The report shows no writes into any other process.
Processes
1. C:\Windows\system32\wscript.exe (PID 1120)
   wscript.exe C:\Users\Admin\AppData\Local\Temp\Transfer_receipt_jpg.js
   - Blocklisted process makes network request
   - Drops startup file
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\wscript.exe (PID 1272, child of 1120)
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\MxFmKSzNKl.js"
      (//B runs the script host in batch mode, suppressing script errors and prompts, so the second stage executes without anything visible to the user)
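The process tree and signatures above describe a chain that is cheap to detect from endpoint telemetry: a script host spawning another script host with //B against a script in a user-writable directory, a script written into the Startup folder, and the known hashes of the two files. The following Python is an added example written for this page, not part of the sandbox report or of any vendor tool. It runs three such rules over constructed event lines built from the report's paths and hashes; the parent PID 600 (explorer.exe) and the notepad.exe line are invented benign context, and the pipe-separated event format is an assumption standing in for real EDR or Sysmon output.

```python
"""Triage rules for a WSH dropper: script-host re-launch with //B from a
user-writable path, script dropped into the Startup folder, known hashes.
Added example for this page; not code from the sandbox or any vendor."""
import ntpath
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh")
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(
    r"\\(AppData\\(Roaming|Local)|Users\\Public)\\", re.IGNORECASE)

# SHA256 values taken from the report: the initial sample and the dropped stage.
KNOWN_SHA256 = {
    "f6cf2d7c500799688ffa713b0a82e8d5625ce73dc0c16ab0aecc6bdf20b38458": "Transfer_receipt_jpg.js",
    "a508df80606c93588c0278b2fbb88bef2315963dcfe2276347baa1a5dc078405": "MxFmKSzNKl.js",
}

# Constructed telemetry (assumed format): kind|pid|ppid|image|parent_image|cmdline_or_path|sha256
# Paths, PIDs 1120/1272 and hashes come from the report; PID 600 and the notepad line are invented.
SAMPLE_EVENTS = r"""
process|1120|600|C:\Windows\system32\wscript.exe|C:\Windows\explorer.exe|wscript.exe C:\Users\Admin\AppData\Local\Temp\Transfer_receipt_jpg.js|
file|1120|600|C:\Windows\system32\wscript.exe|C:\Windows\explorer.exe|C:\Users\Admin\AppData\Roaming\MxFmKSzNKl.js|a508df80606c93588c0278b2fbb88bef2315963dcfe2276347baa1a5dc078405
file|1120|600|C:\Windows\system32\wscript.exe|C:\Windows\explorer.exe|C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Transfer_receipt_jpg.js|
process|1272|1120|C:\Windows\System32\wscript.exe|C:\Windows\system32\wscript.exe|"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\MxFmKSzNKl.js"|
process|1300|600|C:\Windows\system32\notepad.exe|C:\Windows\explorer.exe|notepad.exe C:\Users\Admin\Documents\notes.txt|
"""


def parse_events(text):
    """Split the pipe-separated lines into event dicts; hashes are lower-cased."""
    events = []
    for line in text.strip().splitlines():
        kind, pid, ppid, image, parent, target, sha256 = line.split("|")
        events.append({"kind": kind, "pid": int(pid), "ppid": int(ppid),
                       "image": image, "parent": parent, "target": target,
                       "sha256": sha256.lower()})
    return events


def basename(path):
    # ntpath handles Windows separators regardless of the host OS.
    return ntpath.basename(path).lower()


def rule_script_host_chain(ev):
    """wscript/cscript spawned by wscript/cscript, running a script from a
    user-writable path. //B (batch mode) hides errors and prompts, which a
    user-launched script rarely needs."""
    if ev["kind"] != "process":
        return None
    if basename(ev["image"]) not in SCRIPT_HOSTS or basename(ev["parent"]) not in SCRIPT_HOSTS:
        return None
    cmd = ev["target"]
    if not USER_WRITABLE_RE.search(cmd):
        return None
    flag = " (batch mode //B)" if " //b " in f" {cmd.lower()} " else ""
    return (f"pid {ev['pid']}: {basename(ev['image'])} launched by "
            f"{basename(ev['parent'])} running a script from a user-writable path{flag}: {cmd}")


def rule_startup_script_drop(ev):
    """Any script-extension file created or modified under the Startup folder."""
    if ev["kind"] != "file":
        return None
    path = ev["target"]
    if STARTUP_RE.search(path) and path.lower().endswith(SCRIPT_EXTS):
        return f"pid {ev['pid']}: {basename(ev['image'])} wrote a script into the Startup folder: {path}"
    return None


def rule_known_hash(ev):
    """File hash matches one of the report's samples."""
    name = KNOWN_SHA256.get(ev["sha256"])
    if ev["kind"] == "file" and name:
        return f"pid {ev['pid']}: file {ev['target']} matches known sample {name}"
    return None


RULES = (rule_script_host_chain, rule_startup_script_drop, rule_known_hash)


def triage(text):
    """Return one alert string per (event, rule) hit, in event order."""
    alerts = []
    for ev in parse_events(text):
        for rule in RULES:
            hit = rule(ev)
            if hit:
                alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

Against the constructed events the rules raise three alerts: the known-hash match on the dropped MxFmKSzNKl.js, the Startup-folder write by PID 1120, and the //B re-launch by PID 1272. The hash rule is the weakest of the three, since a repacked second stage changes the hash while the two behavioural rules still fire.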
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\MxFmKSzNKl.js
  Filesize: 8KB
  MD5: 3f011675c4087298e1fcf32859d4449c
  SHA1: 7786493022e231a55e5588ae22c6b8006bc070c2
  SHA256: a508df80606c93588c0278b2fbb88bef2315963dcfe2276347baa1a5dc078405
  SHA512: aff5ad1afb97f55303a2dc7f83443d6806cd294a119d68b4d464ab2b6884fed0c13a40127d3dbfda095fad14f72ec0bb2194154807eacbfc61026ab4acfd107c
- memory/1120-54-0x000007FEFC0C1000-0x000007FEFC0C3000-memory.dmp
  Filesize: 8KB
- memory/1272-55-0x0000000000000000-mapping.dmp