Analysis
- max time kernel: 143s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 07-07-2022 05:37
- Static task: static1
- Behavioral task: behavioral1
- Sample: Transfer_receipt_jpg.js
- Resource: win7-20220414-en
General
- Target: Transfer_receipt_jpg.js
- Size: 29KB
- MD5: 5333fab02eabde7a8e9c0d8a0b838237
- SHA1: 9ac71fd8fa80f40f88a1b4e9e8800db9e8c579fe
- SHA256: f6cf2d7c500799688ffa713b0a82e8d5625ce73dc0c16ab0aecc6bdf20b38458
- SHA512: 3693afd65f6c1e578f35bacd9aa894a77fef91202d5a1542f95e40b7d250b953adc737a378f4bff98604b9ad50d32b6da95039ad004ee46bae6f6522b1b14f16
Malware Config
Signatures
- Blocklisted process makes network request (9 IoCs)
  Processes: wscript.exe
  flow  pid   process
  6     2152  wscript.exe
  12    2152  wscript.exe
  21    2152  wscript.exe
  23    2152  wscript.exe
  35    2152  wscript.exe
  42    2152  wscript.exe
  47    2152  wscript.exe
  57    2152  wscript.exe
  61    2152  wscript.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: wscript.exe
  description        ioc                                                                                                   process
  Key value queried  \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation  wscript.exe
- Drops startup file (2 IoCs)
  Processes: wscript.exe
  description                   ioc                                                                                              process
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Transfer_receipt_jpg.js  wscript.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Transfer_receipt_jpg.js  wscript.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes: wscript.exe
  description                        pid   process      target process
  PID 2152 wrote to memory of 5100   2152  wscript.exe  wscript.exe
  PID 2152 wrote to memory of 5100   2152  wscript.exe  wscript.exe
Processes
- C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\Transfer_receipt_jpg.js
  - Blocklisted process makes network request
  - Checks computer location settings
  - Drops startup file
  - Suspicious use of WriteProcessMemory
  Child process:
  - C:\Windows\System32\wscript.exe
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\MxFmKSzNKl.js"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\MxFmKSzNKl.js
  Filesize: 8KB
  MD5: 3f011675c4087298e1fcf32859d4449c
  SHA1: 7786493022e231a55e5588ae22c6b8006bc070c2
  SHA256: a508df80606c93588c0278b2fbb88bef2315963dcfe2276347baa1a5dc078405
  SHA512: aff5ad1afb97f55303a2dc7f83443d6806cd294a119d68b4d464ab2b6884fed0c13a40127d3dbfda095fad14f72ec0bb2194154807eacbfc61026ab4acfd107c
- memory/5100-130-0x0000000000000000-mapping.dmp