Analysis
-
max time kernel
144s -
max time network
151s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system -
submitted
22/09/2022, 10:31
Static task
static1
Behavioral task
behavioral1
Sample
Wire_payment00121.js
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
Wire_payment00121.js
Resource
win10v2004-20220812-en
General
-
Target
Wire_payment00121.js
-
Size
122KB
-
MD5
2e9bd6a3ba6f438cb52e02eb57dfabec
-
SHA1
756d8111e06785e10b3b16b9bb57fe1200793952
-
SHA256
b94ffe4623401b130c6d61df228148995ca4c9c5e0549b930da379faaf7ed608
-
SHA512
8dd16f125e41a7dc3f0bd8126818e1ae3c4a42ae74e4010ea9f22151d5dd321075b8bfd845bbaaceef86a87eef8afdb954cacd598255c569465095b949dc4b83
-
SSDEEP
3072:IHkMqQkkzkjAhWA9NPLeATG8Hu/ep2niX1P8Ji:IHkl3APPb12iXGi
Malware Config
Signatures
-
Blocklisted process makes network request 13 IoCs
flow pid Process 4 948 WScript.exe 5 948 WScript.exe 9 948 WScript.exe 11 948 WScript.exe 12 948 WScript.exe 13 948 WScript.exe 15 948 WScript.exe 16 948 WScript.exe 17 948 WScript.exe 19 948 WScript.exe 20 948 WScript.exe 21 948 WScript.exe 23 948 WScript.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xdkSHVkGHl.js WScript.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xdkSHVkGHl.js WScript.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\logo = "C:\\Program Files\\Java\\jre7\\bin\\javaw -jar \"C:\\Users\\Admin\\AppData\\Local\\Temp\\logo670358334554939628.jar\"" javaw.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1388 javaw.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 1364 wrote to memory of 948 1364 wscript.exe 26 PID 1364 wrote to memory of 948 1364 wscript.exe 26 PID 1364 wrote to memory of 948 1364 wscript.exe 26 PID 1364 wrote to memory of 1296 1364 wscript.exe 27 PID 1364 wrote to memory of 1296 1364 wscript.exe 27 PID 1364 wrote to memory of 1296 1364 wscript.exe 27 PID 1296 wrote to memory of 1388 1296 javaw.exe 31 PID 1296 wrote to memory of 1388 1296 javaw.exe 31 PID 1296 wrote to memory of 1388 1296 javaw.exe 31
Processes
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\Wire_payment00121.js1⤵
- Suspicious use of WriteProcessMemory
PID:1364 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\xdkSHVkGHl.js"2⤵
- Blocklisted process makes network request
- Drops startup file
PID:948
-
-
C:\Program Files\Java\jre7\bin\javaw.exe"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\vkuilxi.txt"2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1296 -
C:\Program Files\Java\jre7\bin\javaw.exe"C:\Program Files\Java\jre7\bin\javaw" -jar "C:\Users\Admin\AppData\Local\Temp\logo670358334554939628.jar"3⤵
- Suspicious use of SetWindowsHookEx
PID:1388
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
51KB
MD5fca3dc4c73f67ec888aafc37a4464739
SHA12511a3e134f2c64e1f94fefc44db06523debdaf9
SHA256a233f20270742df1df1b135933a9155602802e459a663393b1a34c99496ae916
SHA512f48b2604772384a0c2c070fd9c76d78d542132a63ebf0e5ba457689d12ea7c5026b52a9cdbd093746dc1d1a2b255095a9e60cd4f8a9dda8852e4436050273831
-
Filesize
57KB
MD559752f841ad1eac6caa86af34a5ae05f
SHA1e0e64838635f83cc207abada5b6301cb136b85dc
SHA256c0d3b3af1c8133018422f65bcce05864d0f8f446f8ed7c6adafb6832d7be0a85
SHA512675ed6a022d62a0bd81500bd5592be7373a13f67f26367ad2f4a3ee18fe01a8d3171a759e99bf00db7145ac8b6509c99bd8a3e3da98aaef7253a951d2a5c3431
-
Filesize
5KB
MD53f105e8206e44ccdd4dece8261834b92
SHA195b3f3ab53aff4ac98e4e617ab3176a661ec3030
SHA256aa73976ca89d1e98b4032da92adb7229d90f14b7f649443b87205a0b542bed75
SHA5127c4f203852623c7dcf15b780487a42bdcde25855aac5061813af59cf36f8379d429e917e0f7704176104f62e562e3b6c552197db7b229fef50a561acec85267f