Analysis
-
max time kernel
148s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
22/09/2022, 10:31
Static task
static1
Behavioral task
behavioral1
Sample
Wire_payment00121.js
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
Wire_payment00121.js
Resource
win10v2004-20220812-en
General
-
Target
Wire_payment00121.js
-
Size
122KB
-
MD5
2e9bd6a3ba6f438cb52e02eb57dfabec
-
SHA1
756d8111e06785e10b3b16b9bb57fe1200793952
-
SHA256
b94ffe4623401b130c6d61df228148995ca4c9c5e0549b930da379faaf7ed608
-
SHA512
8dd16f125e41a7dc3f0bd8126818e1ae3c4a42ae74e4010ea9f22151d5dd321075b8bfd845bbaaceef86a87eef8afdb954cacd598255c569465095b949dc4b83
-
SSDEEP
3072:IHkMqQkkzkjAhWA9NPLeATG8Hu/ep2niX1P8Ji:IHkl3APPb12iXGi
Malware Config
Signatures
-
Blocklisted process makes network request 15 IoCs
flow pid Process 8 2988 WScript.exe 15 2988 WScript.exe 22 2988 WScript.exe 33 2988 WScript.exe 37 2988 WScript.exe 40 2988 WScript.exe 42 2988 WScript.exe 43 2988 WScript.exe 44 2988 WScript.exe 45 2988 WScript.exe 46 2988 WScript.exe 47 2988 WScript.exe 48 2988 WScript.exe 49 2988 WScript.exe 50 2988 WScript.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation wscript.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xdkSHVkGHl.js WScript.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xdkSHVkGHl.js WScript.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\logo = "C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw -jar \"C:\\Users\\Admin\\AppData\\Local\\Temp\\logo3856353070004354294.jar\"" javaw.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings wscript.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1672 javaw.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 3168 wrote to memory of 2988 3168 wscript.exe 82 PID 3168 wrote to memory of 2988 3168 wscript.exe 82 PID 3168 wrote to memory of 4784 3168 wscript.exe 83 PID 3168 wrote to memory of 4784 3168 wscript.exe 83 PID 4784 wrote to memory of 1672 4784 javaw.exe 90 PID 4784 wrote to memory of 1672 4784 javaw.exe 90
Processes
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\Wire_payment00121.js1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3168 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\xdkSHVkGHl.js"2⤵
- Blocklisted process makes network request
- Drops startup file
PID:2988
-
-
C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\wjrvkex.txt"2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4784 -
C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe"C:\Program Files\Java\jre1.8.0_66\bin\javaw" -jar "C:\Users\Admin\AppData\Local\Temp\logo3856353070004354294.jar"3⤵
- Suspicious use of SetWindowsHookEx
PID:1672
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
50B
MD55fd00f4882ffad65530dbc44424b4ed5
SHA1421e76ccd92dd52a0b0c857ca8cd9956f0b4f310
SHA25660483f621fbbadcbb348498d9b15caa888112bad8b3b5c92207c44c8f02c01ee
SHA512fa0bbd2b85d274107ee305f147ef32722f44684f1644838be2a334daead074b58ea49043ea910e10c0aa844ccd12bb1340bbef279ef6526d6b33f93e7ae6ea0f
-
Filesize
51KB
MD5fca3dc4c73f67ec888aafc37a4464739
SHA12511a3e134f2c64e1f94fefc44db06523debdaf9
SHA256a233f20270742df1df1b135933a9155602802e459a663393b1a34c99496ae916
SHA512f48b2604772384a0c2c070fd9c76d78d542132a63ebf0e5ba457689d12ea7c5026b52a9cdbd093746dc1d1a2b255095a9e60cd4f8a9dda8852e4436050273831
-
Filesize
57KB
MD559752f841ad1eac6caa86af34a5ae05f
SHA1e0e64838635f83cc207abada5b6301cb136b85dc
SHA256c0d3b3af1c8133018422f65bcce05864d0f8f446f8ed7c6adafb6832d7be0a85
SHA512675ed6a022d62a0bd81500bd5592be7373a13f67f26367ad2f4a3ee18fe01a8d3171a759e99bf00db7145ac8b6509c99bd8a3e3da98aaef7253a951d2a5c3431
-
Filesize
5KB
MD53f105e8206e44ccdd4dece8261834b92
SHA195b3f3ab53aff4ac98e4e617ab3176a661ec3030
SHA256aa73976ca89d1e98b4032da92adb7229d90f14b7f649443b87205a0b542bed75
SHA5127c4f203852623c7dcf15b780487a42bdcde25855aac5061813af59cf36f8379d429e917e0f7704176104f62e562e3b6c552197db7b229fef50a561acec85267f