Analysis
max time kernel: 139s
max time network: 153s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 26/09/2022, 08:20
Static task: static1
Behavioral task: behavioral1
Sample: Payments Pending July2022.js
Resource: win7-20220901-en
General
Target: Payments Pending July2022.js
Size: 117KB
MD5: 0689e4e89cc239978a0fd64e6d7562c2
SHA1: c4d44aa767b00e4df3e167e663d53efbb38e65cd
SHA256: b9b4fc0d7e86072d0bccd0a50fbe65fb407f3f713dc6841fe708f5675e10f3fd
SHA512: 87ca1e8ca3b345d448d7531c15a222d7603d8fd2a6c86b97596a07612f5a280c6b3006623b93797dc1d1f988547f8f5c6ce31a5da7d010af1ec5ea3cb23cbf09
SSDEEP: 1536:xutYJwehB1pUB+x6sgo7XQ526va9X9zqhnG+QMkOucOLv1lWm7ezwhcPQO:weTvUULw2VtOosux1I6ePQO
Malware Config
Extracted
formbook
te2r
Fd9/7zupFcFsmNMDWQ==
7VlRReDWtbu4LUTd5fNe/zPDyw==
jQgurOY8oCSzrjSP+2/F1jU=
xTMzpNwUaiHAy4+Anaz1
RcLapxVS9iOZhw==
lfLSnVItJp+5ImXLvcrLFTUXRmDxTnik
vj9fMOxFLjrOtdhP1GZo0KXIQ388
/91mgBbtxFIxtQk=
4FZ0aRyH/rEdFibAy+VjQyWIUIZaHBQ=
ScHdt3/t4FIxtQk=
/M9svqdL9iOZhw==
iFX1abANxkj893bVWA==
KzjvVANMpiTBmg==
aEKKEue7E9JtmNMDWQ==
+Mdhw6992svnUbzeo5y0zSn+B2co
albc98wrE0xtKjOoOOQ=
DV6CgU6omcjeZ6bJEG/F1jU=
NH981rm1JdyUNRd1
yi0xIqrxV83bmNMDWQ==
v8l52aXp4VIxtQk=
WMLesyFk2GDrymHL6sJhSA==
mwPvLC+p9iOZhw==
sRcXd1s8v+8ZeG/MtdpqB8uqeVfTxWqJgA==
NrXLmPbOmdX7f7oO2+HlKBajNSM=
rA4qraHeGwuv
81Vavo7TvrmUNRd1
6zFRRxZbN3eOC4Hr/tbSAmYB
NZ20hOzkzFIxtQk=
4W5EBEiJ/efwW2CAnaz1
jvkGKZ7zYuVfhLMOmEQgQA==
n40TaKr5UdZhmNMDWQ==
QL3juFq3IR6LgQ==
ovf90FAiAW3yz0Op6sJhSA==
6dF92/I1XmyZCQxr
pqRGRv1Rfm+K3wY=
ziAsyBFi9iOZhw==
j/n54WNFS/ujqXbX6sJhSA==
uBkjoeEzjwWGVsU+u1ku/zPDyw==
Ani5vYjvBambKG6rJLhY/zPDyw==
bewGzHnhwLTDLE+1kLrcJRajNSM=
Z7W1bBp0c6WV8SJFWjIzlT0=
1lZ79TmoGbM5AakYEza8lVG3hCW40A==
69WD6MoYDTxPzSiZELCTchajNSM=
QkTq40YlGuHCQ8H3Tddh/zPDyw==
XjK6Kjgdi4EUFlG6kKTIJRajNSM=
o/0L0WnZUQwEis1i
l51TzuC8OmWF8kZbKF4kQA==
pvUA6lqaFcVbWC2nwdvkciMJ
qPv9bbUJYOMYapyxk6/9
WiWSlWa+q9bHStE9wmAu/zPDyw==
+Op+6vPJLmbVxmPGUQ==
cjzGJW/JPy3ftZT1u9dd/zPDyw==
aseyfK4eDFIxtQk=
8uikGFKVGmLmwx4=
UZ2tszMF83SrDTxrgn2zXw==
LkLuU1I9trBxN5uA+qri
cvkoGOM9Gxivj3rgt+Jy/6KzTYDG1g==
qqdGxb3/ATVGjH28oW/F1jU=
E1lmbvY2kxZDodQ3KkV52EnisfrxTnik
EVpoA7vkSf+jqXbX6sJhSA==
/E5pOdTcxTFIksP9X9xm/zPDyw==
Mf2d+QmwiFgEis1i
A/2zGEmV7Z4/QFdu0W/F1jU=
Kn+6hS0A7PeUNRd1
riskstudio.uk
Signatures

Blocklisted process makes network request (5 IoCs)
  flow | pid | Process
  4  | 960 | WScript.exe
  10 | 960 | WScript.exe
  11 | 960 | WScript.exe
  13 | 960 | WScript.exe
  14 | 960 | WScript.exe

Downloads MZ/PE file

Executes dropped EXE (2 IoCs)
  pid | Process
  1656 | dl-15151331247720787836844007150.exe
  1480 | dl-15151331247720787836844007150.exe

Drops startup file (2 IoCs)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XFQJBzLSvS.js | WScript.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XFQJBzLSvS.js | WScript.exe

Loads dropped DLL (1 IoC)
  pid | Process
  1656 | dl-15151331247720787836844007150.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Coifnvjxl = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mnwphrqjh\\Coifnvjxl.exe\"" | dl-15151331247720787836844007150.exe

Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 1656 set thread context of 1480 | 1656 | dl-15151331247720787836844007150.exe | 35

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  1528 | powershell.exe
  1480 | dl-15151331247720787836844007150.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1656 | dl-15151331247720787836844007150.exe
  Token: SeDebugPrivilege | 1528 | powershell.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid | Process
  600 | javaw.exe

Suspicious use of WriteProcessMemory (21 IoCs; identical rows collapsed with a count)
  description | pid | Process | procid_target
  PID 1340 wrote to memory of 960  | 1340 | wscript.exe | 27  (x3)
  PID 1340 wrote to memory of 600  | 1340 | wscript.exe | 28  (x3)
  PID 600 wrote to memory of 1656  | 600  | javaw.exe   | 32  (x4)
  PID 1656 wrote to memory of 1528 | 1656 | dl-15151331247720787836844007150.exe | 33  (x4)
  PID 1656 wrote to memory of 1480 | 1656 | dl-15151331247720787836844007150.exe | 35  (x7)
Processes (indentation shows parent/child relationship)

C:\Windows\system32\wscript.exe  (PID 1340)
  command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\Payments Pending July2022.js"
  - Suspicious use of WriteProcessMemory

    C:\Windows\System32\WScript.exe  (PID 960)
      command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\XFQJBzLSvS.js"
      - Blocklisted process makes network request
      - Drops startup file

    C:\Program Files\Java\jre7\bin\javaw.exe  (PID 600)
      command line: "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\mljrbnp.txt"
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\dl-15151331247720787836844007150.exe  (PID 1656)
          command line: C:\Users\Admin\AppData\Local\Temp\dl-15151331247720787836844007150.exe
          - Executes dropped EXE
          - Loads dropped DLL
          - Adds Run key to start application
          - Suspicious use of SetThreadContext
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 1528)
              command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
              (the -enc argument is base64-encoded UTF-16LE and decodes to: Start-Sleep -Seconds 50)
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken

            C:\Users\Admin\AppData\Local\Temp\dl-15151331247720787836844007150.exe  (PID 1480)
              command line: C:\Users\Admin\AppData\Local\Temp\dl-15151331247720787836844007150.exe
              - Executes dropped EXE
              - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 7KB  (listed four times in the report, all entries with identical hashes)
MD5: 7ef3ca7c2d9d16855398bc4a40ffbf18
SHA1: b3f197e1f447a582a527d209fa0e1b5a7fc7d5d8
SHA256: 6ffada93e4930ec9519c825c43f876015e0b9065e19a4b6356a8f575d62b6e54
SHA512: 8d4dc7503026819c92b19f2208e88ce63afc8cdf413adaa8c29c0a6c9d721a0d0424f86377c3ebfcd4023c8be730da74ea849b574b7c653f5150ac7592fcbfdf

Filesize: 6KB
MD5: 1c3b0b42763f83a240f6b119d3b15c2f
SHA1: 4d70ed8dba182021d7392822e9adfec9559d6a10
SHA256: 477266506c73225a2e83e2bbe231b98d21a1bff91ca05f7f1c531d8e82f75cd7
SHA512: 61073136d0082ed4341200ceb4ee6bbb6a0fe237626576ba298db17ca1fc8c2ab3fb58d0a84387fdaef2126fc98d2d424f4600093c378720892acaa182418779

Filesize: 51KB
MD5: 195f235d676a9e8c3195d5e5e99487e4
SHA1: 829cde6ad78db81138dc93f31ca2e7c94b5d6f64
SHA256: f68ca9305c322ff38d1043d48311ad49f9ae1ad2d7d12c88bf84d1187078448c
SHA512: 48e681a9d15ca3867db4805412ba3f5916d1c5cbe8f6325285055aa65f6573130028308913f7be68e8ca51a205d2702f522bf0b6fc8bc03aa7014ce677aa8270