Analysis

max time kernel: 148s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26/09/2022, 08:20

Static task: static1
Behavioral task: behavioral1
Sample: Payments Pending July2022.js
Resource: win7-20220901-en
General

Target: Payments Pending July2022.js
Size: 117KB
MD5: 0689e4e89cc239978a0fd64e6d7562c2
SHA1: c4d44aa767b00e4df3e167e663d53efbb38e65cd
SHA256: b9b4fc0d7e86072d0bccd0a50fbe65fb407f3f713dc6841fe708f5675e10f3fd
SHA512: 87ca1e8ca3b345d448d7531c15a222d7603d8fd2a6c86b97596a07612f5a280c6b3006623b93797dc1d1f988547f8f5c6ce31a5da7d010af1ec5ea3cb23cbf09
SSDEEP: 1536:xutYJwehB1pUB+x6sgo7XQ526va9X9zqhnG+QMkOucOLv1lWm7ezwhcPQO:weTvUULw2VtOosux1I6ePQO
Malware Config

Extracted family: formbook
Extracted values, in the order the sandbox exported them (the field labels did not survive extraction; the encoded strings are reproduced verbatim):
te2r
Fd9/7zupFcFsmNMDWQ==
7VlRReDWtbu4LUTd5fNe/zPDyw==
jQgurOY8oCSzrjSP+2/F1jU=
xTMzpNwUaiHAy4+Anaz1
RcLapxVS9iOZhw==
lfLSnVItJp+5ImXLvcrLFTUXRmDxTnik
vj9fMOxFLjrOtdhP1GZo0KXIQ388
/91mgBbtxFIxtQk=
4FZ0aRyH/rEdFibAy+VjQyWIUIZaHBQ=
ScHdt3/t4FIxtQk=
/M9svqdL9iOZhw==
iFX1abANxkj893bVWA==
KzjvVANMpiTBmg==
aEKKEue7E9JtmNMDWQ==
+Mdhw6992svnUbzeo5y0zSn+B2co
albc98wrE0xtKjOoOOQ=
DV6CgU6omcjeZ6bJEG/F1jU=
NH981rm1JdyUNRd1
yi0xIqrxV83bmNMDWQ==
v8l52aXp4VIxtQk=
WMLesyFk2GDrymHL6sJhSA==
mwPvLC+p9iOZhw==
sRcXd1s8v+8ZeG/MtdpqB8uqeVfTxWqJgA==
NrXLmPbOmdX7f7oO2+HlKBajNSM=
rA4qraHeGwuv
81Vavo7TvrmUNRd1
6zFRRxZbN3eOC4Hr/tbSAmYB
NZ20hOzkzFIxtQk=
4W5EBEiJ/efwW2CAnaz1
jvkGKZ7zYuVfhLMOmEQgQA==
n40TaKr5UdZhmNMDWQ==
QL3juFq3IR6LgQ==
ovf90FAiAW3yz0Op6sJhSA==
6dF92/I1XmyZCQxr
pqRGRv1Rfm+K3wY=
ziAsyBFi9iOZhw==
j/n54WNFS/ujqXbX6sJhSA==
uBkjoeEzjwWGVsU+u1ku/zPDyw==
Ani5vYjvBambKG6rJLhY/zPDyw==
bewGzHnhwLTDLE+1kLrcJRajNSM=
Z7W1bBp0c6WV8SJFWjIzlT0=
1lZ79TmoGbM5AakYEza8lVG3hCW40A==
69WD6MoYDTxPzSiZELCTchajNSM=
QkTq40YlGuHCQ8H3Tddh/zPDyw==
XjK6Kjgdi4EUFlG6kKTIJRajNSM=
o/0L0WnZUQwEis1i
l51TzuC8OmWF8kZbKF4kQA==
pvUA6lqaFcVbWC2nwdvkciMJ
qPv9bbUJYOMYapyxk6/9
WiWSlWa+q9bHStE9wmAu/zPDyw==
+Op+6vPJLmbVxmPGUQ==
cjzGJW/JPy3ftZT1u9dd/zPDyw==
aseyfK4eDFIxtQk=
8uikGFKVGmLmwx4=
UZ2tszMF83SrDTxrgn2zXw==
LkLuU1I9trBxN5uA+qri
cvkoGOM9Gxivj3rgt+Jy/6KzTYDG1g==
qqdGxb3/ATVGjH28oW/F1jU=
E1lmbvY2kxZDodQ3KkV52EnisfrxTnik
EVpoA7vkSf+jqXbX6sJhSA==
/E5pOdTcxTFIksP9X9xm/zPDyw==
Mf2d+QmwiFgEis1i
A/2zGEmV7Z4/QFdu0W/F1jU=
Kn+6hS0A7PeUNRd1
riskstudio.uk (the only plain hostname in the extracted configuration; treat it as a network IoC alongside the file hashes above)
Signatures

Blocklisted process makes network request (6 IoCs)
flow | pid  | Process
5    | 2128 | WScript.exe
33   | 2128 | WScript.exe
42   | 2128 | WScript.exe
44   | 2128 | WScript.exe
45   | 2128 | WScript.exe
46   | 2128 | WScript.exe

Downloads MZ/PE file

Executes dropped EXE (2 IoCs)
pid  | Process
4772 | dl-17096158396911694833019677680.exe
2304 | dl-17096158396911694833019677680.exe

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description       | ioc                                                                                                 | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | wscript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | dl-17096158396911694833019677680.exe

Drops startup file (2 IoCs)
description                  | ioc                                                                                        | Process
File created                 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XFQJBzLSvS.js | WScript.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XFQJBzLSvS.js | WScript.exe

Adds Run key to start application (2 TTPs, 1 IoC)
description     | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Coifnvjxl = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mnwphrqjh\\Coifnvjxl.exe\"" | dl-17096158396911694833019677680.exe

Suspicious use of SetThreadContext (1 IoC)
description                         | pid  | Process                              | procid_target
PID 4772 set thread context of 2304 | 4772 | dl-17096158396911694833019677680.exe | 90
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic text for this signature adds "Likely ransomware behaviour", but nothing else in this report supports that: the extracted configuration is Formbook (an information stealer), and the observed behaviour is Run-key persistence and thread-context injection. Treat the drive enumeration here as a low-weight indicator, not a ransomware verdict.
Modifies registry class (1 IoC)
description | ioc                                                                               | Process
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings | wscript.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid  | Process
1176 | powershell.exe
1176 | powershell.exe
2304 | dl-17096158396911694833019677680.exe
2304 | dl-17096158396911694833019677680.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description             | pid  | Process
Token: SeDebugPrivilege | 4772 | dl-17096158396911694833019677680.exe
Token: SeDebugPrivilege | 1176 | powershell.exe

Suspicious use of SetWindowsHookEx (1 IoC)
pid  | Process
4700 | javaw.exe

Suspicious use of WriteProcessMemory (16 IoCs; identical rows are collapsed, the count is the number of times the sandbox recorded the call)
description                       | pid  | Process                              | procid_target | count
PID 2672 wrote to memory of 2128  | 2672 | wscript.exe                          | 78            | 2
PID 2672 wrote to memory of 4700  | 2672 | wscript.exe                          | 79            | 2
PID 4700 wrote to memory of 4772  | 4700 | javaw.exe                            | 82            | 3
PID 4772 wrote to memory of 1176  | 4772 | dl-17096158396911694833019677680.exe | 85            | 3
PID 4772 wrote to memory of 2304  | 4772 | dl-17096158396911694833019677680.exe | 90            | 6
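The WriteProcessMemory and SetThreadContext rows above are more useful together than apart: a parent writing into a child it just created is normal (the loader writes the new process's parameters that way), but the same source also setting the target's thread context is the process-hollowing sequence. The following Python is an added example, not part of the sandbox report; it parses rows in the flattened format shown above (copied verbatim from this report as constructed input) and flags source/target pairs that show both operations. The PID-to-image map is taken from the process tree in this report; the function names and the flattened-row regex are this example's own assumptions about the export format.

```python
import re
from collections import defaultdict

# Constructed input: the unique rows from the WriteProcessMemory and
# SetThreadContext signatures in this report (the sandbox repeats a row
# once per recorded API call; duplicates add nothing here).
SIGNATURE_ROWS = """\
PID 2672 wrote to memory of 2128 2672 wscript.exe 78
PID 2672 wrote to memory of 4700 2672 wscript.exe 79
PID 4700 wrote to memory of 4772 4700 javaw.exe 82
PID 4772 wrote to memory of 1176 4772 dl-17096158396911694833019677680.exe 85
PID 4772 wrote to memory of 2304 4772 dl-17096158396911694833019677680.exe 90
PID 4772 set thread context of 2304 4772 dl-17096158396911694833019677680.exe 90
"""

# PID -> image name, read off the process tree in this report.
PROCESSES = {
    2672: "wscript.exe",
    2128: "WScript.exe",
    4700: "javaw.exe",
    4772: "dl-17096158396911694833019677680.exe",
    1176: "powershell.exe",
    2304: "dl-17096158396911694833019677680.exe",
}

# Row layout assumed from the export: "<description> <pid> <Process> <procid_target>",
# where the description itself starts with "PID <src> ... of <dst>". The
# (?P=src) backreference rejects rows whose pid column disagrees with the text.
ROW = re.compile(
    r"PID (?P<src>\d+) (?P<op>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) (?P=src) (?P<image>\S+) (?P<target_idx>\d+)$"
)


def parse_rows(text):
    """Return {(src_pid, dst_pid): {"write", "set_context"}} from flattened rows."""
    edges = defaultdict(set)
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # not an injection row; ignore
        op = "write" if m["op"].startswith("wrote") else "set_context"
        edges[(int(m["src"]), int(m["dst"]))].add(op)
    return dict(edges)


def find_hollowing(text, processes):
    """Pairs where one source both wrote into and set the thread context of
    the same target. A write alone is how every parent starts a child, so it
    is deliberately not flagged; write + SetThreadContext is the hollowing
    pattern. same_image marks the self-hollowing variant (parent re-launches
    its own binary and overwrites it), which is what this report shows."""
    hits = []
    for (src, dst), ops in sorted(parse_rows(text).items()):
        if {"write", "set_context"} <= ops:
            src_img = processes.get(src, "?").lower()
            dst_img = processes.get(dst, "?").lower()
            hits.append({"injector": src, "target": dst,
                         "same_image": src_img == dst_img})
    return hits


if __name__ == "__main__":
    for hit in find_hollowing(SIGNATURE_ROWS, PROCESSES):
        print(f"hollowing candidate: {hit['injector']} -> {hit['target']} "
              f"(same image: {hit['same_image']})")
```

On this report the only hit is 4772 -> 2304, both instances of the dropped executable, which matches the tree below where the second dl-*.exe is the one that carries the Formbook behaviour. The write-only edges (wscript -> javaw, javaw -> dropper) are process creation, not injection.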
Processes

[1] C:\Windows\system32\wscript.exe (PID 2672)
    wscript.exe "C:\Users\Admin\AppData\Local\Temp\Payments Pending July2022.js"
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\System32\WScript.exe (PID 2128)
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\XFQJBzLSvS.js"
        Second-stage script written to AppData\Roaming; the same file name is also dropped into the Startup folder (see "Drops startup file"), which is the persistence for this stage.
        - Blocklisted process makes network request
        - Drops startup file

    [2] C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe (PID 4700)
        "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\dqvpmqlbj.txt"
        A JAR saved with a .txt extension; javaw -jar does not care about the extension.
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Local\Temp\dl-17096158396911694833019677680.exe (PID 4772)
            C:\Users\Admin\AppData\Local\Temp\dl-17096158396911694833019677680.exe
            - Executes dropped EXE
            - Checks computer location settings
            - Adds Run key to start application
            - Suspicious use of SetThreadContext
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1176)
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
                The -enc argument is base64 over UTF-16LE text and decodes to: Start-Sleep -Seconds 50. It is a delay, not a payload; 50 seconds is well inside this run's 148s kernel window. The image path is under SysWOW64 although the command line names System32: that is WOW64 file-system redirection, so the parent dropper is a 32-bit process and this is the 32-bit PowerShell.
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken

            [4] C:\Users\Admin\AppData\Local\Temp\dl-17096158396911694833019677680.exe (PID 2304)
                C:\Users\Admin\AppData\Local\Temp\dl-17096158396911694833019677680.exe
                Second instance of the dropper. PID 4772 started it, wrote to its memory and set its thread context (see the WriteProcessMemory and SetThreadContext signatures): the pattern of a process hollowing a child made from its own binary.
                - Executes dropped EXE
                - Suspicious behavior: EnumeratesProcesses
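The PowerShell child in the tree above is launched with -enc, so the actual command never appears in the process tree until someone decodes it. The Python below is an added example (not part of the sandbox report or its tooling) that pulls the encoded argument out of a recorded command line, decodes it the way powershell.exe does (base64 over UTF-16LE, missing padding tolerated, any unambiguous prefix of -EncodedCommand accepted), and then measures how long the decoded script sleeps, since a long delay is a common way to outlast a sandbox's execution window. The sample command line is constructed from PID 1176 above; the function names and the prefix-matching rule for the flag are this example's own assumptions.

```python
import base64
import re
import shlex

# Constructed input: the command line the sandbox recorded for powershell.exe
# (PID 1176) in the process tree above.
SAMPLE_CMDLINE = (
    '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    "-enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA=="
)


def decode_encoded_command(payload: str) -> str:
    """Decode a -EncodedCommand argument: base64 over UTF-16LE script text.

    powershell.exe accepts a payload with the trailing '=' padding stripped,
    and droppers sometimes strip it, so the padding is restored first.
    """
    payload = payload.strip().strip("\"'")
    payload += "=" * (-len(payload) % 4)
    return base64.b64decode(payload).decode("utf-16-le")


def _is_encoded_flag(token: str) -> bool:
    # Assumption used here: powershell.exe takes any unambiguous prefix of
    # -EncodedCommand (-e, -ec, -enc, -encoded, ...), with '-' or '/',
    # case-insensitively. -ex... belongs to -ExecutionPolicy and is rejected
    # because it is not a prefix of "encodedcommand".
    if len(token) < 2 or token[0] not in "-/":
        return False
    name = token[1:].lower()
    return name.startswith("e") and "encodedcommand".startswith(name)


def extract_encoded_command(cmdline: str):
    """Return the decoded script from a recorded command line, or None."""
    # posix=False keeps Windows quoting together and does not treat '\' as escape
    tokens = shlex.split(cmdline, posix=False)
    for i, tok in enumerate(tokens[:-1]):
        if _is_encoded_flag(tok):
            return decode_encoded_command(tokens[i + 1])
    return None


# Start-Sleep with -Seconds (or a prefix of it), -Milliseconds (or -m), or a
# bare positional number, which PowerShell treats as seconds.
_SLEEP = re.compile(
    r"Start-Sleep\s+(?:-(?P<unit>s(?:ec(?:onds)?)?|m(?:illiseconds)?)\s+)?(?P<n>\d+)",
    re.IGNORECASE,
)


def sleep_seconds(script: str) -> float:
    """Total seconds the script spends in Start-Sleep calls (0 if none).

    Compare the result with the report's run time: a sleep longer than the
    analysis window means the interesting behaviour never executed.
    """
    total = 0.0
    for m in _SLEEP.finditer(script):
        n = int(m["n"])
        unit = (m["unit"] or "s").lower()
        total += n / 1000 if unit.startswith("m") else n
    return total


if __name__ == "__main__":
    script = extract_encoded_command(SAMPLE_CMDLINE)
    print(script)                 # Start-Sleep -Seconds 50
    print(sleep_seconds(script))  # 50.0, versus the 148s kernel time of this run
```

For this sample the decoded script is just a 50-second pause, so the dropper was waiting rather than hiding a second payload in the argument; the same decoder applies unchanged to the multi-kilobyte -enc blobs that do carry loaders.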
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 7KB (this entry appears three times in the report, with identical hashes)
MD5: 7ef3ca7c2d9d16855398bc4a40ffbf18
SHA1: b3f197e1f447a582a527d209fa0e1b5a7fc7d5d8
SHA256: 6ffada93e4930ec9519c825c43f876015e0b9065e19a4b6356a8f575d62b6e54
SHA512: 8d4dc7503026819c92b19f2208e88ce63afc8cdf413adaa8c29c0a6c9d721a0d0424f86377c3ebfcd4023c8be730da74ea849b574b7c653f5150ac7592fcbfdf

Filesize: 6KB
MD5: 1c3b0b42763f83a240f6b119d3b15c2f
SHA1: 4d70ed8dba182021d7392822e9adfec9559d6a10
SHA256: 477266506c73225a2e83e2bbe231b98d21a1bff91ca05f7f1c531d8e82f75cd7
SHA512: 61073136d0082ed4341200ceb4ee6bbb6a0fe237626576ba298db17ca1fc8c2ab3fb58d0a84387fdaef2126fc98d2d424f4600093c378720892acaa182418779

Filesize: 51KB
MD5: 195f235d676a9e8c3195d5e5e99487e4
SHA1: 829cde6ad78db81138dc93f31ca2e7c94b5d6f64
SHA256: f68ca9305c322ff38d1043d48311ad49f9ae1ad2d7d12c88bf84d1187078448c
SHA512: 48e681a9d15ca3867db4805412ba3f5916d1c5cbe8f6325285055aa65f6573130028308913f7be68e8ca51a205d2702f522bf0b6fc8bc03aa7014ce677aa8270