Analysis
- max time kernel: 147s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 11/10/2022, 10:06
- Static task: static1
- Behavioral task: behavioral1
- Sample: Payment Swift-MT103101122.js
- Resource: win7-20220901-en
General
- Target: Payment Swift-MT103101122.js
- Size: 15KB
- MD5: 1d7e2346c393a498d60d3a43095d3b8e
- SHA1: 729fe8f9886c020c6a1d61fcf68a6acd02c43515
- SHA256: 22125214857ca13a8cb91e5c920d2018db792d57356537234487ad47e66ae0e0
- SHA512: 74f6434c8cc87403504c7d42b5d6811f46a817416e4ce285ad50d2fb842d91636ca68e74d6cff2b23b98578e8016260d47f8d4ec5c8471b23907a7cc4b276d3e
- SSDEEP: 384:12zXBxnmXyv1X1QuJRVKJbyfMZU8Hyi939s3:16RAyXZRVfMse9s3
Malware Config
Extracted
vjw0rm
http://185.216.71.62:52054
Signatures
- Blocklisted process makes network request (6 IoCs)
  flow  pid   Process
  4     668   wscript.exe
  5     1324  wscript.exe
  9     668   wscript.exe
  13    668   wscript.exe
  18    668   wscript.exe
  22    668   wscript.exe
- Drops startup file (2 IoCs)
  description                   ioc                                                                                    Process
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FeyQENosfv.js  wscript.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FeyQENosfv.js  wscript.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (3 IoCs)
  description                      pid   Process      procid_target
  PID 1324 wrote to memory of 668  1324  wscript.exe  27
  PID 1324 wrote to memory of 668  1324  wscript.exe  27
  PID 1324 wrote to memory of 668  1324  wscript.exe  27
Processes
- 1. C:\Windows\system32\wscript.exe
  Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\Payment Swift-MT103101122.js"
  PID: 1324
  - Blocklisted process makes network request
  - Suspicious use of WriteProcessMemory
  - 2. C:\Windows\System32\wscript.exe (child of PID 1324)
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\FeyQENosfv.js"
    PID: 668
    - Blocklisted process makes network request
    - Drops startup file
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 5KB
- MD5: f008c6822efc36d36773c28c6648531a
- SHA1: e2346b75ee7d0ab6106a519f652d1b55f3fd2a28
- SHA256: 2f5f6b4f2a873a414a1541572c41ff23339fd055b46e0edffcf4adf42985ec7e
- SHA512: cd4464839b668ce3218d803f6b10c5b932b964d951d29689979c673d7e002c727f239600e6f7dc62f6d291f7612531df802660bc23ac415926f3eecefdc5fa80