Analysis
Max time kernel: 151s
Max time network: 154s
Platform: windows10-2004_x64
Resource: win10v2004-20220812-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 11/10/2022, 10:06
Static task: static1
Behavioral task: behavioral1
Sample: Payment Swift-MT103101122.js
Resource: win7-20220901-en
General
Target: Payment Swift-MT103101122.js
Size: 15KB
MD5: 1d7e2346c393a498d60d3a43095d3b8e
SHA1: 729fe8f9886c020c6a1d61fcf68a6acd02c43515
SHA256: 22125214857ca13a8cb91e5c920d2018db792d57356537234487ad47e66ae0e0
SHA512: 74f6434c8cc87403504c7d42b5d6811f46a817416e4ce285ad50d2fb842d91636ca68e74d6cff2b23b98578e8016260d47f8d4ec5c8471b23907a7cc4b276d3e
SSDEEP: 384:12zXBxnmXyv1X1QuJRVKJbyfMZU8Hyi939s3:16RAyXZRVfMse9s3
Malware Config
Extracted: vjw0rm
URL: http://185.216.71.62:52054
Signatures
- Blocklisted process makes network request (7 IoCs)
  flow  pid   Process
  4     4832  wscript.exe
  5     4808  wscript.exe
  21    4808  wscript.exe
  35    4808  wscript.exe
  39    4808  wscript.exe
  41    4808  wscript.exe
  42    4808  wscript.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                                Process
  Key value queried  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation  wscript.exe
- Drops startup file (2 IoCs)
  description                   ioc                                                                                          Process
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FeyQENosfv.js  wscript.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FeyQENosfv.js  wscript.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (2 IoCs)
  description                       pid   Process      procid_target
  PID 4832 wrote to memory of 4808  4832  wscript.exe  82
  PID 4832 wrote to memory of 4808  4832  wscript.exe  82
Processes
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\Users\Admin\AppData\Local\Temp\Payment Swift-MT103101122.js"
  - Blocklisted process makes network request
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID: 4832
  - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\FeyQENosfv.js"
    - Blocklisted process makes network request
    - Drops startup file
    PID: 4808
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 5KB
  MD5: f008c6822efc36d36773c28c6648531a
  SHA1: e2346b75ee7d0ab6106a519f652d1b55f3fd2a28
  SHA256: 2f5f6b4f2a873a414a1541572c41ff23339fd055b46e0edffcf4adf42985ec7e
  SHA512: cd4464839b668ce3218d803f6b10c5b932b964d951d29689979c673d7e002c727f239600e6f7dc62f6d291f7612531df802660bc23ac415926f3eecefdc5fa80