Analysis

Max time kernel: 147s
Max time network: 153s
Platform: windows10-2004_x64
Resource: win10v2004-20220812-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 18/10/2022, 11:09
Static task: static1
Behavioral task: behavioral1
Sample: Foriegn Payment_swift.js
Resource: win7-20220901-en
General

Target: Foriegn Payment_swift.js
Size: 355KB
MD5: 2e7136980055602233a13801274f2a84
SHA1: b913cf35176a707b3f6609a25c1ae3194bcae02c
SHA256: 819a81aabd1c014d5f27ba2ba1265dce1f667093279565d43f76a5e82d3ed7a9
SHA512: d01edb5d308ef39678d42ad07e90f9c2456c8da7105b71c9da3101991b3f8bbd61d04554a2de3a88389d985cc8166a942a1fc43a4231d45a06513e50b15f09c6
SSDEEP: 6144:xH3/F20qAbAFBJPF9NSil2+lO08e3wRiiH9NbyB7iGF2r0OPuub:l3woAjJPF9Jl/A08e3piHvY7iGwj2ub
Malware Config
Extracted
formbook
xrob
pauloeamanda.com
Signatures

Blocklisted process makes network request (6 IoCs)
flow | pid | Process
6 | 820 | wscript.exe
20 | 820 | wscript.exe
50 | 820 | wscript.exe
66 | 820 | wscript.exe
79 | 820 | wscript.exe
93 | 820 | wscript.exe

Executes dropped EXE (1 IoCs)
pid | Process
2496 | bin.exe

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | bin.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | wscript.exe

Drops startup file (2 IoCs)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fdnTARLxlP.js | wscript.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fdnTARLxlP.js | wscript.exe

Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
PID 2496 set thread context of 2720 | 2496 | bin.exe | 41
PID 4752 set thread context of 2720 | 4752 | systray.exe | 41
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies Internet Explorer settings (1 IoCs)
description | ioc | Process
Key created | \Registry\User\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | systray.exe
Suspicious behavior: EnumeratesProcesses (62 IoCs)
pid | Process
2496 | bin.exe (8 identical rows)
4752 | systray.exe (the remaining 54 identical rows)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid | Process
2720 | Explorer.EXE

Suspicious behavior: MapViewOfSection (7 IoCs)
pid | Process
2496 | bin.exe
2496 | bin.exe
2496 | bin.exe
4752 | systray.exe
4752 | systray.exe
4752 | systray.exe
4752 | systray.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2496 | bin.exe
Token: SeDebugPrivilege | 4752 | systray.exe

Suspicious use of WriteProcessMemory (11 IoCs)
description | pid | Process | procid_target
PID 2100 wrote to memory of 820 | 2100 | wscript.exe | 82
PID 2100 wrote to memory of 820 | 2100 | wscript.exe | 82
PID 2100 wrote to memory of 2496 | 2100 | wscript.exe | 83
PID 2100 wrote to memory of 2496 | 2100 | wscript.exe | 83
PID 2100 wrote to memory of 2496 | 2100 | wscript.exe | 83
PID 2720 wrote to memory of 4752 | 2720 | Explorer.EXE | 84
PID 2720 wrote to memory of 4752 | 2720 | Explorer.EXE | 84
PID 2720 wrote to memory of 4752 | 2720 | Explorer.EXE | 84
PID 4752 wrote to memory of 224 | 4752 | systray.exe | 91
PID 4752 wrote to memory of 224 | 4752 | systray.exe | 91
PID 4752 wrote to memory of 224 | 4752 | systray.exe | 91
Processes

C:\Windows\system32\wscript.exe (PID 2100)
  Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\Foriegn Payment_swift.js"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

    C:\Windows\System32\wscript.exe (PID 820)
      Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\fdnTARLxlP.js"
      - Blocklisted process makes network request
      - Drops startup file

    C:\Users\Admin\AppData\Local\Temp\bin.exe (PID 2496)
      Command line: "C:\Users\Admin\AppData\Local\Temp\bin.exe"
      - Executes dropped EXE
      - Checks computer location settings
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\Explorer.EXE (PID 2720)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\systray.exe (PID 4752)
      Command line: "C:\Windows\SysWOW64\systray.exe"
      - Suspicious use of SetThreadContext
      - Modifies Internet Explorer settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

        C:\Program Files\Mozilla Firefox\Firefox.exe (PID 224)
          Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 185KB
MD5: 26db0806c0871f293a77e5d5676e2fd8
SHA1: 7c17ccce454d81bb999c04d45e9e4913969a73ee
SHA256: 2c623f8e02e0aef43501e320fd20a3b407dcf35676e6620574bf7e8ce4844e66
SHA512: 0dac19dab4827a036a4e42371807639a4c378b440c3edc9ae30171cfb62a894243dc55ad5145434fac384aa37dd32381d148757e35c08300bbfe45c4cb85c09f

Filesize: 7KB
MD5: 6cc1717cad794e25164a2ba358fa22d3
SHA1: c8fd430bcb92ff060a85ca4fd7a2b829b069a234
SHA256: 8d17a84d7c1174928e0365e78288e2356c0d99f2194ebb2f4634333d80fc24c9
SHA512: 2db6675ca2c685b4d7823714bc6b9474184a20b9733d160bf83c88bad419427151c80607fd1c05cc6152fa6d4c30d6204442d6b446421012db34aa0eb7ff7364