Analysis
- max time kernel: 143s
- max time network: 141s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-02-2023 08:27
Static task: static1
Behavioral task: behavioral1
- Sample: corrected the terms of payment.js
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: corrected the terms of payment.js
- Resource: win10v2004-20221111-en
General
- Target: corrected the terms of payment.js
- Size: 226KB
- MD5: 280e79b75c74e2449baf87a246927342
- SHA1: 5b5376e5c25f25d65ba2717908ca0f559a0f0446
- SHA256: 3033956fcd540bc6d9f64fe4bce35b626deb627f7cc8394c19d1e3c07485ef61
- SHA512: a6eecca1695fd32ba91c58b028342d96731bb3e8f7641fba00cdceebdedd32e95555eda6cbc29711c5dcd437763129e080666bb037141356e162da5391a49061
- SSDEEP: 6144:dKWuABY4W3vLv93KN4bwG0CehURoxNRHyM3:dKlIYu4UG7axWM3
Malware Config
Signatures
- Async RAT payload (1 IoC)
  Yara rule "asyncrat" matched resource behavioral2/memory/5044-142-0x0000000000400000-0x0000000000427000-memory.dmp
- Executes dropped EXE (3 IoCs)
  PID 4488 corrected the terms of payment.exe
  PID 5068 fiomns.exe
  PID 5044 fiomns.exe
- Yara rule "upx" match
  Resource behavioral2/memory/5044-142-0x0000000000400000-0x0000000000427000-memory.dmp
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  wscript.exe queried key value \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation
- Adds Run key to start application (2 TTPs, 1 IoC)
  fiomns.exe set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wwgkhtl = "C:\\Users\\Admin\\AppData\\Roaming\\xuuncym\\ktdvudbcvsiab.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\fiomns.exe\" C:\\Users\\Admin\\AppData\\Loc"
- Suspicious use of SetThreadContext (1 IoC)
  PID 5068 fiomns.exe set thread context of PID 5044 fiomns.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: MapViewOfSection (1 IoC)
  PID 5068 fiomns.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  PID 4880 wscript.exe wrote to memory of PID 4488 corrected the terms of payment.exe (3 times)
  PID 4488 corrected the terms of payment.exe wrote to memory of PID 5068 fiomns.exe (3 times)
  PID 5068 fiomns.exe wrote to memory of PID 5044 fiomns.exe (4 times)
Processes
- [1] C:\Windows\system32\wscript.exe
  Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\corrected the terms of payment.js"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Roaming\corrected the terms of payment.exe
    Command line: "C:\Users\Admin\AppData\Roaming\corrected the terms of payment.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\fiomns.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\fiomns.exe" C:\Users\Admin\AppData\Local\Temp\sfzptila.k
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      - [4] C:\Users\Admin\AppData\Local\Temp\fiomns.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\fiomns.exe"
        - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\fiomns.exe
  Filesize: 79KB
  MD5: 38439b052a6d88388b3b1f0488125415
  SHA1: b85ac7eaf1b1e7f2a60a0ba81f8517e4fd5f5b77
  SHA256: 9aae0d4712fbe49fa510a9fc6005e6d089f6c6c81e7b3f8b7c142a8b9c374011
  SHA512: 885433f1522f21329661cb93d25e79c134146bf6669b5ce6cbe8ec40d5c75a3bcabb855a456c357d577ce63ff66e7ed22caabcae88da5dee48a16110d06a954a
- C:\Users\Admin\AppData\Local\Temp\muwrlvoxh.i
  Filesize: 86KB
  MD5: 75cb1145b5c982d69117a652be2fba74
  SHA1: 337872e05566140584ef7a18d9117e30d82d8210
  SHA256: b8b087db90792d4e1c24abeb4fff4641b850605f20d5886311efc052ceee1a2b
  SHA512: 889d95db94f0c5ca2381e53ccc2ad2aa8819e60201469ffa9dbb479eaa9e041d5da55a7746f54ef2f8cd73896dd7635bdf2acd772ba2205f4e3dc06c05a8bbc8
- C:\Users\Admin\AppData\Local\Temp\sfzptila.k
  Filesize: 7KB
  MD5: 787a0d646c90be5bdfb7d5d1d995b2ab
  SHA1: eadf98a286e77264b367be608294fe7a1d12495d
  SHA256: c9b542f94efcb6e178f5ec2a296a5e38c7ae537258564f7ca9a99887b5604625
  SHA512: ec14069aac96b4fcde4c6be9f0dfe1b5c0a64eb27fa2e7f57e2d4694a2738b8c93fdc8a436a812813b7156b967f393f260db63f1da6390200252838dd73c8449
- C:\Users\Admin\AppData\Roaming\corrected the terms of payment.exe
  Filesize: 169KB
  MD5: bce338955b526be6f1068b1f4683b784
  SHA1: f0b7d34426c02a5e8dd32b64d74ad36412ec135d
  SHA256: 6862138d0d12b55f99890e3560a68e5afa342c04b03138d935346b90ac1a2f9f
  SHA512: f94aaae0072cdcbd18ae1d29a23baae5ff0d91bc602a7433892bd186210fc04e1124996b869a0aaf24cbf25ddafece95ff54eda1be33adf1e55579ddb69d098b
- memory/4488-132-0x0000000000000000-mapping.dmp
- memory/5044-140-0x0000000000000000-mapping.dmp
- memory/5044-142-0x0000000000400000-0x0000000000427000-memory.dmp
  Filesize: 156KB
- memory/5068-135-0x0000000000000000-mapping.dmp