Analysis
max time kernel: 597s
max time network: 601s
platform: windows10-1703_x64
resource: win10-20230220-en
resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
submitted: 31-05-2023 15:46
Static task: static1
Behavioral task: behavioral1
  Sample: Bank_Credit_authorization_letter_pdf.js
  Resource: win10-20230220-en
Behavioral task: behavioral2
  Sample: Bank_Credit_authorization_letter_pdf.js
  Resource: win10v2004-20230220-en
General
Target: Bank_Credit_authorization_letter_pdf.js
Size: 237KB
MD5: 244939587914af01d24ef6a3e14581af
SHA1: 45ec0fb28d93363e9e17818bc7cfaafdc3c680b1
SHA256: b9ecbdc46ba03daf23a6b2c0a32b6c950bef2d1d4ab967dcf901d65a48e835fb
SHA512: 1bd8d0a00dc70936e2238115b41da10f791819e19c6582810132fa8cfca478264a867bdc1f65db278c75358aa7b21b304ac0b9f0aa7d72d0a09080008205ad4e
SSDEEP: 3072:MhYgNripx58ev3jK5Kk00LvVPdTg9r2e9XSg6ZSjglFfgKCuAQkvXI0:MEx5jv324tYvtdTUNsxZ9lFoKCuAlXl
Malware Config
Signatures
Blocklisted process makes network request (64 IoCs)
Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bank_Credit_authorization_letter_pdf.js (wscript.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bank_Credit_authorization_letter_pdf.js (wscript.exe)
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 1: ip-api.com
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Downloads
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bank_Credit_authorization_letter_pdf.js
  Filesize: 237KB
  MD5: 244939587914af01d24ef6a3e14581af
  SHA1: 45ec0fb28d93363e9e17818bc7cfaafdc3c680b1
  SHA256: b9ecbdc46ba03daf23a6b2c0a32b6c950bef2d1d4ab967dcf901d65a48e835fb
  SHA512: 1bd8d0a00dc70936e2238115b41da10f791819e19c6582810132fa8cfca478264a867bdc1f65db278c75358aa7b21b304ac0b9f0aa7d72d0a09080008205ad4e