Analysis
max time kernel: 598s
max time network: 601s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-05-2023 15:46
Static task: static1
Behavioral task: behavioral1
  Sample: Bank_Credit_authorization_letter_pdf.js
  Resource: win10-20230220-en
Behavioral task: behavioral2
  Sample: Bank_Credit_authorization_letter_pdf.js
  Resource: win10v2004-20230220-en
General
Target: Bank_Credit_authorization_letter_pdf.js
Size: 237KB
MD5: 244939587914af01d24ef6a3e14581af
SHA1: 45ec0fb28d93363e9e17818bc7cfaafdc3c680b1
SHA256: b9ecbdc46ba03daf23a6b2c0a32b6c950bef2d1d4ab967dcf901d65a48e835fb
SHA512: 1bd8d0a00dc70936e2238115b41da10f791819e19c6582810132fa8cfca478264a867bdc1f65db278c75358aa7b21b304ac0b9f0aa7d72d0a09080008205ad4e
SSDEEP: 3072:MhYgNripx58ev3jK5Kk00LvVPdTg9r2e9XSg6ZSjglFfgKCuAQkvXI0:MEx5jv324tYvtdTUNsxZ9lFoKCuAlXl
Malware Config
Signatures
- Blocklisted process makes network request (64 IoCs)
- Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bank_Credit_authorization_letter_pdf.js (process: wscript.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bank_Credit_authorization_letter_pdf.js (process: wscript.exe)
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 1: ip-api.com
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bank_Credit_authorization_letter_pdf.js
  Filesize: 237KB
  MD5: 244939587914af01d24ef6a3e14581af
  SHA1: 45ec0fb28d93363e9e17818bc7cfaafdc3c680b1
  SHA256: b9ecbdc46ba03daf23a6b2c0a32b6c950bef2d1d4ab967dcf901d65a48e835fb
  SHA512: 1bd8d0a00dc70936e2238115b41da10f791819e19c6582810132fa8cfca478264a867bdc1f65db278c75358aa7b21b304ac0b9f0aa7d72d0a09080008205ad4e