Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 24-03-2021 14:45
Static task: static1
Behavioral task: behavioral1
- Sample: INVOICEPO.js
- Resource: win7v20201028 (windows7_x64)
- 0 signatures, 0 seconds
Behavioral task: behavioral2
- Sample: INVOICEPO.js
- Resource: win10v20201028 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: INVOICEPO.js
- Size: 3KB
- MD5: 63b736392f35d1b9309dfe20a0e2d8dc
- SHA1: a1500ae4b662aa28d60f962dbd3b3bd6b06c48a6
- SHA256: 606656c147d1ea9f8018334f622aff12dddbbb286664617d0e637fd8890c9ed1
- SHA512: 438f7434c3b071fb7fe9b7956724c68c1f012b0442d34dc65010f9d015955f61dff9e057bb879ee5863e82d3a1935df6b48ae88395075b3c4b2af7881d635e0a
- Score: 10/10
Malware Config
Signatures
- Blocklisted process makes network request (1 IoC)
  Processes (flow / pid / process): 6 / 912 / wscript.exe
- Drops startup file (2 IoCs)
  Processes (description / ioc / process):
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\INVOICEPO.js (wscript.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\INVOICEPO.js (wscript.exe)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description / ioc / process):
  Key created: \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run (wscript.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\Z7HOBN3PPI = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\INVOICEPO.js\"" (wscript.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Downloads
- memory/1624-2-0x000007FEF7850000-0x000007FEF7ACA000-memory.dmp (filesize: 2.5MB)