Analysis

Max time kernel: 146s
Max time network: 146s
Platform: windows7_x64
Resource: win7v20201028
Submitted: 05-04-2021 14:27

Static task: static1

Behavioral task: behavioral1
Sample: odk_Order_Receipt.js
Resource: win7v20201028

Behavioral task: behavioral2
Sample: odk_Order_Receipt.js
Resource: win10v20201028
General

Target: odk_Order_Receipt.js
Size: 102KB
MD5: 2f61bc230d26d4d859eba0dbce48017a
SHA1: a36db7281117c9e25ccdef23274ab2a27eb561b2
SHA256: 95a9a156f90360d08a2dab95b21a77bdc614ae73035026aac8993b9b46ae521a
SHA512: 1dcc2aa46ab5da579443301689f517367ddd0569b9609ed48d90b083bc8e97fdae9de82e92d5d0cc8b49b182a361ead93cb3984158af02c0e2ba0534648c63f3
Malware Config
Signatures

Blocklisted process makes network request (1 IoC)
Processes:
  flow 6, PID 644, wscript.exe

Drops startup file (2 IoCs)
Processes:
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\odk_Order_Receipt.js (wscript.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\odk_Order_Receipt.js (wscript.exe)

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  Key created: \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run (wscript.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\UKRZWF15HK = "'C:\\Users\\Admin\\AppData\\Local\\Temp\\odk_Order_Receipt.js'" (wscript.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  PID 644 (wscript.exe) wrote to memory of PID 1352 (schtasks.exe)
  PID 644 (wscript.exe) wrote to memory of PID 1352 (schtasks.exe)
  PID 644 (wscript.exe) wrote to memory of PID 1352 (schtasks.exe)
Processes

1. C:\Windows\system32\wscript.exe
   Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\odk_Order_Receipt.js
   - Blocklisted process makes network request
   - Drops startup file
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\System32\schtasks.exe (child of 1)
      Command line: "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr 'C:\Users\Admin\AppData\Local\Temp\odk_Order_Receipt.js
      - Creates scheduled task(s)
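The three persistence indicators in this report (a copy of the script dropped into the Startup folder, an HKCU Run value pointing at the .js in %TEMP%, and a schtasks /create whose /tr target is that same .js, all originating from one wscript.exe process) translate directly into host-detection logic. The following is an added example and is not part of the sandbox report or its tooling: it runs three rules over constructed events in a simplified Sysmon-like shape and correlates hits per process, so that a single process tripping several persistence rules stands out. The event field names, the rule names, the benign control event and the schtasks command-line parser are assumptions of this example.

```python
import ntpath
import re

# Constructed sample events in a simplified Sysmon-like shape (an assumption of
# this example, not the sandbox's own output), mirroring the report's findings.
SCRIPT_PATH = r"C:\Users\Admin\AppData\Local\Temp\odk_Order_Receipt.js"
USER_SID = "S-1-5-21-3825035466-2522850611-591511364-1000"
RUN_KEY_PREFIX = "\\REGISTRY\\USER\\" + USER_SID + r"\Software\Microsoft\Windows\CurrentVersion\Run"
EVENTS = [
    {"type": "process", "pid": 644, "image": r"C:\Windows\system32\wscript.exe",
     "cmdline": "wscript.exe " + SCRIPT_PATH},
    {"type": "file_create", "pid": 644, "image": r"C:\Windows\system32\wscript.exe",
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\odk_Order_Receipt.js"},
    {"type": "reg_set", "pid": 644, "image": r"C:\Windows\system32\wscript.exe",
     "key": RUN_KEY_PREFIX + r"\UKRZWF15HK",
     "value": "'" + SCRIPT_PATH + "'"},  # the sample wraps the path in literal single quotes
    {"type": "process", "pid": 1352, "ppid": 644, "image": r"C:\Windows\System32\schtasks.exe",
     "parent_image": r"C:\Windows\system32\wscript.exe",
     "cmdline": '"C:\\Windows\\System32\\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr \'' + SCRIPT_PATH + "'"},
    # Benign control (constructed): an installer registering a Run value for a binary under Program Files.
    {"type": "reg_set", "pid": 900, "image": r"C:\Program Files\Vendor\setup.exe",
     "key": RUN_KEY_PREFIX + r"\VendorUpdater",
     "value": r'"C:\Program Files\Vendor\updater.exe"'},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Windows Script Host / HTA file types that should not be auto-started from user-writable paths.
SCRIPT_EXT = re.compile(r"\.(js|jse|vbs|vbe|wsf|wsh|hta)$", re.I)
USER_WRITABLE = re.compile(r"\\(AppData\\Local\\Temp|AppData\\Roaming|Downloads|Public|ProgramData)\\", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
# One token per double-quoted string, single-quoted string, or bare word.
TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|\S+')


def unquote(s):
    """Strip surrounding double or single quotes; schtasks and this sample use both."""
    return s.strip().strip("\"'")


def parse_schtasks(cmdline):
    """Parse a schtasks.exe command line into {switch: value-or-True}.
    An unterminated quote (as in the report's truncated /tr argument) still
    yields the path, because the bare-word alternative of TOKEN catches it."""
    toks = [unquote(t) for t in TOKEN.findall(cmdline)]
    args, i = {}, 0
    while i < len(toks):
        if toks[i].startswith("/"):
            name = toks[i][1:].lower()
            if i + 1 < len(toks) and not toks[i + 1].startswith("/"):
                args[name] = toks[i + 1]
                i += 2
                continue
            args[name] = True
        i += 1
    return args


def check_event(ev):
    """Return [(rule_name, detail), ...] for one event."""
    hits = []
    image = ntpath.basename(ev["image"]).lower()
    if ev["type"] == "file_create" and image in SCRIPT_HOSTS \
            and STARTUP_DIR.search(ev["path"]) and SCRIPT_EXT.search(ev["path"]):
        hits.append(("startup_folder_script_drop", ev["path"]))
    if ev["type"] == "reg_set" and RUN_KEY.search(ev["key"]):
        target = unquote(ev["value"])
        if SCRIPT_EXT.search(target) and USER_WRITABLE.search(target):
            hits.append(("run_key_to_script_in_user_dir", ev["key"] + " -> " + target))
    if ev["type"] == "process" and image == "schtasks.exe":
        args = parse_schtasks(ev["cmdline"])
        target = args.get("tr", "") if isinstance(args.get("tr"), str) else ""
        if "create" in args and SCRIPT_EXT.search(target) and USER_WRITABLE.search(target):
            parent = ntpath.basename(ev.get("parent_image", "")).lower()
            hits.append(("schtasks_create_script_task",
                         "tn=%s sc=%s/%s parent=%s" % (args.get("tn"), args.get("sc"), args.get("mo"), parent)))
    return hits


def scan(events):
    """Run every rule over the event list; return {rule_name: [detail, ...]}."""
    found = {}
    for ev in events:
        for rule, detail in check_event(ev):
            found.setdefault(rule, []).append(detail)
    return found


def persistence_chains(events, min_rules=2):
    """PIDs that trip at least `min_rules` distinct persistence rules.
    A schtasks hit is credited to the parent that spawned schtasks.exe."""
    by_pid = {}
    for ev in events:
        for rule, _ in check_event(ev):
            owner = ev.get("ppid", ev["pid"]) if rule.startswith("schtasks") else ev["pid"]
            by_pid.setdefault(owner, set()).add(rule)
    return {pid: rules for pid, rules in by_pid.items() if len(rules) >= min_rules}


if __name__ == "__main__":
    for rule, details in scan(EVENTS).items():
        print(rule, details)
    print("persistence chains:", persistence_chains(EVENTS))
```

Run stand-alone, the script reports all three rules firing and attributes them to PID 644, while the constructed Program Files Run value stays silent. The per-process correlation is the part worth keeping: any one of these rules fires on legitimate software now and then, but one script host writing a Startup file, a Run value and a scheduled task within a single run is the pattern this sample shows.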