Analysis
Max time kernel: 143s
Max time network: 146s
Platform: windows10_x64
Resource: win10v20210408
Submitted: 13-04-2021 03:31
Static task: static1
Behavioral task: behavioral1
  Sample: Invoice.js
  Resource: win7v20210410 (windows7_x64)
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: Invoice.js
  Resource: win10v20210408 (windows10_x64)
  0 signatures, 0 seconds
General
Target: Invoice.js
Size: 3KB
MD5: 015f5153e12c7c2af015276690188d1c
SHA1: c2a1a42b90ff4235898d92b68a4b3217a0321d4c
SHA256: de9b4dcb5d1d41d031f4e66730d9dd51f4b447d66d736c6219bb5e5d02d27f2d
SHA512: 7a540e840eae97e2c80d02017ae3a4d5e931e2f47a3b520106de59292fb64935e6ab3666be470ff0d8a0a8a4c8c1df1f4b097e9840a4da4cf34d981e10988419
Score: 10/10
Malware Config
Signatures
- Blocklisted process makes network request (17 IoCs)
  Processes (flow id, pid, process): flows 7, 12, 15, 17, 18, 19, 20, 21, 22, 23, 24, 25, 27, 28, 29, 31 and 32, all from PID 3260 wscript.exe
- Drops startup file (1 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Invoice.js (process: wscript.exe)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Key created: \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run (process: wscript.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\AJX04XO7JW = "\"C:\\Users\\Admin\\AppData\\Roaming\\Invoice.js\"" (process: wscript.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious use of WriteProcessMemory (2 IoCs)
  PID 3260 wscript.exe wrote to memory of PID 1396 schtasks.exe (2 entries)
Processes
1. C:\Windows\system32\wscript.exe
   Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\Invoice.js
   - Blocklisted process makes network request
   - Drops startup file
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
2. C:\Windows\System32\schtasks.exe (child of process 1)
   Command line: "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\Invoice.js
   - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/1396-114-0x0000000000000000-mapping.dmp