Analysis

Max time kernel: 135s
Max time network: 138s
Platform: windows7_x64
Resource: win7v20210408
Submitted: 15-04-2021 17:52

Static task: static1

Behavioral task: behavioral1
Sample: dcfbOrderReceipt.js
Resource: win7v20210408 (windows7_x64)
0 signatures, 0 seconds

Behavioral task: behavioral2
Sample: dcfbOrderReceipt.js
Resource: win10v20210410 (windows10_x64)
0 signatures, 0 seconds
General

Target: dcfbOrderReceipt.js
Size: 100KB
MD5: 5a4a84e1a479495eb777655eda9079d0
SHA1: 8e7174ee55fa09fc7943c4e7116077354696de00
SHA256: fe600a14c248e3b48d78d1d5672e666f4de42a43e741c052a679b70ba21db345
SHA512: dc5662bb79e7faf0dcb1c5c621173fd7f864872c26e8ad2e1cafc02ac1ea9a9fecee05bb122a35846e3643d2d23cc9702d6ab0b443b4040354c2d2124af21475
Score: 10/10
Malware Config
Signatures

Blocklisted process makes network request (1 IoC)
Processes: wscript.exe
- flow 7, PID 1820, process wscript.exe

Drops startup file (2 IoCs)
Processes: wscript.exe
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dcfbOrderReceipt.js (wscript.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dcfbOrderReceipt.js (wscript.exe)

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: wscript.exe
- Key created: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run (wscript.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\UKRZWF15HK = "'C:\\Users\\Admin\\AppData\\Local\\Temp\\dcfbOrderReceipt.js'" (wscript.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious use of WriteProcessMemory (3 IoCs)
Processes: wscript.exe
- PID 1820 (wscript.exe) wrote to memory of PID 668 (schtasks.exe)
- PID 1820 (wscript.exe) wrote to memory of PID 668 (schtasks.exe)
- PID 1820 (wscript.exe) wrote to memory of PID 668 (schtasks.exe)
Processes

Process 1: C:\Windows\system32\wscript.exe
Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\dcfbOrderReceipt.js
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory

Process 2 (child of process 1): C:\Windows\System32\schtasks.exe
Command line: "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr 'C:\Users\Admin\AppData\Local\Temp\dcfbOrderReceipt.js
- Creates scheduled task(s)