Analysis
max time kernel: 136s
max time network: 149s
platform: windows7_x64
resource: win7v20210410
submitted: 20-04-2021 19:04
Static task: static1
Behavioral task: behavioral1
  Sample: invoice ADP55192.js
  Resource: win7v20210410 (windows7_x64)
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: invoice ADP55192.js
  Resource: win10v20210408 (windows10_x64)
  0 signatures, 0 seconds
General
Target: invoice ADP55192.js
Size: 3KB
MD5: fde76f715ef9998d15cd7a628eb5e0c8
SHA1: 2d3b29ad2314b28c2e716b129bd01cb8fa5c791f
SHA256: f70d57a798b932543ba16872ae572f41277b498df1bb6b9a851cf950e4df0f98
SHA512: d0eeb87421a635652cb07e8ff3267b45be3dd7784754c06467219282b74220a51353982ffc3899084790dffe9dc1cbf548f674b4c66da0ad8397ce6b7609ccd6
Score: 10/10
Malware Config
Signatures
Blocklisted process makes network request (1 IoC)
  wscript.exe (PID 1864), network flow 6
Drops startup file (2 IoCs)
  wscript.exe: File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\invoice ADP55192.js
  wscript.exe: File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\invoice ADP55192.js
Adds Run key to start application (2 TTPs, 2 IoCs)
  wscript.exe: Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run
  wscript.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\O2J71MVW3W = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\invoice ADP55192.js\""
  The value is the bare quoted path of the script in %TEMP%, so at this user's logon it is launched through the .js file association (wscript.exe by default) rather than through an explicit host binary.
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  This is the signature's generic description text. Nothing else in this report supports ransomware: the sample is a 3KB script whose observed actions are persistence and a single network request.
Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious use of WriteProcessMemory (3 IoCs)
  wscript.exe (PID 1864) wrote to the memory of PID 316 (schtasks.exe), three times. All three writes target the just-spawned child; the security-relevant point is the parent/child pairing (a script host launching schtasks), not injection into an unrelated process.
Processes
C:\Windows\system32\wscript.exe  wscript.exe "C:\Users\Admin\AppData\Local\Temp\invoice ADP55192.js"  (PID 1864)
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  C:\Windows\System32\schtasks.exe  "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\invoice ADP55192.js  (PID 316, child of 1864; command line as captured, with no closing quote on the /tr argument)
    - Creates scheduled task(s)

Net effect: the same script in %TEMP% is re-launched by three independent mechanisms: the Startup-folder copy (at logon), the HKCU Run value O2J71MVW3W (at logon), and the scheduled task named Skype (every 30 minutes, /sc minute /mo 30). Cleaning up only one of them leaves the sample running.
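The persistence chain in the process tree above, turned into detection logic. This is an added example, not part of the sandbox report: it runs over constructed Sysmon-style process-creation and registry events (a dict per event; the PIDs, image paths, the Run value O2J71MVW3W and the "Skype" task are copied from this report, the parent PID 1200 and the benign "Backup" task are made up as controls). It flags schtasks /create calls whose parent is a script host or whose /tr action is a script under a user-writable path, and Run values that point at such a script.

```python
from dataclasses import dataclass

# Constructed events in a Sysmon-like shape (not sandbox output). PIDs 1864/316,
# the Run value and the task name mirror the report; ppid 1200 and the benign
# "Backup" task (pid 4000) are invented controls.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 1864, "ppid": 1200,
     "image": r"C:\Windows\system32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\Admin\AppData\Local\Temp\invoice ADP55192.js"'},
    {"type": "process", "pid": 316, "ppid": 1864,
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 '
                r'/tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\invoice ADP55192.js"'},
    {"type": "registry", "pid": 1864,
     "image": r"C:\Windows\system32\wscript.exe",
     "key": r"HKU\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\O2J71MVW3W",
     "value": r'"C:\Users\Admin\AppData\Local\Temp\invoice ADP55192.js"'},
    {"type": "process", "pid": 4000, "ppid": 3000,  # benign control: task -> system binary
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /sc daily /tn Backup /tr "C:\Program Files\Backup\backup.exe"'},
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe")
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta")
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                 "\\users\\public\\", "\\downloads\\")


def split_cmdline(cmdline):
    """Split a Windows command line on whitespace, honouring double quotes.
    Backslashes are literal (path separators, not escapes), and an unterminated
    quote, as in the truncated capture above, swallows the rest as one token."""
    tokens, cur, in_quote = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def schtasks_create_opts(tokens):
    """Map the /option values of a 'schtasks /create' command line, e.g.
    {'create': True, 'sc': 'minute', 'mo': '30', 'tn': 'Skype', 'tr': '...'}.
    Returns None for any other schtasks verb (/query, /delete, ...)."""
    opts, i = {}, 1  # tokens[0] is the schtasks image itself
    while i < len(tokens):
        if tokens[i].startswith("/"):
            key = tokens[i][1:].lower()
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                opts[key] = tokens[i + 1]
                i += 2
                continue
            opts[key] = True
        i += 1
    return opts if "create" in opts else None


def is_user_writable_script(path):
    """True when path names a script-host file under a user-writable directory."""
    p = path.strip('"').lower()
    return p.endswith(SCRIPT_EXTS) and any(d in p for d in USER_WRITABLE)


@dataclass
class Finding:
    rule: str
    pid: int
    detail: str


def detect(events):
    """Flag scheduled-task and Run-key persistence that points at a script in a
    user-writable path, or that a script host created (the chain in this report)."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    findings = []
    for e in events:
        if e["type"] == "process" and e["image"].lower().endswith("schtasks.exe"):
            opts = schtasks_create_opts(split_cmdline(e["cmdline"]))
            if opts is None:
                continue
            action = opts.get("tr", "")
            parent = procs.get(e["ppid"])
            parent_is_host = parent is not None and parent["image"].lower().endswith(SCRIPT_HOSTS)
            if parent_is_host or is_user_writable_script(action):
                findings.append(Finding("schtasks_script_persistence", e["pid"],
                                        f"task {opts.get('tn')} every {opts.get('mo')} {opts.get('sc')} -> {action}"))
        elif e["type"] == "registry" and "\\currentversion\\run\\" in e["key"].lower():
            if is_user_writable_script(e["value"]):
                name = e["key"].rsplit("\\", 1)[-1]
                findings.append(Finding("run_key_script_persistence", e["pid"], f"{name} -> {e['value']}"))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.rule}] pid={f.pid} {f.detail}")
```

On the constructed events this yields two findings (the Skype task from PID 316 and the O2J71MVW3W Run value from PID 1864) and nothing for the benign task. The tokenizer deliberately tolerates the missing closing quote seen in the captured schtasks line, so the /tr path is still recovered from a truncated log.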
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
memory/316-60-0x0000000000000000-mapping.dmp (memory dump of PID 316, schtasks.exe, going by the file name)