Analysis
- max time kernel: 133s
- max time network: 135s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 29-04-2021 18:04
Static task: static1
Behavioral task: behavioral1
- Sample: Invoice B2023B.js
- Resource: win7v20210410 (windows7_x64)
- 0 signatures, 0 seconds
Behavioral task: behavioral2
- Sample: Invoice B2023B.js
- Resource: win10v20210410 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: Invoice B2023B.js
- Size: 3KB
- MD5: 0d155eb2cdaf42d5f145343cb3dd09ad
- SHA1: d9499f3e148c1426961adcccb42f2f1c89d9c6fb
- SHA256: a7aea824310617598f8685bdb14a01fd962d3cb7a80227f434025540f6f43a2d
- SHA512: 76881dc768bba5bae6edfea142986b48022e4c67e03fc8ab9cc1599fe81b2d14b429682990ff7c9885a6e797c01c6d8f91f86220e2361f992375fd4552eaba87
Score: 10/10
Malware Config
Signatures
- Blocklisted process makes network request (1 IoCs)
  Processes: wscript.exe
  flow | pid | process
  5 | 1100 | wscript.exe
- Drops startup file (2 IoCs)
  Processes: wscript.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Invoice B2023B.js | wscript.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Invoice B2023B.js | wscript.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: wscript.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run | wscript.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\CWI41JI7HU = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Invoice B2023B.js\"" | wscript.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: wscript.exe
  description | pid | process | target process
  PID 1100 wrote to memory of 1708 | 1100 | wscript.exe | schtasks.exe
  PID 1100 wrote to memory of 1708 | 1100 | wscript.exe | schtasks.exe
  PID 1100 wrote to memory of 1708 | 1100 | wscript.exe | schtasks.exe
Processes
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\Users\Admin\AppData\Local\Temp\Invoice B2023B.js"
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\Invoice B2023B.js
    - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1708-59-0x0000000000000000-mapping.dmp