Analysis
- max time kernel: 136s
- max time network: 147s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 07-05-2021 15:02
Static task: static1
Behavioral task: behavioral1
- Sample: Invoice.js
- Resource: win7v20210410
- Platform: windows7_x64
- 0 signatures
- 0 seconds
Behavioral task: behavioral2
- Sample: Invoice.js
- Resource: win10v20210408
- Platform: windows10_x64
- 0 signatures
- 0 seconds
General
- Target: Invoice.js
- Size: 3KB
- MD5: 29805cb77711c2d3ce8f364ade7996d6
- SHA1: d22674b1971799ed5c5cbc54fd5b14de98ac1d96
- SHA256: 0ddfa19149e6fe2a1a8357b7019d5c2debcea3d5abd6739c0a9c16a989785a4a
- SHA512: 6b9ad6d698de973e6592144a0dc7d692525d9fcbb3a12cdcd4645d3c3b64863f1831bbea50300b76595ee6e6a5129738dedfd9bef6e3c93d23b9958fd82fbd3a
- Score: 10/10
Malware Config
Signatures
- Blocklisted process makes network request (1 IoCs)
  Processes:
    flow: 5 | pid: 1996 | process: wscript.exe
- Drops startup file (2 IoCs)
  Processes:
    File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Invoice.js | process: wscript.exe
    File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Invoice.js | process: wscript.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
    Set value (str): \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\5NJ8WG0CSO = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Invoice.js\"" | process: wscript.exe
    Key created: \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run | process: wscript.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    PID 1996 wrote to memory of 1608 | pid: 1996 | process: wscript.exe | target process: schtasks.exe
    PID 1996 wrote to memory of 1608 | pid: 1996 | process: wscript.exe | target process: schtasks.exe
    PID 1996 wrote to memory of 1608 | pid: 1996 | process: wscript.exe | target process: schtasks.exe
Processes
- C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\Invoice.js
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\schtasks.exe (child of wscript.exe)
    Command line: "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\Invoice.js
    - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
memory/1608-59-0x0000000000000000-mapping.dmp