Analysis
max time kernel: 123s
max time network: 179s
platform: windows7_x64
resource: win7v20210408
submitted: 03-06-2021 17:02
Static task
static1
Behavioral task
behavioral1
Sample
D939065332_Invoice.js
Resource
win7v20210408
windows7_x64
0 signatures
0 seconds
General
Target: D939065332_Invoice.js
Size: 3KB
MD5: d4de5dc8ff47ccb10f1465c056da29b7
SHA1: df833e94a7e8613fbbce2b0bb21a0a0176a72371
SHA256: 5491810d64aecff4eb29aa664014704c1cf3687868629ad9156bed5923d5e358
SHA512: 8c2a199cbb6f86b694805df1af8dfa5c666d3cfd280af7d7a853f15babee3a33efc417669cd2e15b354649b631a22507c97a9bfbc4c89ea92d3fdc461bf8c318
Score
10/10
Malware Config
Signatures
-
Blocklisted process makes network request 1 IoCs
Processes:
wscript.exe
flow | pid | process
5 | 332 | wscript.exe
-
Drops startup file 2 IoCs
Processes:
wscript.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\D939065332_Invoice.js | wscript.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\D939065332_Invoice.js | wscript.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
wscript.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run | wscript.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\UKRZWF15HK = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\D939065332_Invoice.js\"" | wscript.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
wscript.exe
description | pid | process | target process
PID 332 wrote to memory of 1244 | 332 | wscript.exe | schtasks.exe
PID 332 wrote to memory of 1244 | 332 | wscript.exe | schtasks.exe
PID 332 wrote to memory of 1244 | 332 | wscript.exe | schtasks.exe
Processes
-
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\D939065332_Invoice.js
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\D939065332_Invoice.js
- Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
memory/1244-59-0x0000000000000000-mapping.dmp