Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 07-06-2021 16:08
Static task: static1
Behavioral task: behavioral1
- Sample: Invoice ADP70619.js
- Resource: win7v20210410 (windows7_x64)
- 0 signatures, 0 seconds
Behavioral task: behavioral2
- Sample: Invoice ADP70619.js
- Resource: win10v20210410 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: Invoice ADP70619.js
- Size: 3KB
- MD5: 43059a61dd9f2a43b72be4ba04c48104
- SHA1: e79db9eed8cdab5c4b7d3e3ab4ff2663cb8c004e
- SHA256: 32182e80111bcf11598afd083771f670236aa170f125f0d94504280703838c72
- SHA512: 7f898081815bb5f6d55757f73b88dc10eb174464788580d29c4da9ccf160337aa88c31e0049e8081a3732e98311853cd67ab6347bc5d2cdbbc3ec49942174b99
- Score: 10/10
Malware Config
Signatures
- Blocklisted process makes network request (1 IoCs)
  Processes:
    flow | pid  | process
    6    | 1020 | wscript.exe
- Drops startup file (2 IoCs)
  Processes:
    description                  | ioc                                                                                              | process
    File created                 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Invoice ADP70619.js | wscript.exe
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Invoice ADP70619.js | wscript.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
    description     | ioc                                                                                                                                                                                                     | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\3NP6JB1CQ6 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Invoice ADP70619.js\"" | wscript.exe
    Key created     | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run                                                                                          | wscript.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description                      | pid  | process     | target process
    PID 1020 wrote to memory of 1196 | 1020 | wscript.exe | schtasks.exe
    PID 1020 wrote to memory of 1196 | 1020 | wscript.exe | schtasks.exe
    PID 1020 wrote to memory of 1196 | 1020 | wscript.exe | schtasks.exe
Processes
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\Users\Admin\AppData\Local\Temp\Invoice ADP70619.js"
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\schtasks.exe (child of wscript.exe)
    "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\Invoice ADP70619.js
    - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1196-59-0x0000000000000000-mapping.dmp