Analysis
- max time kernel: 137s
- max time network: 179s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 19-06-2021 09:05
Static task: static1

Behavioral task: behavioral1
- Sample: Invoice001.js
- Resource: win7v20210408 (windows7_x64)
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: Invoice001.js
- Resource: win10v20210410 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: Invoice001.js
- Size: 9KB
- MD5: 7ea6e792dbaaaf67e864f7aee557745d
- SHA1: d321bc0bb336dec5e2d7ca27e52717a9eaabb59b
- SHA256: 31a22a19a1ef086c201b20f728673fce60815484e2b1be8bacaa878e74a796e1
- SHA512: 84bb06242aad130ea33eb146acca226a28c286834c8e798241a91c9ca2943a3601bec128cdcfc1ab2de415e860d8c244361ccae55002d8a5ab238df802d5224b
- Score: 10/10
Malware Config
Signatures
Blocklisted process makes network request (1 IoC)
Processes (flow / pid / process):
- flow 5, PID 1120: wscript.exe

Drops startup file (2 IoCs)
Processes (description / ioc / process):
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Invoice001.js (wscript.exe)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Invoice001.js (wscript.exe)

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes (description / ioc / process):
- Key created: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run (wscript.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\VK4NKWEXF7 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Invoice001.js\"" (wscript.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious use of WriteProcessMemory (3 IoCs)
Processes (description / pid / process / target process):
- PID 1120 wrote to memory of 1644: 1120, wscript.exe -> schtasks.exe
- PID 1120 wrote to memory of 1644: 1120, wscript.exe -> schtasks.exe
- PID 1120 wrote to memory of 1644: 1120, wscript.exe -> schtasks.exe
Processes

1. C:\Windows\system32\wscript.exe
   Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\Invoice001.js
   - Blocklisted process makes network request
   - Drops startup file
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory

2. C:\Windows\System32\schtasks.exe
   Command line: "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\Invoice001.js
   - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/1644-60-0x0000000000000000-mapping.dmp