Analysis
- max time kernel: 147s
- max time network: 152s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 01-07-2021 16:02
Static task: static1
Behavioral task: behavioral1
- Sample: Inoice #022392.js
- Resource: win7v20210408 (windows7_x64)
- 0 signatures, 0 seconds
Behavioral task: behavioral2
- Sample: Inoice #022392.js
- Resource: win10v20210410 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: Inoice #022392.js
- Size: 3KB
- MD5: 8f5e8de1f67cff6eaf2842d8a9d38fa5
- SHA1: 73c5d2068856ddd941e75ae3dc15879821552276
- SHA256: b021b6f11e1b6ae8110693f27e0d1f638b1d7ec2e51b2f74a17acf29bf457190
- SHA512: 38e2af31212253d73f874f38bcafb589fcedbf0c9f7a28247944ee4b96a3590a67bbb027beded3a084fcf29e9a8cdf63a9347d50c914d741d4ca7e78c8027669
Score: 10/10
Malware Config
Signatures
- Blocklisted process makes network request (4 IoCs)
  Processes: wscript.exe
  flow | pid | process
  5 | 940 | wscript.exe
  6 | 940 | wscript.exe
  7 | 940 | wscript.exe
  8 | 940 | wscript.exe
- Drops startup file (2 IoCs)
  Processes: wscript.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Inoice #022392.js | wscript.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Inoice #022392.js | wscript.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: wscript.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run | wscript.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\IHQI1BOYEF = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Inoice #022392.js\"" | wscript.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: wscript.exe
  description | pid | process | target process
  PID 940 wrote to memory of 1852 | 940 | wscript.exe | schtasks.exe
  PID 940 wrote to memory of 1852 | 940 | wscript.exe | schtasks.exe
  PID 940 wrote to memory of 1852 | 940 | wscript.exe | schtasks.exe
Processes
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\Users\Admin\AppData\Local\Temp\Inoice #022392.js"
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\Inoice #022392.js
  - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1852-59-0x0000000000000000-mapping.dmp