Analysis
- max time kernel: 138s
- max time network: 182s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 21-08-2021 21:30
Static task: static1
Behavioral task: behavioral1
- Sample: W00902_Invoice_Payment.js
- Resource: win7v20210410
Behavioral task: behavioral2
- Sample: W00902_Invoice_Payment.js
- Resource: win10v20210408
General
- Target: W00902_Invoice_Payment.js
- Size: 12KB
- MD5: 2d59355fbdada25c304edf911a63281d
- SHA1: 2200956e98b3b32e0693ed54af08b3372f541f37
- SHA256: 0fe50396b25c43452630b9cac1e2ddda31a9358cb7be5e8145cf382fc6e8d95c
- SHA512: 27b74c61783b8f97d55f89759bb6407eba558675ae2287f3df1572473b31578a3dd6eaa2222d45fb29b0518602b42a274b56f325447febcff6eac29bd7c498ff
Malware Config
Signatures
- Blocklisted process makes network request (1 IoCs)
  Processes:
  flow | pid  | process
  5    | 1216 | wscript.exe
- Drops startup file (2 IoCs)
  Processes:
  description                  | ioc                                                                                                       | process
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\W00902_Invoice_Payment.js | wscript.exe
  File created                 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\W00902_Invoice_Payment.js | wscript.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
  description     | ioc                                                                                                                                                                             | process
  Key created     | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run                                                                        | wscript.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\O3FNWNFPWY = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\W00902_Invoice_Payment.js\"" | wscript.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  description                     | pid  | process     | target process
  PID 1216 wrote to memory of 844 | 1216 | wscript.exe | schtasks.exe
  PID 1216 wrote to memory of 844 | 1216 | wscript.exe | schtasks.exe
  PID 1216 wrote to memory of 844 | 1216 | wscript.exe | schtasks.exe
Processes
- 1. C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\W00902_Invoice_Payment.js
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - 2. C:\Windows\System32\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\W00902_Invoice_Payment.js
    - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/844-60-0x0000000000000000-mapping.dmp