Analysis
- max time kernel: 158s
- max time network: 153s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 30-08-2021 00:02
- Static task: static1
- Behavioral task: behavioral1
  Sample: Invoice-2.js
  Resource: win7v20210408
- Behavioral task: behavioral2
  Sample: Invoice-2.js
  Resource: win10v20210408
General
- Target: Invoice-2.js
- Size: 32KB
- MD5: 23d1f183e50e7ea2393fa5eded265813
- SHA1: a85f64b11fe641fd18bb4b79f2779b11dd4c0869
- SHA256: 47fd8e31ecf0c8243056163d6e17962156875c680d534756f4155e478526d2bb
- SHA512: 740fd98898e225fe70f107c21eab6867436054e152e58828be39f0de022fc670150add5b6034a3bae3b91af91dacbfb230d47732c4b4fb7bfefee8a0175fef43
Malware Config
Signatures
- Blocklisted process makes network request (19 IoCs)
  Processes: wscript.exe
  flow  pid   process
  9     1248  wscript.exe
  10    1992  wscript.exe
  12    1248  wscript.exe
  14    1248  wscript.exe
  16    1248  wscript.exe
  18    1248  wscript.exe
  21    1248  wscript.exe
  23    1248  wscript.exe
  25    1248  wscript.exe
  27    1248  wscript.exe
  30    1248  wscript.exe
  32    1248  wscript.exe
  34    1248  wscript.exe
  37    1248  wscript.exe
  39    1248  wscript.exe
  41    1248  wscript.exe
  44    1248  wscript.exe
  47    1248  wscript.exe
  49    1248  wscript.exe
- Drops startup file (2 IoCs)
  Processes: wscript.exe
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MuCMRJfbWc.js (wscript.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MuCMRJfbWc.js (wscript.exe)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: wscript.exe
  - Key created: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run (wscript.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\MuCMRJfbWc.js\"" (wscript.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: wscript.exe
  description                       pid   process      target process
  PID 1920 wrote to memory of 1248  1920  wscript.exe  wscript.exe
  PID 1920 wrote to memory of 1248  1920  wscript.exe  wscript.exe
  PID 1920 wrote to memory of 1248  1920  wscript.exe  wscript.exe
  PID 1920 wrote to memory of 1992  1920  wscript.exe  wscript.exe
  PID 1920 wrote to memory of 1992  1920  wscript.exe  wscript.exe
  PID 1920 wrote to memory of 1992  1920  wscript.exe  wscript.exe
Processes
- C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\Invoice-2.js
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\wscript.exe
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\MuCMRJfbWc.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
  - C:\Windows\System32\wscript.exe
    Command line: "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\VLK.vbs"
    - Blocklisted process makes network request
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\VLK.vbs
  MD5: 6dfc3b5e6d03b18f354fca422f625c72
  SHA1: b62e9bd385f2ab06fc0fa0bcf48ef41b6cd5bc1d
  SHA256: 2f47caad055b12872d1501f273fe4b86bb641a1f9c1f257dcb0c12f70c1870a9
  SHA512: 65dc64def37722cadd37bd0020d18b30697fe36a5a402f775d4bf3975066064264189cb39d09d25d57cfe86ef33b1ce1b16aa8ae8c780bb4e6e80fd794fa0ba9
- C:\Users\Admin\AppData\Roaming\MuCMRJfbWc.js
  MD5: ef6faacbf40e1fe1de245177065a4f68
  SHA1: d3d4baa744b10d39ddb7b4e048e18149d689e47c
  SHA256: 5b5fe15c592a94116c3aca25c92c8e17b16245898bb3557a620449a16091a2d9
  SHA512: dbd55abb487f5860ea4d8517092acd80c508aa69b9a6f6876465d80d5cb8dfdaed02619f6459c23a43781da6d23efc3998a1f9b4c11e2ddbe5b4b1e36a5af9ab
- memory/1248-60-0x0000000000000000-mapping.dmp
- memory/1992-62-0x0000000000000000-mapping.dmp