Analysis
- max time kernel: 149s
- max time network: 153s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 30-08-2021 00:02
Static task: static1
Behavioral task: behavioral1
  Sample: Invoice-2.js
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: Invoice-2.js
  Resource: win10v20210408
General
- Target: Invoice-2.js
- Size: 32KB
- MD5: 23d1f183e50e7ea2393fa5eded265813
- SHA1: a85f64b11fe641fd18bb4b79f2779b11dd4c0869
- SHA256: 47fd8e31ecf0c8243056163d6e17962156875c680d534756f4155e478526d2bb
- SHA512: 740fd98898e225fe70f107c21eab6867436054e152e58828be39f0de022fc670150add5b6034a3bae3b91af91dacbfb230d47732c4b4fb7bfefee8a0175fef43
Malware Config
Signatures
- Blocklisted process makes network request (19 IoCs)
  Processes: wscript.exe, wscript.exe
  flow  pid   process
  9     3888  wscript.exe
  10    3984  wscript.exe
  18    3984  wscript.exe
  19    3984  wscript.exe
  20    3984  wscript.exe
  21    3984  wscript.exe
  22    3984  wscript.exe
  23    3984  wscript.exe
  24    3984  wscript.exe
  25    3984  wscript.exe
  26    3984  wscript.exe
  27    3984  wscript.exe
  28    3984  wscript.exe
  29    3984  wscript.exe
  30    3984  wscript.exe
  31    3984  wscript.exe
  32    3984  wscript.exe
  33    3984  wscript.exe
  34    3984  wscript.exe
- Drops startup file (2 IoCs)
  Processes: wscript.exe
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MuCMRJfbWc.js (process: wscript.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MuCMRJfbWc.js (process: wscript.exe)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: wscript.exe
  - Key created: \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run (process: wscript.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\MuCMRJfbWc.js\"" (process: wscript.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: wscript.exe
  - PID 740 wrote to memory of 3984 (pid 740, process: wscript.exe, target process: wscript.exe)
  - PID 740 wrote to memory of 3984 (pid 740, process: wscript.exe, target process: wscript.exe)
  - PID 740 wrote to memory of 3888 (pid 740, process: wscript.exe, target process: wscript.exe)
  - PID 740 wrote to memory of 3888 (pid 740, process: wscript.exe, target process: wscript.exe)
Processes
- C:\Windows\system32\wscript.exe (tree level 1)
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\Invoice-2.js
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\System32\wscript.exe (tree level 2)
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\MuCMRJfbWc.js"
    Signatures: Blocklisted process makes network request; Drops startup file; Adds Run key to start application
  - C:\Windows\System32\wscript.exe (tree level 2)
    Command line: "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\VLK.vbs"
    Signatures: Blocklisted process makes network request
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\VLK.vbs
  MD5: 6dfc3b5e6d03b18f354fca422f625c72
  SHA1: b62e9bd385f2ab06fc0fa0bcf48ef41b6cd5bc1d
  SHA256: 2f47caad055b12872d1501f273fe4b86bb641a1f9c1f257dcb0c12f70c1870a9
  SHA512: 65dc64def37722cadd37bd0020d18b30697fe36a5a402f775d4bf3975066064264189cb39d09d25d57cfe86ef33b1ce1b16aa8ae8c780bb4e6e80fd794fa0ba9
- C:\Users\Admin\AppData\Roaming\MuCMRJfbWc.js
  MD5: ef6faacbf40e1fe1de245177065a4f68
  SHA1: d3d4baa744b10d39ddb7b4e048e18149d689e47c
  SHA256: 5b5fe15c592a94116c3aca25c92c8e17b16245898bb3557a620449a16091a2d9
  SHA512: dbd55abb487f5860ea4d8517092acd80c508aa69b9a6f6876465d80d5cb8dfdaed02619f6459c23a43781da6d23efc3998a1f9b4c11e2ddbe5b4b1e36a5af9ab
- memory/3888-115-0x0000000000000000-mapping.dmp
- memory/3984-114-0x0000000000000000-mapping.dmp