Analysis
- max time kernel: 153s
- max time network: 161s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 30-08-2021 16:58
Static task: static1
Behavioral task: behavioral1
- Sample: Order inquiry_0374_08_30_21.js
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: Order inquiry_0374_08_30_21.js
- Resource: win10v20210408
General
- Target: Order inquiry_0374_08_30_21.js
- Size: 21KB
- MD5: 9590451d9db0f6b02577b7dbec449850
- SHA1: 997317bed5f018f9ae87d4594d681eef32e8988c
- SHA256: 7385592ac66818d908a5591d21fdf11ad4e8006685bd81009823166d2560db9d
- SHA512: f299ad64205ce9f70b37f8432f538702eb373e939acc666fac511b229f406470d5a62b4ca2abc4eb9aec8bbc96d4e8181f0d88cc22a7d3742b0a5b4e05b18ea9
Malware Config
Signatures
-
Blocklisted process makes network request 15 IoCs
Processes: wscript.exe
flow | pid | process
6 | 2032 | wscript.exe
7 | 2032 | wscript.exe
8 | 2032 | wscript.exe
10 | 2032 | wscript.exe
11 | 2032 | wscript.exe
12 | 2032 | wscript.exe
14 | 2032 | wscript.exe
15 | 2032 | wscript.exe
16 | 2032 | wscript.exe
18 | 2032 | wscript.exe
19 | 2032 | wscript.exe
20 | 2032 | wscript.exe
22 | 2032 | wscript.exe
23 | 2032 | wscript.exe
24 | 2032 | wscript.exe
-
Drops startup file 1 IoCs
Processes: wscript.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Order inquiry_0374_08_30_21.js | wscript.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes: wscript.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run | wscript.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\P7EKOWB6GH = "\"C:\\ProgramData\\Order inquiry_0374_08_30_21.js\"" | wscript.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes: wscript.exe
description | pid | process | target process
PID 2032 wrote to memory of 1776 | 2032 | wscript.exe | schtasks.exe
PID 2032 wrote to memory of 1776 | 2032 | wscript.exe | schtasks.exe
PID 2032 wrote to memory of 1776 | 2032 | wscript.exe | schtasks.exe
Processes
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\Users\Admin\AppData\Local\Temp\Order inquiry_0374_08_30_21.js"
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\ProgramData\Order inquiry_0374_08_30_21.js
    - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
memory/1776-60-0x0000000000000000-mapping.dmp