Analysis
- max time kernel: 155s
- max time network: 166s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 30-08-2021 16:58
Static task: static1
Behavioral task: behavioral1
- Sample: Order inquiry_0374_08_30_21.js
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: Order inquiry_0374_08_30_21.js
- Resource: win10v20210408
General
- Target: Order inquiry_0374_08_30_21.js
- Size: 21KB
- MD5: 9590451d9db0f6b02577b7dbec449850
- SHA1: 997317bed5f018f9ae87d4594d681eef32e8988c
- SHA256: 7385592ac66818d908a5591d21fdf11ad4e8006685bd81009823166d2560db9d
- SHA512: f299ad64205ce9f70b37f8432f538702eb373e939acc666fac511b229f406470d5a62b4ca2abc4eb9aec8bbc96d4e8181f0d88cc22a7d3742b0a5b4e05b18ea9
Malware Config
Signatures
- Blocklisted process makes network request (15 IoCs)
  Processes: wscript.exe
  flow | pid | process
  13   | 644 | wscript.exe
  17   | 644 | wscript.exe
  18   | 644 | wscript.exe
  19   | 644 | wscript.exe
  20   | 644 | wscript.exe
  21   | 644 | wscript.exe
  22   | 644 | wscript.exe
  23   | 644 | wscript.exe
  24   | 644 | wscript.exe
  25   | 644 | wscript.exe
  26   | 644 | wscript.exe
  27   | 644 | wscript.exe
  28   | 644 | wscript.exe
  29   | 644 | wscript.exe
  30   | 644 | wscript.exe
- Drops startup file (1 IoCs)
  Processes: wscript.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Order inquiry_0374_08_30_21.js | wscript.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: wscript.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run | wscript.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\P7EKOWB6GH = "\"C:\\ProgramData\\Order inquiry_0374_08_30_21.js\"" | wscript.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes: wscript.exe
  description | pid | process | target process
  PID 644 wrote to memory of 576 | 644 | wscript.exe | schtasks.exe
  PID 644 wrote to memory of 576 | 644 | wscript.exe | schtasks.exe
Processes
1. C:\Windows\system32\wscript.exe
   Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\Order inquiry_0374_08_30_21.js"
   - Blocklisted process makes network request
   - Drops startup file
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\schtasks.exe (child of 1)
      Command line: "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\ProgramData\Order inquiry_0374_08_30_21.js
      - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix: ATT&CK v6
Downloads
- memory/576-114-0x0000000000000000-mapping.dmp