Analysis
max time kernel: 162s
max time network: 206s
platform: windows7_x64
resource: win7v20210408
submitted: 30-08-2021 06:14
Static task: static1
Behavioral task: behavioral1 (sample CSBM_Invoice-m567.js, resource win7v20210408)
Behavioral task: behavioral2 (sample CSBM_Invoice-m567.js, resource win10v20210408)
General
Target: CSBM_Invoice-m567.js
Size: 23KB
MD5: ef55fb87afa217b3e8852fba9f6254a4
SHA1: 8bbcf900a8bffc595c56d02f5cc6bf156e48900e
SHA256: be9f6db4ab45c053b4abed96b5c9f6729603831bb0087229af68417a5b6414b8
SHA512: 491c96096b48a8fd164ff9761914a62043175ccfaebdf545b868492e8f78ca12a0a59cc04f78f4ab2a384091aae8d16c5dc4f392edb18e832c0716ae1e336cb2
Malware Config
Signatures

Blocklisted process makes network request (19 IoCs)
flow  pid   process
7     1328  wscript.exe
11    1668  wscript.exe
12    1328  wscript.exe
13    1328  wscript.exe
14    1328  wscript.exe
16    1668  wscript.exe
18    1668  wscript.exe
21    1668  wscript.exe
22    1668  wscript.exe
25    1668  wscript.exe
28    1668  wscript.exe
30    1668  wscript.exe
31    1668  wscript.exe
34    1668  wscript.exe
37    1668  wscript.exe
39    1668  wscript.exe
42    1668  wscript.exe
44    1668  wscript.exe
46    1668  wscript.exe

Drops startup file (2 IoCs)
description | ioc | process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OTzyMlFsEE.js | wscript.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OTzyMlFsEE.js | wscript.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run | wscript.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\OTzyMlFsEE.js\"" | wscript.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | process | target process
PID 1328 wrote to memory of 1668 | 1328 | wscript.exe | wscript.exe
PID 1328 wrote to memory of 1668 | 1328 | wscript.exe | wscript.exe
PID 1328 wrote to memory of 1668 | 1328 | wscript.exe | wscript.exe
Processes

1. C:\Windows\system32\wscript.exe
   Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\CSBM_Invoice-m567.js
   PID: 1328
   - Blocklisted process makes network request
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\System32\wscript.exe (child of PID 1328)
      Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\OTzyMlFsEE.js"
      PID: 1668
      - Blocklisted process makes network request
      - Drops startup file
      - Adds Run key to start application

Note on the child command line: the WSH //B switch is batch mode, which suppresses script error dialogs and input prompts, so the dropped copy in AppData\Roaming runs without any visible window. The same path is what the Run key value SEJOKAOI5S points at, and the Startup-folder copy gives a second, independent autostart.
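The chain the report records (wscript.exe re-launching a dropped .js from AppData\Roaming with //B, a Run key value pointing at that script, a second copy in the Startup folder, and network requests from the script host) is what a host-based detection would key on. The block below is an added example, not part of the sandbox report, that expresses those checks as detection logic in Python and runs them over constructed Sysmon-style events built from the report's own IoCs. The event field names, the NetworkConnect destination (203.0.113.10) and the benign cscript.exe control event are assumptions for illustration and do not appear in the report.

```python
"""Detection logic for the persistence and execution pattern in this report,
run over constructed Sysmon-style events. Added example, not report content."""
import re
from pathlib import PureWindowsPath

SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
USER_WRITABLE_RE = re.compile(r"\\AppData\\|\\Users\\Public\\|\\Temp\\", re.I)


def basename(path):
    """Lower-cased final path component ('' for an empty path)."""
    return PureWindowsPath(path).name.lower()


def cmdline_tokens(cmdline):
    """Split a Windows command line into tokens, keeping quoted paths whole."""
    return [q or u for q, u in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def is_script(path):
    """True if the path has a Windows Script Host extension."""
    return PureWindowsPath(path).suffix.lower() in SCRIPT_EXTS


def check_event(ev):
    """Return (rule, detail) findings for one event dict; [] if it looks benign."""
    findings = []
    kind = ev["Event"]
    if kind == "ProcessCreate" and basename(ev["Image"]) in SCRIPT_HOSTS:
        toks = cmdline_tokens(ev["CommandLine"])
        # WSH '//B' is batch mode: script errors and prompts are suppressed.
        silent = any(t.lower() in ("//b", "/b") for t in toks)
        for script in filter(is_script, toks):
            if USER_WRITABLE_RE.search(script):
                findings.append(("script_host_user_writable", script))
            if silent:
                findings.append(("script_host_silent", script))
        if basename(ev.get("ParentImage", "")) in SCRIPT_HOSTS:
            findings.append(("script_host_spawns_script_host", ev["CommandLine"]))
    elif kind == "RegistryValueSet" and RUN_KEY_RE.search(ev["TargetObject"]):
        # Run/RunOnce value whose data names a script file.
        if any(is_script(t) for t in cmdline_tokens(ev["Details"])):
            findings.append(("run_key_script", ev["TargetObject"]))
    elif kind == "FileCreate" and STARTUP_RE.search(ev["TargetFilename"]):
        if is_script(ev["TargetFilename"]):
            findings.append(("startup_folder_script", ev["TargetFilename"]))
    elif kind == "NetworkConnect" and basename(ev["Image"]) in SCRIPT_HOSTS:
        findings.append(("script_host_network", ev["Image"]))
    return findings


def scan(events):
    """Run check_event over a sequence of events and collect all findings."""
    return [f for ev in events for f in check_event(ev)]


# Constructed events modelled on this report's IoCs (Sysmon-style field names
# are an assumption). The network destination and the last, benign event are
# made up for illustration; the report lists neither.
EVENTS = [
    {"Event": "ProcessCreate",
     "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\OTzyMlFsEE.js"'},
    {"Event": "FileCreate",
     "Image": r"C:\Windows\System32\wscript.exe",
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OTzyMlFsEE.js"},
    {"Event": "RegistryValueSet",
     "Image": r"C:\Windows\System32\wscript.exe",
     "TargetObject": r"\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S",
     "Details": r'"C:\Users\Admin\AppData\Roaming\OTzyMlFsEE.js"'},
    {"Event": "NetworkConnect",
     "Image": r"C:\Windows\System32\wscript.exe",
     "DestinationIp": "203.0.113.10"},
    {"Event": "ProcessCreate",
     "Image": r"C:\Windows\System32\cscript.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe",
     "CommandLine": r"cscript.exe C:\Windows\System32\slmgr.vbs /dlv"},
]

if __name__ == "__main__":
    for rule, detail in scan(EVENTS):
        print(f"{rule:32} {detail}")
```

The control event (a system .vbs run by cscript.exe from System32 without //B) produces no finding, which is the point of keying on the user-writable location and the batch switch rather than on the script host alone.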
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Roaming\OTzyMlFsEE.js
MD5: f6f3498b20a2bcf3e8936ff1157ccd25
SHA1: 2933a45dcd0d39b926f0dadf65b2d8003288b488
SHA256: 24976e6f497b871e0697069df4bc110b4c2bd246d85934b9debfa9ce7a200f5b
SHA512: 1d1a11f84c9c72d87d98c3ac931b848dd8684ac91bb47d9199942544cfbc0fd94ed08c5e8fd8e54bbb3e6065f6e934023d3793697b0e7113ac5902e8ce1dad70

memory/1668-60-0x0000000000000000-mapping.dmp