Analysis
-
max time kernel
149s -
max time network
207s -
platform
windows7_x64 -
resource
win7v20210408 -
submitted
30-08-2021 06:23
Static task
static1
Behavioral task
behavioral1
Sample
Invoice-7.js
Resource
win7v20210408
Behavioral task
behavioral2
Sample
Invoice-7.js
Resource
win10v20210408
General
-
Target
Invoice-7.js
-
Size
26KB
-
MD5
0518c4dcdd42ff9853e7698488b73128
-
SHA1
2207755fb06fae33421089558f89e93912dbe041
-
SHA256
9f3cce73e846d61935128bfbd96014818b9be2d800d3fb13d5649f5eec38df1b
-
SHA512
0d0457f52dedd5c3b24e7d7c0700562c4df3e8a260f96d5e83890a8008a33c3ee00f392697f10fcab5c0c3599dd247042d6713bafd94653cce4ab9165b59e31d
Malware Config
Signatures
-
Blocklisted process makes network request 16 IoCs
Processes:
wscript.exewscript.exeflow pid process 8 1980 wscript.exe 9 472 wscript.exe 10 472 wscript.exe 12 472 wscript.exe 14 472 wscript.exe 15 472 wscript.exe 16 472 wscript.exe 18 472 wscript.exe 19 472 wscript.exe 20 472 wscript.exe 23 472 wscript.exe 25 472 wscript.exe 26 472 wscript.exe 29 472 wscript.exe 30 472 wscript.exe 31 472 wscript.exe -
Drops startup file 2 IoCs
Processes:
wscript.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BzcPYMcTBP.js wscript.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BzcPYMcTBP.js wscript.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
wscript.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\BzcPYMcTBP.js\"" wscript.exe Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run wscript.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
wscript.exedescription pid process target process PID 1980 wrote to memory of 472 1980 wscript.exe wscript.exe PID 1980 wrote to memory of 472 1980 wscript.exe wscript.exe PID 1980 wrote to memory of 472 1980 wscript.exe wscript.exe
Processes
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\Invoice-7.js1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:1980 -
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\BzcPYMcTBP.js"2⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:472
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\BzcPYMcTBP.jsMD5
859e2baede14ce52a245894fb546b02b
SHA105a23854492ef59f0c704c9c8c677ab1eda554e5
SHA25657bd7852e743f0de266aeaee04a94b1bd4fdd16f49355c1959f7a4ccaa7f5606
SHA51229b426ec5279616cfb2777881989e7435a59bb26aca8406a856996e92ca8790a1dd66562a01720dab91b61c17d9dc9b156f07c82a8feb84f6fccda8bb1450a5e
-
memory/472-59-0x0000000000000000-mapping.dmp