Analysis
max time kernel: 150s
max time network: 195s
platform: windows7_x64
resource: win7v20210408
submitted: 30-08-2021 12:52
Static task: static1
Behavioral task: behavioral1
  Sample: Order inquiry_0374_08_30_21.js
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: Order inquiry_0374_08_30_21.js
  Resource: win10v20210408
General
Target: Order inquiry_0374_08_30_21.js
Size: 21KB
MD5: 9590451d9db0f6b02577b7dbec449850
SHA1: 997317bed5f018f9ae87d4594d681eef32e8988c
SHA256: 7385592ac66818d908a5591d21fdf11ad4e8006685bd81009823166d2560db9d
SHA512: f299ad64205ce9f70b37f8432f538702eb373e939acc666fac511b229f406470d5a62b4ca2abc4eb9aec8bbc96d4e8181f0d88cc22a7d3742b0a5b4e05b18ea9
Malware Config
Signatures
Blocklisted process makes network request (17 IoCs)
Processes (flow | pid | process):
6  | 1984 | wscript.exe
7  | 1984 | wscript.exe
8  | 1984 | wscript.exe
10 | 1984 | wscript.exe
11 | 1984 | wscript.exe
12 | 1984 | wscript.exe
14 | 1984 | wscript.exe
15 | 1984 | wscript.exe
16 | 1984 | wscript.exe
18 | 1984 | wscript.exe
19 | 1984 | wscript.exe
20 | 1984 | wscript.exe
22 | 1984 | wscript.exe
23 | 1984 | wscript.exe
24 | 1984 | wscript.exe
26 | 1984 | wscript.exe
27 | 1984 | wscript.exe
Drops startup file (1 IoCs)
Processes (description | ioc | process):
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Order inquiry_0374_08_30_21.js | wscript.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes (description | ioc | process):
Key created     | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run | wscript.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\P7EKOWB6GH = "\"C:\\ProgramData\\Order inquiry_0374_08_30_21.js\"" | wscript.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious use of WriteProcessMemory (3 IoCs)
Processes (description | pid | process | target process):
PID 1984 wrote to memory of 516 | 1984 | wscript.exe | schtasks.exe
PID 1984 wrote to memory of 516 | 1984 | wscript.exe | schtasks.exe
PID 1984 wrote to memory of 516 | 1984 | wscript.exe | schtasks.exe
Processes (process tree; depth 1 is the root, depth 2 its child)
[1] C:\Windows\system32\wscript.exe
    Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\Order inquiry_0374_08_30_21.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\System32\schtasks.exe
        Command line: "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\ProgramData\Order inquiry_0374_08_30_21.js
        - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/516-59-0x0000000000000000-mapping.dmp