Analysis
- max time kernel: 146s
- max time network: 156s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 30-08-2021 12:52
Static task: static1
Behavioral task: behavioral1
- Sample: Order inquiry_0374_08_30_21.js
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: Order inquiry_0374_08_30_21.js
- Resource: win10v20210408
General
- Target: Order inquiry_0374_08_30_21.js
- Size: 21KB
- MD5: 9590451d9db0f6b02577b7dbec449850
- SHA1: 997317bed5f018f9ae87d4594d681eef32e8988c
- SHA256: 7385592ac66818d908a5591d21fdf11ad4e8006685bd81009823166d2560db9d
- SHA512: f299ad64205ce9f70b37f8432f538702eb373e939acc666fac511b229f406470d5a62b4ca2abc4eb9aec8bbc96d4e8181f0d88cc22a7d3742b0a5b4e05b18ea9
Malware Config
Signatures
- Blocklisted process makes network request 18 IoCs
  Processes: wscript.exe
  flow  pid  process
  8     568  wscript.exe
  15    568  wscript.exe
  17    568  wscript.exe
  18    568  wscript.exe
  19    568  wscript.exe
  20    568  wscript.exe
  21    568  wscript.exe
  22    568  wscript.exe
  23    568  wscript.exe
  24    568  wscript.exe
  25    568  wscript.exe
  26    568  wscript.exe
  27    568  wscript.exe
  28    568  wscript.exe
  29    568  wscript.exe
  30    568  wscript.exe
  31    568  wscript.exe
  32    568  wscript.exe
- Drops startup file 1 IoCs
  Processes: wscript.exe
  description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Order inquiry_0374_08_30_21.js
  process: wscript.exe
- Adds Run key to start application 2 TTPs 2 IoCs
  Processes: wscript.exe
  description: Key created
  ioc: \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run
  process: wscript.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\P7EKOWB6GH = "\"C:\\ProgramData\\Order inquiry_0374_08_30_21.js\""
  process: wscript.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) 1 TTPs 1 IoCs
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious use of WriteProcessMemory 2 IoCs
  Processes: wscript.exe
  description: PID 568 wrote to memory of 2352
  pid: 568
  process: wscript.exe
  target process: schtasks.exe
  description: PID 568 wrote to memory of 2352
  pid: 568
  process: wscript.exe
  target process: schtasks.exe
Processes
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\Users\Admin\AppData\Local\Temp\Order inquiry_0374_08_30_21.js"
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\ProgramData\Order inquiry_0374_08_30_21.js
    - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/2352-114-0x0000000000000000-mapping.dmp