Analysis
- max time kernel: 284s
- max time network: 317s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 12-10-2021 16:31
Static task: static1
Behavioral task: behavioral1
- Sample: C0083_Invoice_Copy.js
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: C0083_Invoice_Copy.js
- Resource: win10-en-20210920
General
- Target: C0083_Invoice_Copy.js
- Size: 12KB
- MD5: 7db9fe7b332f94b2c50ce2761b40abfc
- SHA1: 277de0d07f6080d096fe3b2ece7c99ee3167f3ed
- SHA256: 9af04e365ed1f2e0ea04dc71729f0e3341f0f981405c9f3ddd6d6d7b693fb733
- SHA512: b735fc8a216ba8833ebaa00d7f67969645f78a572d5c92052de36e5433d0842ed73e481aec3a58484d7a3ee36033fe83cfaa9565b70472b6b9247a4d7d640c1b
Malware Config
Extracted
- Family: vjw0rm
- C2: http://mchristopherr83.duckdns.org:7922
The C2 is a duckdns.org dynamic-DNS name, so the resolved IP can change at any time; block and hunt on the hostname and the non-standard port 7922 rather than on an IP captured during one run.
Signatures
Blocklisted process makes network request (1 IoC)
Processes:
- flow: 5, pid: 1972, process: wscript.exe
Drops startup file (2 IoCs)
Processes:
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\C0083_Invoice_Copy.js (process: wscript.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\C0083_Invoice_Copy.js (process: wscript.exe)
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
- Key created: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run (process: wscript.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\JX0T7EQ31M = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\C0083_Invoice_Copy.js\"" (process: wscript.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic signature text labels this likely ransomware behaviour; nothing else in this report (no mass file writes, no ransom note) supports encryption, and for a vjw0rm sample drive enumeration is consistent with the worm looking for removable media to copy itself onto. Treat it as a spreading indicator, not as evidence of ransomware.
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution. Here the task is named Skype (a benign-looking name) and re-runs the dropped .js from the user's Temp directory every 30 minutes; see the process tree below for the full command line.
Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
- PID 1972 wrote to memory of 848 (process: wscript.exe, target process: schtasks.exe)
- PID 1972 wrote to memory of 848 (process: wscript.exe, target process: schtasks.exe)
- PID 1972 wrote to memory of 848 (process: wscript.exe, target process: schtasks.exe)
The target (PID 848) is the schtasks.exe child that wscript.exe itself launched, so these writes are consistent with ordinary process creation by the parent rather than injection into an unrelated process; the scheduled-task and Run-key IoCs, not this signature, are the actionable findings.
Processes
1. C:\Windows\system32\wscript.exe
   Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\C0083_Invoice_Copy.js
   - Blocklisted process makes network request
   - Drops startup file
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\schtasks.exe (child of 1)
      Command line: "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\C0083_Invoice_Copy.js
      - Creates scheduled task(s)
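The process tree and the signatures above show one file registered three ways: copied into the Startup folder, referenced from a Run value, and re-launched every 30 minutes by a scheduled task, all pointing at the same .js under the user's Temp directory. The following Python is an added example, not part of the sandbox report or the vjw0rm sample: it runs three detections over constructed Sysmon-style events (the field names type/image/parent_image/cmdline/target/details and the sample events are assumptions modelled on this report's IoCs, with two benign look-alikes added) and then correlates the hits by file name, because several persistence mechanisms converging on one script in a user-writable path is a far stronger signal than any single hit.

```python
"""Hunt for the layered script persistence shown in this report.

Added example, not sandbox output. Event shape is an assumption loosely
modelled on Sysmon events 1 (process create), 11 (file create) and
13 (registry value set); sample events are constructed from the report.
"""
from collections import defaultdict

SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Persistence pointing into a user-writable location is the tell; legitimate
# Run values and tasks normally point into Program Files or System32.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

# Constructed sample telemetry (assumed field names, not sandbox output).
SAMPLE_EVENTS = [
    {"type": "ProcessCreate", "pid": 1972, "image": r"C:\Windows\system32\wscript.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"wscript.exe C:\Users\Admin\AppData\Local\Temp\C0083_Invoice_Copy.js"},
    {"type": "ProcessCreate", "pid": 848, "image": r"C:\Windows\System32\schtasks.exe",
     "parent_image": r"C:\Windows\system32\wscript.exe",
     # Closing quote deliberately absent, as in the report's recorded command line.
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype '
                r'/tr "C:\Users\Admin\AppData\Local\Temp\C0083_Invoice_Copy.js'},
    {"type": "RegistryValueSet", "image": r"C:\Windows\system32\wscript.exe",
     "target": r"HKU\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\JX0T7EQ31M",
     "details": r'"C:\Users\Admin\AppData\Local\Temp\C0083_Invoice_Copy.js"'},
    {"type": "FileCreate", "image": r"C:\Windows\system32\wscript.exe",
     "target": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\C0083_Invoice_Copy.js"},
    # Benign look-alikes that must not fire: admin-created task, OneDrive Run value.
    {"type": "ProcessCreate", "pid": 4100, "image": r"C:\Windows\System32\schtasks.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'schtasks /create /sc daily /tn Backup /tr "C:\Program Files\Backup\backup.exe"'},
    {"type": "RegistryValueSet", "image": r"C:\Windows\explorer.exe",
     "target": r"HKU\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
]


def split_cmdline(cmdline):
    """Minimal Windows-style tokenizer: whitespace splits, double quotes group.
    Tolerates an unterminated trailing quote, which real telemetry does contain."""
    tokens, cur, in_quotes = [], "", False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if cur:
                tokens.append(cur)
            cur = ""
        else:
            cur += ch
    if cur:
        tokens.append(cur)
    return tokens


def basename(path):
    return path.replace("/", "\\").strip('"').rsplit("\\", 1)[-1].lower()


def first_path(cmd):
    """Executable/script path of a command string (first token, quotes removed)."""
    toks = split_cmdline(cmd)
    return toks[0] if toks else ""


def is_user_writable_script(path):
    p = path.lower()
    return p.endswith(SCRIPT_EXTS) and any(m in p for m in USER_WRITABLE)


def schtasks_target(cmdline):
    """Return the /tr target of a 'schtasks /create' command line, or None."""
    toks = split_cmdline(cmdline)
    low = [t.lower() for t in toks]
    if "/create" not in low:
        return None
    for i, t in enumerate(low):
        if t == "/tr" and i + 1 < len(toks):
            return toks[i + 1]
    return None


def detect(events):
    """Return (rule, script_path) findings for the three persistence mechanisms."""
    findings = []
    for ev in events:
        kind = ev["type"]
        if kind == "ProcessCreate":
            # Script host (wscript/cscript) spawning schtasks to run a script from a user-writable path.
            if (basename(ev["image"]) == "schtasks.exe"
                    and basename(ev.get("parent_image", "")) in SCRIPT_HOSTS):
                target = schtasks_target(ev["cmdline"])
                if target and is_user_writable_script(first_path(target)):
                    findings.append(("schtasks_persistence_from_script_host", first_path(target)))
        elif kind == "RegistryValueSet":
            # Run value whose command is a script in a user-writable path.
            if "\\currentversion\\run\\" in ev["target"].lower():
                exe = first_path(ev["details"])
                if is_user_writable_script(exe):
                    findings.append(("run_key_points_to_script", exe))
        elif kind == "FileCreate":
            # Script file dropped directly into a Startup folder.
            t = ev["target"]
            if "\\start menu\\programs\\startup\\" in t.lower() and t.lower().endswith(SCRIPT_EXTS):
                findings.append(("script_dropped_in_startup_folder", t))
    return findings


def layered_persistence(findings):
    """Group findings by script file name; two or more distinct mechanisms on one file
    is the high-confidence pattern this sample exhibits."""
    by_file = defaultdict(set)
    for rule, target in findings:
        by_file[basename(target)].add(rule)
    return {name: sorted(rules) for name, rules in by_file.items() if len(rules) >= 2}


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for rule, target in hits:
        print(f"{rule}: {target}")
    print("layered persistence:", layered_persistence(hits))
```

Each rule keys on the combination of launcher, mechanism and path location rather than on the file name or the task name, so renaming C0083_Invoice_Copy.js or picking a task name other than Skype does not evade it; the correlation step is what separates this sample's behaviour from a single benign Run value in AppData.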
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/848-60-0x0000000000000000-mapping.dmp (memory mapping dump from PID 848, schtasks.exe)