Analysis
max time kernel: 299s
max time network: 351s
platform: windows7_x64
resource: win7v20210408
submitted: 12-10-2021 18:05
Static task: static1
Behavioral task: behavioral1
Sample: C0083_Invoice_Copy.js
Resource: win7v20210408
General
Target: C0083_Invoice_Copy.js
Size: 12KB
MD5: 7db9fe7b332f94b2c50ce2761b40abfc
SHA1: 277de0d07f6080d096fe3b2ece7c99ee3167f3ed
SHA256: 9af04e365ed1f2e0ea04dc71729f0e3341f0f981405c9f3ddd6d6d7b693fb733
SHA512: b735fc8a216ba8833ebaa00d7f67969645f78a572d5c92052de36e5433d0842ed73e481aec3a58484d7a3ee36033fe83cfaa9565b70472b6b9247a4d7d640c1b
Malware Config
Extracted: vjw0rm
http://mchristopherr83.duckdns.org:7922
Signatures
Blocklisted process makes network request (3 IoCs)
Processes:
  flow  pid   process
  6     1268  wscript.exe
  8     1488  WScript.exe
  10    1756  cscript.exe
Drops startup file (4 IoCs)
Processes:
  description                   ioc                                                                                                process
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\C0083_Invoice_Copy.js  cscript.exe
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\C0083_Invoice_Copy.js  wscript.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\C0083_Invoice_Copy.js  wscript.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\C0083_Invoice_Copy.js  WScript.exe
Adds Run key to start application (2 TTPs, 6 IoCs)
Processes:
  description      ioc                                                                                                                                                                                            process
  Key created      \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run                                                                                   cscript.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\JX0T7EQ31M = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\C0083_Invoice_Copy.js\""  cscript.exe
  Key created      \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run                                                                                   wscript.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\JX0T7EQ31M = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\C0083_Invoice_Copy.js\""  wscript.exe
  Key created      \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run                                                                                   WScript.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\JX0T7EQ31M = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\C0083_Invoice_Copy.js\""  WScript.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Creates scheduled task(s) (1 TTPs, 3 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
  pid   process
  1812  schtasks.exe
  916   schtasks.exe
  1392  schtasks.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  description                        pid   process      target process
  PID 1268 wrote to memory of 1812   1268  wscript.exe  schtasks.exe
  PID 1268 wrote to memory of 1812   1268  wscript.exe  schtasks.exe
  PID 1268 wrote to memory of 1812   1268  wscript.exe  schtasks.exe
  PID 1488 wrote to memory of 916    1488  WScript.exe  schtasks.exe
  PID 1488 wrote to memory of 916    1488  WScript.exe  schtasks.exe
  PID 1488 wrote to memory of 916    1488  WScript.exe  schtasks.exe
  PID 1756 wrote to memory of 1392   1756  cscript.exe  schtasks.exe
  PID 1756 wrote to memory of 1392   1756  cscript.exe  schtasks.exe
  PID 1756 wrote to memory of 1392   1756  cscript.exe  schtasks.exe
Processes
C:\Windows\system32\wscript.exe
  wscript.exe C:\Users\Admin\AppData\Local\Temp\C0083_Invoice_Copy.js
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\C0083_Invoice_Copy.js
    - Creates scheduled task(s)
C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\C0083_Invoice_Copy.js"
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\C0083_Invoice_Copy.js
    - Creates scheduled task(s)
C:\Windows\system32\cscript.exe
  cscript C0083_Invoice_Copy.js
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\C0083_Invoice_Copy.js
    - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\C0083_Invoice_Copy.js
MD5: 7db9fe7b332f94b2c50ce2761b40abfc
SHA1: 277de0d07f6080d096fe3b2ece7c99ee3167f3ed
SHA256: 9af04e365ed1f2e0ea04dc71729f0e3341f0f981405c9f3ddd6d6d7b693fb733
SHA512: b735fc8a216ba8833ebaa00d7f67969645f78a572d5c92052de36e5433d0842ed73e481aec3a58484d7a3ee36033fe83cfaa9565b70472b6b9247a4d7d640c1b
memory/916-61-0x0000000000000000-mapping.dmp
memory/1392-63-0x0000000000000000-mapping.dmp
memory/1812-60-0x0000000000000000-mapping.dmp