Analysis
max time kernel: 150s
max time network: 151s
platform: windows7_x64
resource: win7-en-20210920
submitted: 21-10-2021 18:31
Static task: static1
Behavioral task: behavioral1 (Sample: invoice.js; Resource: win7-en-20210920)
Behavioral task: behavioral2 (Sample: invoice.js; Resource: win10-en-20211014)
General
Target: invoice.js
Size: 23KB
MD5: dabe050bb51ca8ac34498a176ac8227a
SHA1: b07d715fb5daac27e9d55c570ed3707d3858124c
SHA256: 2e05ea8c7d2121d1af64ae0a03a8cd42aca8a17be7775678c2d214f47d8dbfc1
SHA512: cbb58f3f962659b91e7ffc72e3ee1d01fd31da0a9c28653d947a6285cfe5da0ceec978c00c7ed667f5bccf476cccf0d25e26dc1e673e06a41d44c7976a67cf6a
Malware Config
Signatures
Blocklisted process makes network request (35 IoCs)
Processes: wscript.exe, wscript.exe
flow  pid   process
8     1896  wscript.exe
9     1256  wscript.exe
10    1896  wscript.exe
11    1256  wscript.exe
13    1896  wscript.exe
14    1256  wscript.exe
18    1896  wscript.exe
19    1256  wscript.exe
21    1896  wscript.exe
23    1256  wscript.exe
24    1896  wscript.exe
26    1256  wscript.exe
29    1896  wscript.exe
30    1256  wscript.exe
32    1896  wscript.exe
34    1256  wscript.exe
35    1896  wscript.exe
38    1256  wscript.exe
40    1896  wscript.exe
41    1256  wscript.exe
43    1896  wscript.exe
45    1256  wscript.exe
46    1896  wscript.exe
49    1256  wscript.exe
51    1896  wscript.exe
53    1256  wscript.exe
54    1896  wscript.exe
56    1256  wscript.exe
57    1256  wscript.exe
60    1896  wscript.exe
63    1256  wscript.exe
64    1896  wscript.exe
65    1256  wscript.exe
67    1896  wscript.exe
69    1256  wscript.exe

Drops startup file (3 IoCs)
Processes: wscript.exe, wscript.exe
description                   ioc                                                                                              process
File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\invoice.js        wscript.exe
File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ztRjTeZckf.js     wscript.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ztRjTeZckf.js     wscript.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
Processes: wscript.exe, wscript.exe
description      ioc                                                                                                                                                                              process
Key created      \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run                                                                       wscript.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\ztRjTeZckf.js\""  wscript.exe
Key created      \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run                                                                       wscript.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\3W2CQPM6PM = "\"C:\\Users\\Admin\\AppData\\Roaming\\invoice.js\""     wscript.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of WriteProcessMemory (3 IoCs)
Processes: wscript.exe
description                        pid   process      target process
PID 1896 wrote to memory of 1256   1896  wscript.exe  wscript.exe
PID 1896 wrote to memory of 1256   1896  wscript.exe  wscript.exe
PID 1896 wrote to memory of 1256   1896  wscript.exe  wscript.exe
Processes
1. C:\Windows\system32\wscript.exe (wscript.exe)
   Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\invoice.js
   - Blocklisted process makes network request
   - Drops startup file
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\wscript.exe (child of 1)
      Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\ztRjTeZckf.js"
      - Blocklisted process makes network request
      - Drops startup file
      - Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Roaming\ztRjTeZckf.js
MD5: 2697845d2c7ec6c8544bf5479d8b5d7f
SHA1: 93bb2256e2c2402d0cc121e3c2d385fa87c43e9d
SHA256: 0a779aefb4dcf1ebf73544e0a59cbf6584490e7954d2dd82772b5ef9b6a446da
SHA512: d1d4fdfd9c7b2e0284b977bdd33956c8d49c840b7dc0e618ef8f8dcc67974f2e78d7652db0ea25ad7379b3d1f33274559d648ae2b371ddeedc4a96f98bb91cec

memory/1256-54-0x0000000000000000-mapping.dmp