Analysis
  max time kernel:  158s
  max time network: 191s
  platform:         windows7_x64
  resource:         win7-20220414-en
  submitted:        16-06-2022 03:18
Tasks
  Static task:     static1
  Behavioral task: behavioral1  (Sample: Invoice.js, Resource: win7-20220414-en)
  Behavioral task: behavioral2  (Sample: Invoice.js, Resource: win10v2004-20220414-en)
General
  Target: Invoice.js
  Size:   29KB
  MD5:    b52ee9fc1494a1c1df13f015fa582808
  SHA1:   d4cb49d300c4caf339e6db3d9e977800799f8b25
  SHA256: fd7d8b358ce1f40005f46b6e297b224c35f26d9a267d91c263b25472461feafd
  SHA512: 882bb1cd72b505055748776800f5aa0b2aade2e01e98e5e3ce5756c8d00e9ae29fa766638207da356384fe6a3a19034e8ec3e80355358f6293d0b3c2dd8a4dff
Malware Config
  Extracted: vjw0rm
  URL:       http://104.168.7.110:7974
Signatures

Blocklisted process makes network request (6 IoCs)
Processes:
  flow  pid   process
  8     1664  wscript.exe
  9     1700  wscript.exe
  12    1664  wscript.exe
  15    1664  wscript.exe
  18    1664  wscript.exe
  20    1664  wscript.exe

Drops startup file (2 IoCs)
Processes:
  description                   ioc                                                                                          process
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gfpiBmTEHb.js   wscript.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gfpiBmTEHb.js   wscript.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  description      ioc                                                                                                                                                                            process
  Key created      \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run                                                                      wscript.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\gfpiBmTEHb.js\""   wscript.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  description                       pid   process      target process
  PID 1700 wrote to memory of 1664  1700  wscript.exe  wscript.exe
  PID 1700 wrote to memory of 1664  1700  wscript.exe  wscript.exe
  PID 1700 wrote to memory of 1664  1700  wscript.exe  wscript.exe
Processes

1. C:\Windows\system32\wscript.exe
   Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\Invoice.js
   PID: 1700
   - Blocklisted process makes network request
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\System32\wscript.exe  (child of PID 1700)
      Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\gfpiBmTEHb.js"
      PID: 1664
      - Blocklisted process makes network request
      - Drops startup file
      - Adds Run key to start application
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Roaming\gfpiBmTEHb.js
  Filesize: 10KB
  MD5:      75f3821ef96d7cb3ee0be246db880526
  SHA1:     46b6a26d42bfde161932e3c5fb0976e2df827597
  SHA256:   e521b10f8ebb515cd835c0e87306205bd1e1b5f7259159f9afcfba11e435c56d
  SHA512:   f368bb446aa54a9663d8d8f1553f103a970e59eb6a3415f6878def4b994d24ad52d506475bb58d4f91ca98d5b402c2678d1e0b5d23fd7e71dc9dbab591e77600

memory/1664-55-0x0000000000000000-mapping.dmp

memory/1700-54-0x000007FEFBD41000-0x000007FEFBD43000-memory.dmp
  Filesize: 8KB