Analysis

Max time kernel: 159s
Max time network: 173s
Platform: windows10-2004_x64
Resource: win10v2004-20220414-en
Submitted: 16-06-2022 03:18

Static task: static1
Behavioral task behavioral1: sample Invoice.js, resource win7-20220414-en
Behavioral task behavioral2: sample Invoice.js, resource win10v2004-20220414-en
General

Target: Invoice.js
Size: 29KB
MD5: b52ee9fc1494a1c1df13f015fa582808
SHA1: d4cb49d300c4caf339e6db3d9e977800799f8b25
SHA256: fd7d8b358ce1f40005f46b6e297b224c35f26d9a267d91c263b25472461feafd
SHA512: 882bb1cd72b505055748776800f5aa0b2aade2e01e98e5e3ce5756c8d00e9ae29fa766638207da356384fe6a3a19034e8ec3e80355358f6293d0b3c2dd8a4dff
Malware Config

Extracted family: vjw0rm (Vengeance Justice Worm, a JScript worm/RAT)
C2: http://104.168.7.110:7974
Signatures
Blocklisted process makes network request (7 IoCs)
  flow  pid   process
  5     2648  wscript.exe
  6     2856  wscript.exe
  16    2856  wscript.exe
  17    2856  wscript.exe
  20    2856  wscript.exe
  22    2856  wscript.exe
  23    2856  wscript.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check before the payload runs.
  Key value queried: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation (wscript.exe; attributed to PID 2648 in the process tree below)
Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gfpiBmTEHb.js (wscript.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gfpiBmTEHb.js (wscript.exe)
Adds Run key to start application (2 TTPs, 2 IoCs)
  Key created: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows\CurrentVersion\Run (wscript.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\gfpiBmTEHb.js\"" (wscript.exe)
The value data is the quoted path "C:\Users\Admin\AppData\Roaming\gfpiBmTEHb.js" with no interpreter, so at the next logon it is launched through the .js file association (wscript.exe by default). Together with the Startup-folder copy this gives two independent persistence paths. The child wscript.exe in the process tree below was started directly by the parent, not through this key, so execution via the Run key is not exercised in this run.
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description of this signature says "likely ransomware behaviour"; for the vjw0rm family, a worm, drive enumeration is better explained by spreading to removable media, and no file-encryption activity appears anywhere else in this report.
Suspicious use of WriteProcessMemory (2 IoCs)
  PID 2648 (wscript.exe) wrote to memory of PID 2856 (wscript.exe)
  PID 2648 (wscript.exe) wrote to memory of PID 2856 (wscript.exe)
Both writes go from the parent into the child it spawned (see the process tree below), which is the pattern process creation itself produces; the report shows no writes into any unrelated process, so this is not evidence of injection on its own.
Processes

1. C:\Windows\system32\wscript.exe (PID 2648)
   Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\Invoice.js
   - Blocklisted process makes network request
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\System32\wscript.exe (PID 2856), child of PID 2648
      Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\gfpiBmTEHb.js"
      - Blocklisted process makes network request
      - Drops startup file
      - Adds Run key to start application

The first stage (Invoice.js, 29KB) performs the geofence lookup and the first C2 contact, then launches a 10KB second-stage script, gfpiBmTEHb.js, from AppData\Roaming (hashes under Downloads; it is not a byte-for-byte copy of the dropper). The //B switch runs wscript.exe in batch mode, which suppresses script error dialogs and prompts, so a scripting failure would not alert the user. The second stage is the one that installs both persistence mechanisms and generates the remaining six network flows.
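The signature rows and the process tree above amount to a small correlation rule: a script host that looks up Geo\Nation, talks to the extracted C2, spawns another script host in batch mode from AppData\Roaming, and writes both a Startup-folder script and a Run value. The Python below is an added example (not the sandbox's code and not the malware author's) that encodes that rule and runs it over constructed event records shaped like the report's rows. The event schema and field names ('type', 'pid', 'image' and the type-specific keys) are this example's own; the pids, paths, registry key names, hashes and C2 are copied from the report; the parent of PID 2648 is assumed to be explorer.exe.

```python
r"""Correlate the behaviours in this report into per-process signatures and a verdict.

Added example: this is neither the sandbox's nor the vjw0rm author's code. The
event schema ('type', 'pid', 'image' plus type-specific keys) is this example's
own, and SAMPLE_EVENTS are constructed to mirror the rows of the report (pids,
paths, key names and the C2 are taken from it). Map the fields onto your EDR or
Sysmon telemetry as appropriate; note that the Geo\Nation *query* is only
visible to an API monitor, because Sysmon records registry creates, deletes and
value sets, not reads.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# IoCs copied from the report.
C2_HOST, C2_PORT = "104.168.7.110", 7974
KNOWN_SHA256 = {
    "fd7d8b358ce1f40005f46b6e297b224c35f26d9a267d91c263b25472461feafd": "Invoice.js (submitted sample)",
    "e521b10f8ebb515cd835c0e87306205bd1e1b5f7259159f9afcfba11e435c56d": "gfpiBmTEHb.js (dropped second stage)",
}

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
GEO_NATION = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
STARTUP_JS = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.jse?$", re.I)
ROAMING_JS = re.compile(r"\\AppData\\Roaming\\[^\\]+\.jse?", re.I)
PERSISTENCE = {"startup_folder_script", "run_key_roaming_script"}


def basename(path):
    """Lower-cased final path component, tolerant of either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_known_c2(url):
    """Compare host and port properly instead of a prefix match on the URL string."""
    try:
        u = urlsplit(url)
        return u.hostname == C2_HOST and u.port == C2_PORT
    except ValueError:  # malformed or out-of-range port
        return False


def lookup_hash(sha256):
    return KNOWN_SHA256.get(sha256.lower())


def detect(events):
    """Return {pid: sorted signature names} for every script-host process."""
    hits = defaultdict(set)
    for ev in events:
        if basename(ev["image"]) not in SCRIPT_HOSTS:
            continue  # every behaviour below is only interesting from a script host
        pid, kind = ev["pid"], ev["type"]
        if kind == "process_create":
            cl = ev["cmdline"]
            if re.search(r"\s//[Bb]\s", cl) and ROAMING_JS.search(cl):
                hits[pid].add("script_host_batch_mode_roaming_js")
            if basename(ev.get("parent_image", "")) in SCRIPT_HOSTS:
                hits[pid].add("script_host_spawned_by_script_host")
        elif kind == "net_request":
            hits[pid].add("blocklisted_process_network_request")
            if is_known_c2(ev["url"]):
                hits[pid].add("known_vjw0rm_c2")
        elif kind == "reg_query" and GEO_NATION.search(ev["key"]):
            hits[pid].add("geofence_lookup")
        elif kind == "file_create" and STARTUP_JS.search(ev["path"]):
            hits[pid].add("startup_folder_script")
        elif kind == "reg_set" and RUN_KEY.search(ev["key"]) and ROAMING_JS.search(ev["value"]):
            hits[pid].add("run_key_roaming_script")
    return {pid: sorted(sigs) for pid, sigs in hits.items()}


def verdict(hits):
    """'malicious' once a process both persists and reaches the network."""
    for sigs in hits.values():
        if set(sigs) & PERSISTENCE and "blocklisted_process_network_request" in sigs:
            return "malicious"
    return "suspicious" if hits else "clean"


WS = r"C:\Windows\System32\wscript.exe"
SID = r"\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000"
# Constructed events mirroring the report; the parent of PID 2648 is assumed to be explorer.exe.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 2648, "image": WS, "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"wscript.exe C:\Users\Admin\AppData\Local\Temp\Invoice.js"},
    {"type": "reg_query", "pid": 2648, "image": WS, "key": SID + r"\Control Panel\International\Geo\Nation"},
    {"type": "net_request", "pid": 2648, "image": WS, "url": "http://104.168.7.110:7974"},
    {"type": "process_create", "pid": 2856, "image": WS, "parent_image": WS,
     "cmdline": r'"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\gfpiBmTEHb.js"'},
    {"type": "file_create", "pid": 2856, "image": WS,
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gfpiBmTEHb.js"},
    {"type": "reg_set", "pid": 2856, "image": WS,
     "key": SID + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ",
     "value": r'"C:\Users\Admin\AppData\Roaming\gfpiBmTEHb.js"'},
    {"type": "net_request", "pid": 2856, "image": WS, "url": "http://104.168.7.110:7974"},
]

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for pid in sorted(found):
        print(pid, ", ".join(found[pid]))
    print("verdict:", verdict(found))
```

Run as a script it prints the signatures per pid and the verdict; in practice replace SAMPLE_EVENTS with records from your telemetry. The verdict deliberately requires both a persistence write and network activity from the same process, so a lone Geo\Nation lookup (which legitimate software also performs) only rates "suspicious", and the C2 check compares host and port rather than the URL prefix so that 104.168.7.110:79740 does not match.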
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Roaming\gfpiBmTEHb.js
  Filesize: 10KB
  MD5: 75f3821ef96d7cb3ee0be246db880526
  SHA1: 46b6a26d42bfde161932e3c5fb0976e2df827597
  SHA256: e521b10f8ebb515cd835c0e87306205bd1e1b5f7259159f9afcfba11e435c56d
  SHA512: f368bb446aa54a9663d8d8f1553f103a970e59eb6a3415f6878def4b994d24ad52d506475bb58d4f91ca98d5b402c2678d1e0b5d23fd7e71dc9dbab591e77600
  This dropped script is a distinct artefact from the 29KB submitted Invoice.js (different size and hashes), so both hash sets are needed for file-based hunting.

memory/2856-130-0x0000000000000000-mapping.dmp