Analysis
Max time kernel: 146s
Max time network: 153s
Platform: windows7_x64
Resource: win7-20220414-en
Submitted: 17-06-2022 14:41
Static task: static1
Behavioral task: behavioral1 (sample Invoice.js, resource win7-20220414-en)
Behavioral task: behavioral2 (sample Invoice.js, resource win10-20220414-en)
General
Target: Invoice.js
Size: 29KB
MD5: b52ee9fc1494a1c1df13f015fa582808
SHA1: d4cb49d300c4caf339e6db3d9e977800799f8b25
SHA256: fd7d8b358ce1f40005f46b6e297b224c35f26d9a267d91c263b25472461feafd
SHA512: 882bb1cd72b505055748776800f5aa0b2aade2e01e98e5e3ce5756c8d00e9ae29fa766638207da356384fe6a3a19034e8ec3e80355358f6293d0b3c2dd8a4dff
Malware Config
Extracted
Family: vjw0rm
C2: http://104.168.7.110:7974
C2: http://franmhort.duia.ro:8152
Signatures
Blocklisted process makes network request (16 IoCs)
Processes: wscript.exe (PID 1924), wscript.exe (PID 1748)

  flow  pid   process
  6     1748  wscript.exe
  7     1924  wscript.exe
  8     1748  wscript.exe
  10    1748  wscript.exe
  13    1748  wscript.exe
  14    1748  wscript.exe
  15    1748  wscript.exe
  16    1924  wscript.exe
  19    1748  wscript.exe
  20    1748  wscript.exe
  22    1748  wscript.exe
  24    1748  wscript.exe
  25    1748  wscript.exe
  26    1748  wscript.exe
  28    1748  wscript.exe
  29    1748  wscript.exe

Fourteen of the sixteen flows come from PID 1748, the host process for the dropped gfpiBmTEHb.js; flows 7 and 16 come from PID 1924, the process that ran the submitted Invoice.js. Both stages therefore make outbound connections, and Windows Script Host (wscript.exe) is on the blocklist precisely because it has no routine reason to do so on an end-user machine.
Drops startup file (2 IoCs)
Processes: wscript.exe

  description                   ioc                                                                                           process
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gfpiBmTEHb.js  wscript.exe
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gfpiBmTEHb.js  wscript.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: wscript.exe

  description      ioc                                                                                                                                                                        process
  Set value (str)  \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\gfpiBmTEHb.js\""  wscript.exe
  Key created      \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run                                                                 wscript.exe

The Run value is written under the sandbox user's HKCU hive (S-1-5-21-...-1000), so it needs no elevation. Its data is the path of the copy dropped into %APPDATA% (C:\Users\Admin\AppData\Roaming\gfpiBmTEHb.js), giving the same second-stage script two independent autostart paths: the Startup folder copy above and this Run value. The value name YVBPFHTJIQ carries no meaning and should be treated as sample-specific rather than as a family indicator; the stable indicators are a Run value whose data is a .js file under a user-writable directory, and a .js file in the Startup folder.
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

The "likely ransomware" wording is the sandbox's generic description of this signature, not a finding about this sample: nothing else in this report (no mass file writes, no renamed or encrypted files, no ransom note) supports encryption activity. For vjw0rm, a Windows Script Host worm that propagates by copying itself to removable drives, drive enumeration is consistent with that propagation routine.
Suspicious use of WriteProcessMemory (3 IoCs)
Processes: wscript.exe

  description                  pid   process      target process
  PID 1924 wrote to memory of 1748  1924  wscript.exe  wscript.exe
  PID 1924 wrote to memory of 1748  1924  wscript.exe  wscript.exe
  PID 1924 wrote to memory of 1748  1924  wscript.exe  wscript.exe

All three writes go from PID 1924 into PID 1748, the child it created to run gfpiBmTEHb.js; no unrelated process is written to. That pattern is what ordinary process creation looks like to the sandbox's API hooks, so it adds no evidence of code injection here.
Processes

1. C:\Windows\system32\wscript.exe (PID 1924)
   Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\Invoice.js
   - Blocklisted process makes network request
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\System32\wscript.exe (PID 1748, child of 1)
      Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\gfpiBmTEHb.js"
      - Blocklisted process makes network request
      - Drops startup file
      - Adds Run key to start application

PIDs are taken from the WriteProcessMemory and network-request tables above. The submitted Invoice.js writes gfpiBmTEHb.js to %APPDATA% and relaunches wscript.exe on it with //B (batch mode), which suppresses script error dialogs and prompts so nothing is shown to the user; the second stage is the one that installs persistence. A script host launched with //B on a file under AppData is itself a useful hunting predicate, since administrative scripts rarely run that way.
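As an added example, not part of the sandbox report or of the malware's own code, the detection logic a SOC would derive from the signature tables and process tree above, run over constructed Sysmon-style events that mirror the report's IoCs. The event field names (Sysmon event IDs 1, 3, 11, 13 with `Image`, `CommandLine`, `TargetFilename`, `TargetObject`, `Details`), the `HKU\` key prefix, the parent PIDs and the benign logon-script control event are assumptions made for the example:

```python
"""Detection rules for the WSH dropper / persistence chain seen in this report.

Added example; the events below are constructed to mirror the report's IoCs
in Sysmon-style fields (EventID 1 process create, 3 network connect,
11 file create, 13 registry set). They are not real telemetry.
"""
import re

# Constructed events modelled on the report (PIDs 1924 and 1748 are the
# report's; parent PIDs, the HKU\ prefix and the benign control are assumed).
EVENTS = [
    {"EventID": 1, "ProcessId": 1924, "ParentProcessId": 600,
     "Image": r"C:\Windows\system32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"wscript.exe C:\Users\Admin\AppData\Local\Temp\Invoice.js"},
    {"EventID": 1, "ProcessId": 1748, "ParentProcessId": 1924,
     "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\system32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\gfpiBmTEHb.js"'},
    {"EventID": 11, "ProcessId": 1748, "Image": r"C:\Windows\System32\wscript.exe",
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gfpiBmTEHb.js"},
    {"EventID": 13, "ProcessId": 1748, "Image": r"C:\Windows\System32\wscript.exe",
     "TargetObject": r"HKU\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ",
     "Details": r'"C:\Users\Admin\AppData\Roaming\gfpiBmTEHb.js"'},
    {"EventID": 3, "ProcessId": 1748, "Image": r"C:\Windows\System32\wscript.exe",
     "DestinationIp": "104.168.7.110", "DestinationPort": 7974},
    {"EventID": 3, "ProcessId": 1924, "Image": r"C:\Windows\system32\wscript.exe",
     "DestinationHostname": "franmhort.duia.ro", "DestinationPort": 8152},
    # Benign control (assumed): a domain logon script run by the same engine.
    {"EventID": 1, "ProcessId": 2200, "ParentProcessId": 800,
     "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe",
     "CommandLine": r"wscript.exe \\dc01\netlogon\map_drives.vbs"},
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
SCRIPT_EXT = re.compile(r"\.(js|jse|vbs|vbe|wsf|wsh)\b", re.I)
USER_WRITABLE = re.compile(r"\\(AppData|Users\\[^\\]+\\(Downloads|Desktop))\\", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
BATCH_FLAG = re.compile(r"(^|\s)//B(\s|$)", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def is_script_host(ev):
    return basename(ev.get("Image", "")) in SCRIPT_HOSTS


def rule_batch_mode_script_from_appdata(ev):
    """wscript/cscript run with //B on a script under a user-writable path (stage 2 above)."""
    if ev["EventID"] != 1 or not is_script_host(ev):
        return False
    cl = ev["CommandLine"]
    return bool(BATCH_FLAG.search(cl) and USER_WRITABLE.search(cl) and SCRIPT_EXT.search(cl))


def rule_script_host_spawns_script_host(ev):
    """A script host whose parent is also a script host (Invoice.js relaunching wscript)."""
    return ev["EventID"] == 1 and is_script_host(ev) and basename(ev.get("ParentImage", "")) in SCRIPT_HOSTS


def rule_startup_folder_script(ev):
    """Script file created in a Startup folder (the report's 'Drops startup file')."""
    return ev["EventID"] == 11 and bool(STARTUP_DIR.search(ev["TargetFilename"]) and SCRIPT_EXT.search(ev["TargetFilename"]))


def rule_run_key_points_to_script(ev):
    """Run/RunOnce value whose data is a script under a user-writable directory."""
    return ev["EventID"] == 13 and bool(RUN_KEY.search(ev["TargetObject"])
                                       and SCRIPT_EXT.search(ev["Details"])
                                       and USER_WRITABLE.search(ev["Details"]))


def rule_script_host_network(ev):
    """Any outbound connection from a script host ('Blocklisted process makes network request')."""
    return ev["EventID"] == 3 and is_script_host(ev)


RULES = {
    "batch_mode_script_from_appdata": rule_batch_mode_script_from_appdata,
    "script_host_spawns_script_host": rule_script_host_spawns_script_host,
    "startup_folder_script": rule_startup_folder_script,
    "run_key_points_to_script": rule_run_key_points_to_script,
    "script_host_network": rule_script_host_network,
}


def evaluate(events):
    """Return {rule_name: [ProcessId, ...]} for every rule that fired, in event order."""
    hits = {}
    for ev in events:
        for name, fn in RULES.items():
            if fn(ev):
                hits.setdefault(name, []).append(ev["ProcessId"])
    return hits


def correlate(hits):
    """PIDs that both installed persistence and talked out: the report's PID 1748 pattern."""
    persistence = set(hits.get("startup_folder_script", [])) | set(hits.get("run_key_points_to_script", []))
    return sorted(persistence & set(hits.get("script_host_network", [])))


if __name__ == "__main__":
    found = evaluate(EVENTS)
    for name, pids in found.items():
        print(f"{name}: {pids}")
    print("persistence + C2 in one process:", correlate(found))
```

The per-event rules are deliberately broad (any script host connecting out will fire `script_host_network`); `correlate` is where the false-positive control lives, requiring the same process to both install an autostart and open a connection before it is escalated, which is exactly what PID 1748 does in this report while the assumed logon-script control never fires.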
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Roaming\gfpiBmTEHb.js
  Filesize: 10KB
  MD5: 75f3821ef96d7cb3ee0be246db880526
  SHA1: 46b6a26d42bfde161932e3c5fb0976e2df827597
  SHA256: e521b10f8ebb515cd835c0e87306205bd1e1b5f7259159f9afcfba11e435c56d
  SHA512: f368bb446aa54a9663d8d8f1553f103a970e59eb6a3415f6878def4b994d24ad52d506475bb58d4f91ca98d5b402c2678d1e0b5d23fd7e71dc9dbab591e77600

memory/1748-55-0x0000000000000000-mapping.dmp

memory/1924-54-0x000007FEFBC11000-0x000007FEFBC13000-memory.dmp
  Filesize: 8KB

The dropped gfpiBmTEHb.js (10KB) has different hashes and a different size from the submitted Invoice.js (29KB), so the second stage is not a verbatim copy of the first; when blocking or hunting on hashes, both sets above are needed, and the Startup folder copy should be checked against the gfpiBmTEHb.js hashes since the report does not list it separately.