Analysis
- max time kernel: 146s
- max time network: 149s
- platform: windows10_x64
- resource: win10-20220414-en
- submitted: 17-06-2022 14:41
Static task: static1
Behavioral task: behavioral1
  Sample: Invoice.js
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: Invoice.js
  Resource: win10-20220414-en
General
- Target: Invoice.js
- Size: 29KB
- MD5: b52ee9fc1494a1c1df13f015fa582808
- SHA1: d4cb49d300c4caf339e6db3d9e977800799f8b25
- SHA256: fd7d8b358ce1f40005f46b6e297b224c35f26d9a267d91c263b25472461feafd
- SHA512: 882bb1cd72b505055748776800f5aa0b2aade2e01e98e5e3ce5756c8d00e9ae29fa766638207da356384fe6a3a19034e8ec3e80355358f6293d0b3c2dd8a4dff
Malware Config
Extracted
- Family: vjw0rm
- URL: http://franmhort.duia.ro:8152
- URL: http://104.168.7.110:7974
Signatures
- Blocklisted process makes network request (17 IoCs)
  Processes: wscript.exe, wscript.exe
  flow  pid   process
  2     3472  wscript.exe
  3     1420  wscript.exe
  5     1420  wscript.exe
  7     1420  wscript.exe
  11    1420  wscript.exe
  12    1420  wscript.exe
  13    1420  wscript.exe
  14    1420  wscript.exe
  15    1420  wscript.exe
  16    1420  wscript.exe
  17    1420  wscript.exe
  18    1420  wscript.exe
  19    1420  wscript.exe
  20    1420  wscript.exe
  21    1420  wscript.exe
  22    3472  wscript.exe
  23    1420  wscript.exe
- Drops startup file (2 IoCs)
  Processes: wscript.exe
  description                   ioc                                                                                           process
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gfpiBmTEHb.js    wscript.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gfpiBmTEHb.js    wscript.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: wscript.exe
  description      ioc                                                                                                                                    process
  Key created      \REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Windows\CurrentVersion\Run                              wscript.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\gfpiBmTEHb.js\""  wscript.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes: wscript.exe
  description                       pid   process      target process
  PID 3472 wrote to memory of 1420  3472  wscript.exe  wscript.exe
  PID 3472 wrote to memory of 1420  3472  wscript.exe  wscript.exe
Processes
- C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\Invoice.js
  PID: 3472
  - Blocklisted process makes network request
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\wscript.exe (child of PID 3472)
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\gfpiBmTEHb.js"
    PID: 1420
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Roaming\gfpiBmTEHb.js
  Filesize: 10KB
  MD5: 75f3821ef96d7cb3ee0be246db880526
  SHA1: 46b6a26d42bfde161932e3c5fb0976e2df827597
  SHA256: e521b10f8ebb515cd835c0e87306205bd1e1b5f7259159f9afcfba11e435c56d
  SHA512: f368bb446aa54a9663d8d8f1553f103a970e59eb6a3415f6878def4b994d24ad52d506475bb58d4f91ca98d5b402c2678d1e0b5d23fd7e71dc9dbab591e77600
- memory/1420-116-0x0000000000000000-mapping.dmp