Analysis
- max time kernel: 201s
- max time network: 208s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 08-07-2022 21:28
Static task: static1
Behavioral task: behavioral1
- Sample: Statement-Invoice.js
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: Statement-Invoice.js
- Resource: win10v2004-20220414-en
General
- Target: Statement-Invoice.js
- Size: 10KB
- MD5: c94c70544e1792362319f444ff1969ba
- SHA1: 0b8712b610744c9bf0cb469662f7823ed71e84b9
- SHA256: 9296cb6b37e1aa570675bcc07519b5887d20ec6617efa84d900286a8a829c994
- SHA512: 001eb00bf2851c8cda1bbf2ccb9a7d624378896d6a8cce02e99af4e0c7c2751d2cbc496c3c98d0f0535d1c0413e06c5a72b542f7d4b5e2f2c78b4ac5b04a1512
Malware Config
Extracted
vjw0rm
http://hwprocessing.duckdns.org:9933
Signatures

Blocklisted process makes network request (1 IoCs)
Processes: wscript.exe
- flow: 4, pid: 2000, process: wscript.exe

Drops startup file (2 IoCs)
Processes: wscript.exe
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Statement-Invoice.js (process: wscript.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Statement-Invoice.js (process: wscript.exe)

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: wscript.exe
- Key created: \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run (process: wscript.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\8Z0TNMFXTR = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Statement-Invoice.js\"" (process: wscript.exe)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious use of WriteProcessMemory (3 IoCs)
Processes: wscript.exe
- PID 2000 wrote to memory of 1532 (pid: 2000, process: wscript.exe, target process: schtasks.exe)
- PID 2000 wrote to memory of 1532 (pid: 2000, process: wscript.exe, target process: schtasks.exe)
- PID 2000 wrote to memory of 1532 (pid: 2000, process: wscript.exe, target process: schtasks.exe)
Processes
- C:\Windows\system32\wscript.exe
  wscript.exe C:\Users\Admin\AppData\Local\Temp\Statement-Invoice.js
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\Statement-Invoice.js
    - Creates scheduled task(s)