Analysis
Max time kernel: 132s
Max time network: 137s
Platform: windows7_x64
Resource: win7-20220812-en
Resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
Submitted: 24/08/2022, 15:53

Static task: static1
Behavioral task: behavioral1
Sample: Purchase Invoice.js
Resource: win7-20220812-en
General
Target: Purchase Invoice.js
Size: 25KB
MD5: 9aca2a4ff7b8ac6189ecd97173dd8d90
SHA1: b32bcdc674d7f27285a14291f5a12ba2b47f7102
SHA256: d90554b8cf36add67ceaaedfdcab5507eca5951197aed9b2a851485736640779
SHA512: c35295f93ea3b103a20ea4613d7c4392d09fd819fc785dc47e4799ffa1d7b125af616e29dd35505e5ed857eaefd4a37ef3892f4d6d92c567c1d80b099d6abaf4
SSDEEP: 768:dLqQvBf5oPGTyMJsijesb02xFIIxo8rUURwkUOV8igT8dHVT/l5Q:pAPsb02xFIIT/wkUOV8ige2
Malware Config
Extracted
vjw0rm
http://harold.jetos.com:3609
Signatures
Blocklisted process makes network request (1 IoC)
  flow 4 | PID 1972 | wscript.exe
Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Purchase Invoice.js | wscript.exe
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Purchase Invoice.js | wscript.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of WriteProcessMemory (3 IoCs)
  PID 1972 wrote to memory of 1936 | pid 1972 | wscript.exe | procid_target 27 (reported 3 times)
Processes
C:\Windows\system32\wscript.exe
  Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\Purchase Invoice.js"
  PID: 1972
  Signatures: Blocklisted process makes network request; Drops startup file; Suspicious use of WriteProcessMemory
  Child process: C:\Windows\System32\wscript.exe
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\UWdKpbrkDF.js"
    PID: 1936
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 6KB
MD5: 1214283010a75e6bf30c48c99722ee00
SHA1: baf927af2f820cf90a38bb0093097a18c7430fc6
SHA256: a87f39cd2f3017d5ab87295a437448f840c972e8a92363008ce342ccd9a7c8df
SHA512: ec8be42a8fb7ec0ea971fe266f6c7f8121e2c105df6b4ecb329c67960f3d1b638c49d5381cde81badd25e82dd76f33c08253e50f47bc822e808d47f20f9f1156