Analysis

max time kernel: 128s
max time network: 140s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 25/08/2022, 10:59

Static task: static1
Behavioral task: behavioral1
Sample: Purchase Invoice.js
Resource: win7-20220812-en
General

Target: Purchase Invoice.js
Size: 60KB
MD5: 141484b1be6eb2fe39f6b810c8adea75
SHA1: 294f6b489e8b0201845e8e2c794f5c024c818065
SHA256: c52320fc195a224294899543e52212f4cbe3026a467ff2438bfba5011ba1e987
SHA512: 8a5cd665c13b855c1678c92afc1f511455fa3b84de7425d276b3493c53b11c7ecd4a6c566fe8b5207d3f280d8ac8f149672e0ecb9bea98a2a16db6c80bdcd57a
SSDEEP: 1536:5YJm4ERgktGIefDKehgzpG6dGjsCtStW2zHyMdQ+HKrTzKpjCYD80zdNF8Dxl6:KJm4FhKdpG7Jr+8sdf
Malware Config

Extracted family: vjw0rm
C2: http://harold.jetos.com:3609
Signatures

Blocklisted process makes network request (1 IoCs)
  flow 4, pid 2024, process wscript.exe

Drops startup file (2 IoCs)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Purchase Invoice.js (wscript.exe)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Purchase Invoice.js (wscript.exe)

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of WriteProcessMemory (3 IoCs)
  PID 2024 (wscript.exe) wrote to memory of PID 1656 (procid_target 26)
  PID 2024 (wscript.exe) wrote to memory of PID 1656 (procid_target 26)
  PID 2024 (wscript.exe) wrote to memory of PID 1656 (procid_target 26)
Processes

1. C:\Windows\system32\wscript.exe
   Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\Purchase Invoice.js"
   PID: 2024
   - Blocklisted process makes network request
   - Drops startup file
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\System32\wscript.exe (child of process 1)
      Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\BukjbJDPyc.js"
      PID: 1656
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 18KB
MD5: 941e8d1fbdde43c2ee8c905440206d8f
SHA1: 01c5e045561277dd05756208d4363aa9017fa72b
SHA256: 9a025c2741429e4b0f13efa81c92f3684e700f380c44fded2860d19e819b3791
SHA512: 7fe76383ebca021bd46c9b7c00fd8e355886cca2c23a729e7d7814078134216e42706860199b52c23a3e85b9d95f0b558059c503aa47bf04e46635d216135c24