Analysis
-
max time kernel
145s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system -
submitted
25/08/2022, 10:59
Static task
static1
Behavioral task
behavioral1
Sample
Purchase Invoice.js
Resource
win7-20220812-en
General
-
Target
Purchase Invoice.js
-
Size
60KB
-
MD5
141484b1be6eb2fe39f6b810c8adea75
-
SHA1
294f6b489e8b0201845e8e2c794f5c024c818065
-
SHA256
c52320fc195a224294899543e52212f4cbe3026a467ff2438bfba5011ba1e987
-
SHA512
8a5cd665c13b855c1678c92afc1f511455fa3b84de7425d276b3493c53b11c7ecd4a6c566fe8b5207d3f280d8ac8f149672e0ecb9bea98a2a16db6c80bdcd57a
-
SSDEEP
1536:5YJm4ERgktGIefDKehgzpG6dGjsCtStW2zHyMdQ+HKrTzKpjCYD80zdNF8Dxl6:KJm4FhKdpG7Jr+8sdf
Malware Config
Extracted
Family: vjw0rm
C2: http://harold.jetos.com:3609
Signatures
-
Blocklisted process makes network request 1 IoCs
flow pid Process
6 4928 wscript.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process
Key value queried \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Control Panel\International\Geo\Nation wscript.exe -
Drops startup file 2 IoCs
description ioc Process
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Purchase Invoice.js wscript.exe
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Purchase Invoice.js wscript.exe -
The copy in the per-user Startup folder keeps the original file name and is executed by the script host at every logon of this user, which is the sample's persistence.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature calls it likely ransomware behaviour; given the vjw0rm family match in the extracted config, drive enumeration is at least as consistent with that worm's removable-drive spreading, so treat the ransomware label as a hint rather than a finding.
-
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target
PID 4928 wrote to memory of 4964 4928 wscript.exe 82
PID 4928 wrote to memory of 4964 4928 wscript.exe 82
Both writes go from the parent wscript.exe (PID 4928) into the child it spawns (PID 4964, see Processes). A parent writing into a freshly created child is also part of normal process creation, so on its own this IoC is low signal; it corroborates the process tree rather than indicating injection.
Processes
-
Level 1: C:\Windows\system32\wscript.exe
Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\Purchase Invoice.js"
- Blocklisted process makes network request
- Checks computer location settings
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:4928 -
Level 2 (child of PID 4928): C:\Windows\System32\wscript.exe
Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\BukjbJDPyc.js"
//B is WSH batch mode, which suppresses script error dialogs; the dropped second stage runs from the user's roaming profile under a random-looking name.
PID:4964
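Detection logic for the behaviours this report flags (a script host spawning another script host with //B on a script in AppData\Roaming, a script dropped into the Startup folder, and the Geo\Nation lookup by a script host), as an added example that is not part of the Triage report. The event records are constructed by hand to mirror the process tree and IoCs above; the record schema, the explorer.exe parent assumed for the first process, and the benign cscript.exe control event are assumptions and not from the report.

```python
"""Detection logic for the behaviours flagged in the report above.

Added example, not part of the Triage report. The event records are
CONSTRUCTED by hand to mirror the report's process tree and IoCs; the schema
(type/pid/image/parent_image/command_line/target/key) is an assumption, not
Sysmon's or any particular EDR's format.
"""
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf")
# Directories a standard user can write to; paths are compared lower-cased.
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\", "\\users\\public\\")
STARTUP_DIR = "\\start menu\\programs\\startup\\"
GEO_NATION = "\\control panel\\international\\geo\\nation"
# First script-file argument on a command line, quoted or bare.
SCRIPT_ARG = re.compile(r'"?([a-z]:\\[^"]+?\.(?:jse|js|vbe|vbs|wsf))(?!\w)"?', re.I)
# WSH batch mode: suppresses script error dialogs, so a crash stays invisible.
BATCH_FLAG = re.compile(r"(?<!\S)//b(?!\S)", re.I)


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def script_host_chain(ev):
    """Script host spawning another script host on a script in a user-writable dir."""
    if ev["type"] != "process_create":
        return None
    if _basename(ev["parent_image"]) not in SCRIPT_HOSTS:
        return None
    if _basename(ev["image"]) not in SCRIPT_HOSTS:
        return None
    m = SCRIPT_ARG.search(ev["command_line"])
    if not m or not any(d in m.group(1).lower() for d in USER_WRITABLE):
        return None
    return {"rule": "script_host_chain", "pid": ev["pid"], "script": m.group(1),
            "silent": BATCH_FLAG.search(ev["command_line"]) is not None}


def startup_script_drop(ev):
    """Script file written to a Startup folder: runs at every logon (persistence)."""
    if ev["type"] != "file_create":
        return None
    path = ev["target"].lower()
    if STARTUP_DIR in path and path.endswith(SCRIPT_EXTS):
        return {"rule": "startup_script_drop", "pid": ev["pid"], "path": ev["target"]}
    return None


def geofence_lookup(ev):
    """Script host reading the user's configured country (Geo\\Nation).
    Sysmon does not log registry reads, so this needs EDR/ETW registry telemetry."""
    if ev["type"] != "registry_query":
        return None
    if _basename(ev["image"]) in SCRIPT_HOSTS and ev["key"].lower().endswith(GEO_NATION):
        return {"rule": "geofence_lookup", "pid": ev["pid"], "key": ev["key"]}
    return None


RULES = (script_host_chain, startup_script_drop, geofence_lookup)


def evaluate(events):
    """Run every rule over every event; return the hits in event order."""
    hits = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                hits.append(hit)
    return hits


# Constructed events mirroring the report. The first process's parent is not
# shown in the report; explorer.exe is ASSUMED (user double-clicking the file).
EVENTS = [
    {"type": "process_create", "pid": 4928, "image": r"C:\Windows\system32\wscript.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'wscript.exe "C:\Users\Admin\AppData\Local\Temp\Purchase Invoice.js"'},
    {"type": "registry_query", "pid": 4928, "image": r"C:\Windows\system32\wscript.exe",
     "key": r"\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000"
            r"\Control Panel\International\Geo\Nation"},
    {"type": "file_create", "pid": 4928, "image": r"C:\Windows\system32\wscript.exe",
     "target": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu"
               r"\Programs\Startup\Purchase Invoice.js"},
    {"type": "process_create", "pid": 4964, "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\system32\wscript.exe",
     "command_line": r'"C:\Windows\System32\wscript.exe" //B '
                     r'"C:\Users\Admin\AppData\Roaming\BukjbJDPyc.js"'},
    # Benign control (constructed): a vendor logon script started by a service host.
    {"type": "process_create", "pid": 5000, "image": r"C:\Windows\System32\cscript.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "command_line": r'cscript.exe //B "C:\Program Files\Vendor\inventory.vbs"'},
]

if __name__ == "__main__":
    for hit in evaluate(EVENTS):
        print(hit)
```

The three rules fire on the constructed events exactly where the report's signatures do (PID 4928 for the registry lookup and the Startup drop, PID 4964 for the silent second stage) and stay quiet on the initial launch from explorer.exe and on the control event, because the parent there is not a script host and the script lives under Program Files. In real telemetry, the process-chain rule is the one to page on: the Startup drop and the Geo\Nation read are useful corroboration but each has benign look-alikes.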
-
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
18KB
MD5
941e8d1fbdde43c2ee8c905440206d8f
SHA1
01c5e045561277dd05756208d4363aa9017fa72b
SHA256
9a025c2741429e4b0f13efa81c92f3684e700f380c44fded2860d19e819b3791
SHA512
7fe76383ebca021bd46c9b7c00fd8e355886cca2c23a729e7d7814078134216e42706860199b52c23a3e85b9d95f0b558059c503aa47bf04e46635d216135c24