Analysis

max time kernel:   142s
max time network:  147s
platform:          windows7_x64
resource:          win7-20220812-en
resource tags:     arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted:         23/09/2022, 09:01
Static task:       static1
Behavioral task:   behavioral1
Sample:            PROFORMA INVOICE COPY WA09272.js
Resource:          win7-20220812-en
General

Target:   PROFORMA INVOICE COPY WA09272.js
Size:     12KB
MD5:      b1f70d48db73570f4ccc1c3f8565f2d6
SHA1:     65ae40fdc9d4f7ea360ad11cea0ed5293b9bd21b
SHA256:   3a16f4af6cfdbb6dcb6f70d1a2f5297a69fa2154397b8d30cee7c701950a817c
SHA512:   2e0d902fcc620a287229156f6913c343cec473c2096a8185b0137c5811511c13ebb0b000f55134ba2fcd4dd9dcd97eaa30ff580a28c5c9a7a313054a0bce95b1
SSDEEP:   384:U9nTaRzxzbXaLhVtBmgOzqWdZr1sXvGJNHG:sUXoyLR1sXvGLHG
Malware Config
Signatures
Blocklisted process makes network request (26 IoCs)

flow  pid   Process
3     1976  wscript.exe
4     1976  wscript.exe
5     1976  wscript.exe
6     1976  wscript.exe
7     1976  wscript.exe
8     1976  wscript.exe
11    1976  wscript.exe
12    1976  wscript.exe
13    1976  wscript.exe
14    1976  wscript.exe
15    1976  wscript.exe
16    1976  wscript.exe
18    1976  wscript.exe
19    1976  wscript.exe
20    1976  wscript.exe
21    1976  wscript.exe
22    1976  wscript.exe
23    1976  wscript.exe
25    1976  wscript.exe
26    1976  wscript.exe
27    1976  wscript.exe
28    1976  wscript.exe
29    1976  wscript.exe
30    1976  wscript.exe
32    1976  wscript.exe
33    1976  wscript.exe
Drops startup file (2 IoCs)

description                   ioc                                                                                                          Process
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PROFORMA INVOICE COPY WA09272.js  wscript.exe
File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PROFORMA INVOICE COPY WA09272.js  wscript.exe
Enumerates physical storage devices (1 TTPs)

Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of WriteProcessMemory (3 IoCs)

description                        pid   Process      procid_target
PID 1976 wrote to memory of 1960   1976  wscript.exe  26
PID 1976 wrote to memory of 1960   1976  wscript.exe  26
PID 1976 wrote to memory of 1960   1976  wscript.exe  26
Processes

1. C:\Windows\system32\wscript.exe
   Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE COPY WA09272.js"
   PID: 1976
   - Blocklisted process makes network request
   - Drops startup file
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\System32\wscript.exe
      Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\dhQWBviQOI.js"
      PID: 1960
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize:  2KB
MD5:       fd184d31c7f2558d05dccf36c900622a
SHA1:      faf3169e2352555e7bf2503531fc9e61552383db
SHA256:    145d40636321f7ebf1abd9ac5daec213322ca1f5fbf8f884928c2a8bebd6f22b
SHA512:    8f6e66cb854d09c226c615eb3ca6339ef0f6cda97ee3072321f308c85420f2b82193c2d6e44d78e9665e956d0212ba122aea7f0fd4e7f86e4051fd257056ab77