Analysis

max time kernel: 150s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23/09/2022, 09:01
Static task: static1
Behavioral task: behavioral1
Sample: PROFORMA INVOICE COPY WA09272.js
Resource: win7-20220812-en
General

Target: PROFORMA INVOICE COPY WA09272.js
Size: 12KB
MD5: b1f70d48db73570f4ccc1c3f8565f2d6
SHA1: 65ae40fdc9d4f7ea360ad11cea0ed5293b9bd21b
SHA256: 3a16f4af6cfdbb6dcb6f70d1a2f5297a69fa2154397b8d30cee7c701950a817c
SHA512: 2e0d902fcc620a287229156f6913c343cec473c2096a8185b0137c5811511c13ebb0b000f55134ba2fcd4dd9dcd97eaa30ff580a28c5c9a7a313054a0bce95b1
SSDEEP: 384:U9nTaRzxzbXaLhVtBmgOzqWdZr1sXvGJNHG:sUXoyLR1sXvGLHG
Malware Config
Signatures
Blocklisted process makes network request (17 IoCs)

flow  pid   Process
6     4964  wscript.exe
13    4964  wscript.exe
19    4964  wscript.exe
24    4964  wscript.exe
33    4964  wscript.exe
34    4964  wscript.exe
37    4964  wscript.exe
39    4964  wscript.exe
40    4964  wscript.exe
41    4964  wscript.exe
43    4964  wscript.exe
44    4964  wscript.exe
45    4964  wscript.exe
46    4964  wscript.exe
47    4964  wscript.exe
48    4964  wscript.exe
49    4964  wscript.exe

All 17 flows originate from PID 4964, the first-stage wscript.exe; none are attributed to the child process (PID 3928).
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.

description        ioc                                                                                                        Process
Key value queried  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation  wscript.exe
Drops startup file (2 IoCs)

description                    ioc                                                                                                         Process
File created                   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PROFORMA INVOICE COPY WA09272.js  wscript.exe
File opened for modification   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PROFORMA INVOICE COPY WA09272.js  wscript.exe

The sample copies itself under its original file name into the per-user Startup folder, so it is re-executed at every logon of the Admin account.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s); the sandbox's signature text rates this as likely ransomware behaviour. No IoC rows are listed for this signature, so it rests on the heuristic alone and is not corroborated by the other findings in this report.
Suspicious use of WriteProcessMemory (2 IoCs)

description            pid   Process      procid_target
PID 4964 wrote to memory of 3928   4964  wscript.exe  80
PID 4964 wrote to memory of 3928   4964  wscript.exe  80

Both rows record PID 4964 writing into PID 3928, the child it launched. A parent writing into a process it has just created is part of the normal CreateProcess path, so these entries on their own are not evidence of code injection.
Processes

1. C:\Windows\system32\wscript.exe (PID 4964)
   Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE COPY WA09272.js"
   Signatures: Blocklisted process makes network request; Checks computer location settings; Drops startup file; Suspicious use of WriteProcessMemory

   2. C:\Windows\System32\wscript.exe (PID 3928, child of 4964)
      Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\dhQWBviQOI.js"
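Added example (editor's code, not part of this sandbox report): detection logic that evaluates the three behaviours recorded above, a script host launching a second script host with //B from the user's AppData, a .js written to the per-user Startup folder, and a script host querying Geo\Nation, over constructed event records modelled on the process tree and IoCs. Rule names, the event field names and the parent image of PID 4964 are assumptions, as is the benign control event.

```python
"""Flag the behaviours recorded in the report over constructed sandbox-style events.

Editor's example. Rule names, event schema and SAMPLE_EVENTS are assumptions modelled on
the report above; they are not the sandbox's own code or data format.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
STARTUP_DIR = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.I)
GEO_NATION = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\(?:Roaming|Local)\\", re.I)
SCRIPT_EXT = re.compile(r"\.(?:js|jse|vbs|vbe|wsf|wsh)$", re.I)


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def tokenize(cmdline: str) -> list[str]:
    """Split a Windows command line, keeping quoted paths (with spaces) as one token."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def check_process(ev: dict) -> list[Finding]:
    out: list[Finding] = []
    if basename(ev["image"]) not in SCRIPT_HOSTS:
        return out
    args = tokenize(ev["cmdline"])
    script = next((a for a in args[1:] if SCRIPT_EXT.search(a)), None)
    if script is None:
        return out
    # A script host launched by another script host: the stage-1 -> stage-2 hop in the tree.
    if basename(ev.get("parent_image", "")) in SCRIPT_HOSTS:
        out.append(Finding("script_host_spawns_script_host", ev["pid"], script))
    # //B suppresses script errors and prompts (batch mode); together with a script under
    # the user's AppData it matches the second-stage launch of dhQWBviQOI.js.
    if any(a.lower() == "//b" for a in args) and USER_WRITABLE.search(script):
        out.append(Finding("silent_script_from_appdata", ev["pid"], script))
    return out


def check_file(ev: dict) -> list[Finding]:
    path = ev["path"]
    if (basename(ev["image"]) in SCRIPT_HOSTS and ev["op"] in {"create", "modify"}
            and STARTUP_DIR.search(path) and SCRIPT_EXT.search(path)):
        return [Finding("startup_folder_script_drop", ev["pid"], path)]
    return []


def check_registry(ev: dict) -> list[Finding]:
    if (basename(ev["image"]) in SCRIPT_HOSTS and ev["op"] == "query"
            and GEO_NATION.search(ev["key"])):
        return [Finding("geofence_registry_query", ev["pid"], ev["key"])]
    return []


CHECKS = {"process": check_process, "file": check_file, "registry": check_registry}


def run(events: list[dict]) -> list[Finding]:
    """Evaluate every event; an identical finding (create + modify of one file) is reported once."""
    seen: set[Finding] = set()
    findings: list[Finding] = []
    for ev in events:
        for f in CHECKS[ev["type"]](ev):
            if f not in seen:
                seen.add(f)
                findings.append(f)
    return findings


# Constructed from the report's process tree and IoCs; the parent of PID 4964 is assumed.
SID = "S-1-5-21-2629973501-4017243118-3254762364-1000"
WSCRIPT = r"C:\Windows\System32\wscript.exe"
STARTUP = (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
           r"\PROFORMA INVOICE COPY WA09272.js")
SAMPLE_EVENTS = [
    {"type": "process", "pid": 4964, "image": WSCRIPT, "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'wscript.exe "C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE COPY WA09272.js"'},
    {"type": "registry", "pid": 4964, "image": WSCRIPT, "op": "query",
     "key": rf"\REGISTRY\USER\{SID}\Control Panel\International\Geo\Nation"},
    {"type": "file", "pid": 4964, "image": WSCRIPT, "op": "create", "path": STARTUP},
    {"type": "file", "pid": 4964, "image": WSCRIPT, "op": "modify", "path": STARTUP},
    {"type": "process", "pid": 3928, "image": WSCRIPT, "parent_image": WSCRIPT,
     "cmdline": r'"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\dhQWBviQOI.js"'},
    # Benign control (constructed): //B on a system script launched from cmd.exe must not fire.
    {"type": "process", "pid": 5120, "image": r"C:\Windows\System32\cscript.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cscript.exe //B C:\Windows\System32\slmgr.vbs"},
]

if __name__ == "__main__":
    for finding in run(SAMPLE_EVENTS):
        print(f"{finding.rule:32} pid={finding.pid} {finding.detail}")
```

Run against the sample events this yields four findings: the Geo\Nation query and the Startup-folder drop for PID 4964, and both the parent/child script-host rule and the //B-from-AppData rule for PID 3928. The first-stage launch from Temp is deliberately not flagged on its own, since a user double-clicking a .js attachment produces the same event; it is the persistence, the geofence lookup and the silent second stage that separate this tree from that.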
-
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 2KB
MD5: fd184d31c7f2558d05dccf36c900622a
SHA1: faf3169e2352555e7bf2503531fc9e61552383db
SHA256: 145d40636321f7ebf1abd9ac5daec213322ca1f5fbf8f884928c2a8bebd6f22b
SHA512: 8f6e66cb854d09c226c615eb3ca6339ef0f6cda97ee3072321f308c85420f2b82193c2d6e44d78e9665e956d0212ba122aea7f0fd4e7f86e4051fd257056ab77