Analysis

max time kernel: 145s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/10/2022, 14:27

Static task: static1
Behavioral task: behavioral1
  Sample: Invoices & Supporting documents.js
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: Invoices & Supporting documents.js
  Resource: win10v2004-20220901-en

General

Target: Invoices & Supporting documents.js
Size: 37KB
MD5: e0d2cbd0519e1f0dbf8c0b74c8ee1246
SHA1: 35187b51e45f7466ae98c67900c7c14f7ba268a6
SHA256: 45f0f33921e9e548f1df35f5d30855704de3542789c4c7d2c35f68cd8ab0166f
SHA512: 9a6fd2345615d75963c8f13049a08ac3873a051e621c25fb13f25ddb12cf301412d28e4660f53ee6e2a02743ed1d6d87cadafb403cf66f5a524fa715327ef99f
SSDEEP: 768:2buVp24R6SMkM4gF8wsZ1va/a9zcHEdYHzePC:2w2g6qMPCwsZ14a9zcH+IzePC
Malware Config
Signatures
Blocklisted process makes network request (25 IoCs)
Network flows per process (flow ids refer to the Network tab, which is not included in this extract):
- pid 3660 wscript.exe: flows 5, 32, 41, 46, 54, 60
- pid 640 wscript.exe: flows 6, 33, 42, 47, 55, 61
- pid 3552 wscript.exe: flows 8, 22, 40, 45, 48, 51, 52, 53, 56, 57, 58, 59, 62
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence check (the sample can abort or change behaviour based on the victim's locale).
- Key value queried: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation (wscript.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation (wscript.exe)
The two queries correspond to the two wscript.exe instances that carry this signature in the process tree (PIDs 3180 and 3552).
Drops startup file (5 IoCs)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nNRlQXvwxJ.js (wscript.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nNRlQXvwxJ.js (wscript.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Invoices & Supporting documents.js (wscript.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nNRlQXvwxJ.js (wscript.exe)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Invoices & Supporting documents.js (wscript.exe)
Adds Run key to start application (2 TTPs, 8 IoCs)
- Key created: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\software\microsoft\windows\currentversion\run (wscript.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Invoices & Supporting documents = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Invoices & Supporting documents.js\"" (wscript.exe)
- Key created: \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run (wscript.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Invoices & Supporting documents = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Invoices & Supporting documents.js\"" (wscript.exe)
- Key created: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\software\microsoft\windows\currentversion\run (wscript.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Invoices & Supporting documents = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Invoices & Supporting documents.js\"" (wscript.exe)
- Key created: \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run (wscript.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Invoices & Supporting documents = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Invoices & Supporting documents.js\"" (wscript.exe)
The sample registers the same command under both the per-user (HKCU) and machine-wide (HKLM) Run keys; the HKLM write only succeeds because the sandbox user has write access to that key, so on a standard user account only the HKCU entry would persist. The //B switch runs wscript.exe in batch mode, which suppresses script error dialogs and prompts so the persisted copy starts silently at logon.
Enumerates physical storage devices (1 TTP, no IoCs listed)
Sandbox description: attempts to interact with connected storage/optical drive(s), which the sandbox labels as likely ransomware behaviour. No file-encryption or drive-write IoCs appear in this report, so that label is not supported by what was observed here; taken with the Startup-folder drops, Run keys and network requests above, the recorded behaviour is that of a self-copying JScript script that persists and calls out, not of a ransomware payload.
Suspicious use of WriteProcessMemory (6 IoCs)
pid | process | wrote to memory of | procid_target
- 3180 wscript.exe -> 3660 (procid_target 83)
- 3180 wscript.exe -> 3660 (procid_target 83)
- 3180 wscript.exe -> 3552 (procid_target 84)
- 3180 wscript.exe -> 3552 (procid_target 84)
- 3552 wscript.exe -> 640 (procid_target 85)
- 3552 wscript.exe -> 640 (procid_target 85)
Processes

1. C:\Windows\system32\wscript.exe  wscript.exe "C:\Users\Admin\AppData\Local\Temp\Invoices & Supporting documents.js"  (PID 3180)
   - Checks computer location settings
   - Drops startup file
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\wscript.exe  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\nNRlQXvwxJ.js"  (PID 3660)
      - Blocklisted process makes network request
      - Drops startup file
   2. C:\Windows\System32\wscript.exe  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Invoices & Supporting documents.js"  (PID 3552)
      - Blocklisted process makes network request
      - Checks computer location settings
      - Drops startup file
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\System32\wscript.exe  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\nNRlQXvwxJ.js"  (PID 640)
         - Blocklisted process makes network request
         - Drops startup file
Network
MITRE ATT&CK Enterprise v6
Downloads

- Path not shown in this extract
  Filesize: 37KB
  MD5: e0d2cbd0519e1f0dbf8c0b74c8ee1246
  SHA1: 35187b51e45f7466ae98c67900c7c14f7ba268a6
  SHA256: 45f0f33921e9e548f1df35f5d30855704de3542789c4c7d2c35f68cd8ab0166f
  SHA512: 9a6fd2345615d75963c8f13049a08ac3873a051e621c25fb13f25ddb12cf301412d28e4660f53ee6e2a02743ed1d6d87cadafb403cf66f5a524fa715327ef99f

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Invoices & Supporting documents.js
  Filesize: 37KB
  MD5: e0d2cbd0519e1f0dbf8c0b74c8ee1246
  SHA1: 35187b51e45f7466ae98c67900c7c14f7ba268a6
  SHA256: 45f0f33921e9e548f1df35f5d30855704de3542789c4c7d2c35f68cd8ab0166f
  SHA512: 9a6fd2345615d75963c8f13049a08ac3873a051e621c25fb13f25ddb12cf301412d28e4660f53ee6e2a02743ed1d6d87cadafb403cf66f5a524fa715327ef99f
  Hashes are identical to the submitted sample: the script copies itself byte-for-byte into the Startup folder.

- Path not shown in this extract (reported three times with identical hashes)
  Filesize: 5KB
  MD5: 7d8cc50c80e29db13ca0032d3e00a56d
  SHA1: d8d138717093b67b4d6205234c82a6fe4f801429
  SHA256: 0ff424c14ee63e81e35e1431f9b5636b2bfe1e6f49e8fc5650260e9806f3402b
  SHA512: b1f2d71401d7d4cdc4bf55569c04b1ea2c49097bacd04b2bc24c0e84bfd6bd418ffb4aeadd171032944aaf1ac94c5b868bf9924ffe0e84fa60866c9e8b583b1c
  This is a second, distinct 5KB artefact; the report does not record which of the dropped files it is.