Analysis

max time kernel: 294s
max time network: 300s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-01-2023 15:28
Static task: static1
Behavioral task: behavioral1
Sample: Proforma Invoice 3001855006.js
Resource: win7-20220812-en
General

Target: Proforma Invoice 3001855006.js
Size: 48KB
MD5: c64b396e9cb42b2234a3bbce8728de92
SHA1: 71c018361c833fb31b8160059f95516fdaed5e2d
SHA256: c956e252ffa7148f6c075e639297ab2df080920edc53e28021f3156827249ae6
SHA512: b64c3b866497325c49dcb6c11987cf7bb0e55439d792fa8c520b97b8ebcb4d8f6d24d3715acfaeb4b51f8275c835959e81741bf928baa97804f351ad98f7501e
SSDEEP: 1536:Ub5m/DuD+CWJbBG7MPI7MMdHl8aFzMKhKyM+anvJKa5YYUfMFfqUagMlGeMqmN34:Ub1uBAMPI7MMdHl8aFzMKhKyM+anvJKz
Malware Config

Signatures

- Blocklisted process makes network request (28 IoCs)
  Processes (flow / pid / process): all 28 flows originate from pid 4964, wscript.exe
  flows: 8, 14, 18, 23, 37, 38, 45, 57, 64, 65, 66, 74, 75, 76, 77, 78, 81, 82, 83, 84, 85, 86, 87, 88, 92, 93, 94, 95

- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes (description / ioc / process):
  Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | wscript.exe

- Drops startup file (2 IoCs)
  Processes (description / ioc / process):
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tKxfBQLFjK.js | wscript.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tKxfBQLFjK.js | wscript.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes (description / pid / process / target process):
  PID 5012 wrote to memory of 4964 | 5012 | wscript.exe | wscript.exe
  PID 5012 wrote to memory of 4964 | 5012 | wscript.exe | wscript.exe
Processes

1. C:\Windows\system32\wscript.exe
   Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\Proforma Invoice 3001855006.js"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\System32\wscript.exe (depth 2, spawned by the process above)
      Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\tKxfBQLFjK.js"
      - Blocklisted process makes network request
      - Drops startup file
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\tKxfBQLFjK.js
  Filesize: 18KB
  MD5: 135ed79b9eea21fa24a2517885b8745b
  SHA1: 17ce07b47b0fa1212f30f3879850ec5e7625fbb0
  SHA256: 9feca465d427fa36019bf8e1ce0cbb6f18646d1c4f76b81b5f832bc063447257
  SHA512: 3d1b80e4aa41c0cdeba5c2885f333db7d1e7afdf83015f1100ab1e1c9e198673da1ab33f500b85e07c7e50cd99acceef1ee8dcb64cf0443693a4aae80cadc0c3

- memory/4964-132-0x0000000000000000-mapping.dmp