Analysis
-
max time kernel
148s
-
max time network
153s
-
platform
windows7_x64
-
resource
win7-20221111-en
-
resource tags
arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted
24-01-2023 07:15
Static task
static1
Behavioral task
behavioral1
Sample
Proforma Invoice 3001855006.js
Resource
win7-20221111-en
General
-
Target
Proforma Invoice 3001855006.js
-
Size
48KB
-
MD5
c64b396e9cb42b2234a3bbce8728de92
-
SHA1
71c018361c833fb31b8160059f95516fdaed5e2d
-
SHA256
c956e252ffa7148f6c075e639297ab2df080920edc53e28021f3156827249ae6
-
SHA512
b64c3b866497325c49dcb6c11987cf7bb0e55439d792fa8c520b97b8ebcb4d8f6d24d3715acfaeb4b51f8275c835959e81741bf928baa97804f351ad98f7501e
-
SSDEEP
1536:Ub5m/DuD+CWJbBG7MPI7MMdHl8aFzMKhKyM+anvJKa5YYUfMFfqUagMlGeMqmN34:Ub1uBAMPI7MMdHl8aFzMKhKyM+anvJKz
Malware Config
Signatures
-
Blocklisted process makes network request 16 IoCs
Processes:
wscript.exe
flow pid process
4 1440 wscript.exe
5 1440 wscript.exe
6 1440 wscript.exe
9 1440 wscript.exe
10 1440 wscript.exe
11 1440 wscript.exe
13 1440 wscript.exe
14 1440 wscript.exe
15 1440 wscript.exe
17 1440 wscript.exe
18 1440 wscript.exe
19 1440 wscript.exe
21 1440 wscript.exe
22 1440 wscript.exe
23 1440 wscript.exe
25 1440 wscript.exe
-
Drops startup file 2 IoCs
Processes:
wscript.exe
description ioc process
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tKxfBQLFjK.js wscript.exe
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tKxfBQLFjK.js wscript.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
wscript.exe
description pid process target process
PID 1340 wrote to memory of 1440 1340 wscript.exe wscript.exe
PID 1340 wrote to memory of 1440 1340 wscript.exe wscript.exe
PID 1340 wrote to memory of 1440 1340 wscript.exe wscript.exe
Processes
-
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Proforma Invoice 3001855006.js"
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\tKxfBQLFjK.js"
- Blocklisted process makes network request
- Drops startup file
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Roaming\tKxfBQLFjK.js
Filesize
18KB
MD5
135ed79b9eea21fa24a2517885b8745b
SHA1
17ce07b47b0fa1212f30f3879850ec5e7625fbb0
SHA256
9feca465d427fa36019bf8e1ce0cbb6f18646d1c4f76b81b5f832bc063447257
SHA512
3d1b80e4aa41c0cdeba5c2885f333db7d1e7afdf83015f1100ab1e1c9e198673da1ab33f500b85e07c7e50cd99acceef1ee8dcb64cf0443693a4aae80cadc0c3
-
memory/1440-54-0x0000000000000000-mapping.dmp
-
memory/1440-56-0x000007FEFC181000-0x000007FEFC183000-memory.dmp
Filesize
8KB