Analysis
-
max time kernel
141s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
24-01-2023 07:15
Static task
static1
Behavioral task
behavioral1
Sample
Proforma Invoice 3001855006.js
Resource
win7-20221111-en
General
-
Target
Proforma Invoice 3001855006.js
-
Size
48KB
-
MD5
c64b396e9cb42b2234a3bbce8728de92
-
SHA1
71c018361c833fb31b8160059f95516fdaed5e2d
-
SHA256
c956e252ffa7148f6c075e639297ab2df080920edc53e28021f3156827249ae6
-
SHA512
b64c3b866497325c49dcb6c11987cf7bb0e55439d792fa8c520b97b8ebcb4d8f6d24d3715acfaeb4b51f8275c835959e81741bf928baa97804f351ad98f7501e
-
SSDEEP
1536:Ub5m/DuD+CWJbBG7MPI7MMdHl8aFzMKhKyM+anvJKa5YYUfMFfqUagMlGeMqmN34:Ub1uBAMPI7MMdHl8aFzMKhKyM+anvJKz
Malware Config
Signatures
-
Blocklisted process makes network request 7 IoCs
Processes:
wscript.exeflow pid process 7 4380 wscript.exe 14 4380 wscript.exe 25 4380 wscript.exe 33 4380 wscript.exe 36 4380 wscript.exe 41 4380 wscript.exe 45 4380 wscript.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
wscript.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation wscript.exe -
Drops startup file 2 IoCs
Processes:
wscript.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tKxfBQLFjK.js wscript.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tKxfBQLFjK.js wscript.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
wscript.exedescription pid process target process PID 4888 wrote to memory of 4380 4888 wscript.exe wscript.exe PID 4888 wrote to memory of 4380 4888 wscript.exe wscript.exe
Processes
-
C:\Windows\system32\wscript.exewscript.exe "C:\Users\Admin\AppData\Local\Temp\Proforma Invoice 3001855006.js"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\tKxfBQLFjK.js"2⤵
- Blocklisted process makes network request
- Drops startup file
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\tKxfBQLFjK.jsFilesize
18KB
MD5135ed79b9eea21fa24a2517885b8745b
SHA117ce07b47b0fa1212f30f3879850ec5e7625fbb0
SHA2569feca465d427fa36019bf8e1ce0cbb6f18646d1c4f76b81b5f832bc063447257
SHA5123d1b80e4aa41c0cdeba5c2885f333db7d1e7afdf83015f1100ab1e1c9e198673da1ab33f500b85e07c7e50cd99acceef1ee8dcb64cf0443693a4aae80cadc0c3
-
memory/4380-132-0x0000000000000000-mapping.dmp