Analysis
- max time kernel: 151s
- max time network: 155s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 08-02-2023 01:47
Static task: static1
Behavioral task: behavioral1
  Sample: 209384WURN02_INVOICE.js
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 209384WURN02_INVOICE.js
  Resource: win10v2004-20220812-en
General
- Target: 209384WURN02_INVOICE.js
- Size: 300.4MB
- MD5: 324ea4563c1f9f8349dfd6592048ef95
- SHA1: 505733b71723992f01d2d9dd17bbffd279778df0
- SHA256: 56a714a8faadd448fb07af73ff8b5dc332af64509be712d7358553eee4878497
- SHA512: cb8b5ecb2abf0318628b2c313343ff8372c85a306a3395a41785a23c4f58349d594ab4c58b95a2f3d46615d24817a487c7c941c690c63925490bdb346d1d0169
- SSDEEP: 192:OgmprDK00bmKUsJS4rw8kmwTb2aH2iApc747+ha1Vt7ClNrbkylrGpUfa1SXYoKt:LEkbU5j8VAHJAcN3mo+4Do
Malware Config
Signatures
-
Blocklisted process makes network request 13 IoCs
Processes:
wscript.exe
flow  pid   process
4     1404  wscript.exe
5     1404  wscript.exe
7     1404  wscript.exe
9     1404  wscript.exe
10    1404  wscript.exe
11    1404  wscript.exe
13    1404  wscript.exe
14    1404  wscript.exe
15    1404  wscript.exe
17    1404  wscript.exe
18    1404  wscript.exe
19    1404  wscript.exe
21    1404  wscript.exe
-
Drops startup file 2 IoCs
Processes:
wscript.exe
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\209384WURN02_INVOICE.js (process: wscript.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\209384WURN02_INVOICE.js (process: wscript.exe)
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
wscript.exe
- Key created: \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run (process: wscript.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\LQWBC5KZO3 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\209384WURN02_INVOICE.js\"" (process: wscript.exe)
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
wscript.exe
description                      pid   process      target process
PID 1404 wrote to memory of 952  1404  wscript.exe  schtasks.exe
PID 1404 wrote to memory of 952  1404  wscript.exe  schtasks.exe
PID 1404 wrote to memory of 952  1404  wscript.exe  schtasks.exe
Processes
-
C:\Windows\system32\wscript.exe
Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\209384WURN02_INVOICE.js
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
  C:\Windows\System32\schtasks.exe (child of wscript.exe)
  Command line: "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\209384WURN02_INVOICE.js
- Creates scheduled task(s)