Analysis
- max time kernel: 147s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08-02-2023 01:47
Static task: static1
Behavioral task: behavioral1
  Sample: 209384WURN02_INVOICE.js
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 209384WURN02_INVOICE.js
  Resource: win10v2004-20220812-en
General
- Target: 209384WURN02_INVOICE.js
- Size: 300.4MB
- MD5: 324ea4563c1f9f8349dfd6592048ef95
- SHA1: 505733b71723992f01d2d9dd17bbffd279778df0
- SHA256: 56a714a8faadd448fb07af73ff8b5dc332af64509be712d7358553eee4878497
- SHA512: cb8b5ecb2abf0318628b2c313343ff8372c85a306a3395a41785a23c4f58349d594ab4c58b95a2f3d46615d24817a487c7c941c690c63925490bdb346d1d0169
- SSDEEP: 192:OgmprDK00bmKUsJS4rw8kmwTb2aH2iApc747+ha1Vt7ClNrbkylrGpUfa1SXYoKt:LEkbU5j8VAHJAcN3mo+4Do
Malware Config
Signatures
- Blocklisted process makes network request (13 IoCs)
  Processes (flow / pid / process):
    25   1828  wscript.exe
    68   1828  wscript.exe
    85   1828  wscript.exe
    87   1828  wscript.exe
    90   1828  wscript.exe
    95   1828  wscript.exe
    96   1828  wscript.exe
    97   1828  wscript.exe
    98   1828  wscript.exe
    99   1828  wscript.exe
    100  1828  wscript.exe
    101  1828  wscript.exe
    102  1828  wscript.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Processes (description / ioc / process):
    Key value queried  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation  wscript.exe
- Drops startup file (2 IoCs)
  Processes (description / ioc / process):
    File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\209384WURN02_INVOICE.js  wscript.exe
    File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\209384WURN02_INVOICE.js  wscript.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description / ioc / process):
    Key created  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run  wscript.exe
    Set value (str)  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LQWBC5KZO3 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\209384WURN02_INVOICE.js\""  wscript.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes (description / pid / process / target process):
    PID 1828 wrote to memory of 4296  1828  wscript.exe  schtasks.exe
    PID 1828 wrote to memory of 4296  1828  wscript.exe  schtasks.exe
Processes
- C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\209384WURN02_INVOICE.js
  - Blocklisted process makes network request
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\209384WURN02_INVOICE.js
    - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/4296-132-0x0000000000000000-mapping.dmp