Analysis
max time kernel: 142s
max time network: 147s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 08-02-2023 18:41
Static task: static1
Behavioral task: behavioral1
Sample: SOA and invoices.js
Resource: win7-20221111-en
General
Target: SOA and invoices.js
Size: 4.4MB
MD5: 08ec6390255e658106aac7aae7114b6c
SHA1: b8f85e4daf4461f6ee5c69ff95bc51c24b33fff0
SHA256: 64394d6cb0b1ac69cddc943ae96e755184d20a60428372e24e0df466c2debfa9
SHA512: b1834040f984b200b3686cb97d846ecc894bd1af3fd06bc21de00cd0613d3ad9b85f780b6b5b5a4d1345ade5a1acdb36b13f55e803b654eb576e980cce534152
SSDEEP: 24576:rDg0p0xod7eN0L23S6z4/WBXVFbPUzgvQ/vZSoKJ6hU:18N0IZTBnbPe1KJ6hU
Malware Config
Signatures

Blocklisted process makes network request (13 IoCs)
Processes (flow, pid, process):
  flow 4, pid 1400, wscript.exe
  flow 5, pid 1400, wscript.exe
  flow 6, pid 1400, wscript.exe
  flow 9, pid 1400, wscript.exe
  flow 10, pid 1400, wscript.exe
  flow 11, pid 1400, wscript.exe
  flow 13, pid 1400, wscript.exe
  flow 14, pid 1400, wscript.exe
  flow 15, pid 1400, wscript.exe
  flow 17, pid 1400, wscript.exe
  flow 18, pid 1400, wscript.exe
  flow 19, pid 1400, wscript.exe
  flow 21, pid 1400, wscript.exe

Drops startup file (2 IoCs)
Processes (description, ioc, process):
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ICTuIejIrh.js (wscript.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ICTuIejIrh.js (wscript.exe)

Executes dropped EXE (1 IoCs)
Processes (pid, process):
  pid 1204, Payload u.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes (description, pid, process):
  Token: SeDebugPrivilege, pid 1204, Payload u.exe

Suspicious use of WriteProcessMemory (7 IoCs)
Processes (description, pid, process, target process):
  PID 1704 wrote to memory of 1400: wscript.exe -> wscript.exe
  PID 1704 wrote to memory of 1400: wscript.exe -> wscript.exe
  PID 1704 wrote to memory of 1400: wscript.exe -> wscript.exe
  PID 1704 wrote to memory of 1204: wscript.exe -> Payload u.exe
  PID 1704 wrote to memory of 1204: wscript.exe -> Payload u.exe
  PID 1704 wrote to memory of 1204: wscript.exe -> Payload u.exe
  PID 1704 wrote to memory of 1204: wscript.exe -> Payload u.exe
Processes
C:\Windows\system32\wscript.exe
  command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\SOA and invoices.js"
  - Suspicious use of WriteProcessMemory
  C:\Windows\System32\wscript.exe
    command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\ICTuIejIrh.js"
    - Blocklisted process makes network request
    - Drops startup file
  C:\Users\Admin\AppData\Local\Temp\Payload u.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\Payload u.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\Payload u.exe
  Filesize: 756KB
  MD5: 77bc4d2c99082b7398c25ce09291b03e
  SHA1: e9c2882cc3c1b58855428d513331b4be64b3ae7c
  SHA256: a6e8cfe4af4de47ac8158b8adbc25a65f37de05946c5ff363179b4b556f5d169
  SHA512: 0d901deb1af1a0624b466acb765697ce16e214a5b8311444f75c8b3b68c1c5dc849a140999274cf30a8c9fc0b8b0bb24aeff49dd944bcd7c019593f6a8ce6ee2
C:\Users\Admin\AppData\Roaming\ICTuIejIrh.js
  Filesize: 1.1MB
  MD5: 640aa973998c99a7b71afebb45592e9d
  SHA1: f5a27a38c147df3223a9e4c358ec895f312b96cd
  SHA256: 8cdf54167ac9581f34374b06adf16ad4069e760606c6dc854db84e53e8006f92
  SHA512: 30d57466971ffcf9edcd45a45a95012d073874cf606a9590f67695caaf1f4836bac9f52b58e9445b2e932d797bea97ca844358dfc8bf437851d572f967ef8866
memory/1204-57-0x0000000000000000-mapping.dmp
memory/1204-60-0x00000000003A0000-0x0000000000464000-memory.dmp (Filesize: 784KB)
memory/1204-62-0x0000000075831000-0x0000000075833000-memory.dmp (Filesize: 8KB)
memory/1400-55-0x0000000000000000-mapping.dmp
memory/1704-54-0x000007FEFB741000-0x000007FEFB743000-memory.dmp (Filesize: 8KB)