Analysis
max time kernel: 140s
max time network: 146s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 05-04-2023 05:51
Static task: static1
Behavioral task: behavioral1
  Sample: customerinvoice.js
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: customerinvoice.js
  Resource: win10v2004-20230220-en
The timings, signatures and process tree below are from the windows7_x64 run (behavioral1 on win7-20230220-en); the win10v2004 run is not shown on this page.
General
Target: customerinvoice.js
Size: 3KB
MD5: ba46627336f749aef1adfd78f958212f
SHA1: 7fce56ef8cbbf08e12c645d01fa0df595af04cc6
SHA256: f1f985bd12efabd68532363a591006c7d6731eb81c3b4dfde0c87923d9d544b0
SHA512: bb9fcb11217b045266028693f5028082e3511a12761fb760583886e9fe6ce54f0d082c21fd3a7de8f5c4e31d18a772ccfc34755b6122a2b0bca77b4642e2bfd2
Malware Config
Extracted family: vjw0rm
C2: http://198.12.123.17:2402
Signatures

Blocklisted process makes network request (1 IoC)
  flow 3, pid 820, process wscript.exe
  The outbound connection from the script host is consistent with the vjw0rm C2 extracted above (http://198.12.123.17:2402).

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows\CurrentVersion\Run\QBB0QPSPE2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\customerinvoice.js\"" (wscript.exe)
  Key created: \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows\CurrentVersion\Run (wscript.exe)
  The value name QBB0QPSPE2 matches no known product and the data points at the script in the user's Temp directory; hunt on the value data (a .js under a user-writable path in a Run key) rather than on the value name, which need not be stable across samples.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  That description is the sandbox's generic text for this signature. For a worm family such as vjw0rm, identified here from the extracted config, drive enumeration is more consistent with locating removable media to copy itself to than with encryption; no file-encryption or mass-file-write indicator appears in this report.

Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution. Here the task is named Skype and re-runs the script every 30 minutes (see the schtasks command line in the process tree).

Suspicious use of WriteProcessMemory (3 IoCs)
  PID 820 (wscript.exe) wrote to memory of PID 1928 (schtasks.exe); the sandbox recorded the same parent-to-child write three times.
  A parent writing into a child it has just created is typically part of process creation; the signal here is that the parent is a script host, not the write itself.

Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

1. C:\Windows\system32\wscript.exe
   Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\customerinvoice.js
   - Blocklisted process makes network request
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\System32\schtasks.exe (spawned by 1)
      Command line (as captured; the closing quote after the /tr path is absent in the trace): "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\customerinvoice.js
      - Creates scheduled task(s)
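Detection logic for the two persistence mechanisms in the Signatures section and for the wscript.exe to schtasks.exe chain in the process tree, as an added example that is not part of the sandbox report and not vjw0rm's own code. It scans a list of constructed process-creation and registry-set events: PIDs 820 and 1928, the Run value name QBB0QPSPE2 and both command lines are copied from this report, while the event dict layout, the explorer.exe parent with PID 1200, the two benign entries and the set of script hosts (wscript, cscript, mshta) are assumptions made for the example.

```python
import re

# Constructed sample telemetry modelled on this report's process tree and registry IoCs.
# PIDs 820/1928, the Run value name and the command lines come from the report; the
# parent PID 1200, the explorer.exe parent and the two benign entries are invented
# so the rules have something to ignore. This is not sandbox output.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 820, "ppid": 1200,
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\system32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\Admin\AppData\Local\Temp\customerinvoice.js"},
    {"type": "registry", "pid": 820, "image": r"C:\Windows\system32\wscript.exe",
     "key": r"\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000"
            r"\Software\Microsoft\Windows\CurrentVersion\Run\QBB0QPSPE2",
     "value": r'"C:\Users\Admin\AppData\Local\Temp\customerinvoice.js"'},
    {"type": "process", "pid": 1928, "ppid": 820,
     "parent_image": r"C:\Windows\system32\wscript.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     # closing quote after the /tr path is missing, exactly as in the captured trace
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype '
                r'/tr "C:\Users\Admin\AppData\Local\Temp\customerinvoice.js'},
    {"type": "process", "pid": 2200, "ppid": 2100,          # benign: admin task from cmd.exe
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /sc daily /tn Backup /tr "C:\Program Files\Backup\backup.exe"'},
    {"type": "registry", "pid": 3000,                        # benign: ordinary Run entry
     "image": r"C:\Program Files\OneDrive\OneDrive.exe",
     "key": r"\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000"
            r"\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "value": r'"C:\Program Files\OneDrive\OneDrive.exe" /background'},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}   # assumed set of script hosts
SCRIPT_EXTENSIONS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta")
# Paths an unprivileged user can write to; autostart entries pointing here are a strong signal.
USER_WRITABLE = re.compile(r"\\(AppData\\(Local|Roaming)|Users\\Public|Downloads)\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\([^\\]+)$", re.IGNORECASE)


def basename(path):
    return path.replace("/", "\\").rstrip("\\").rsplit("\\", 1)[-1].lower()


def is_script_in_user_dir(path):
    path = path.strip().strip('"')
    return path.lower().endswith(SCRIPT_EXTENSIONS) and bool(USER_WRITABLE.search(path))


def parse_schtasks_create(cmdline):
    """Return (task_name, run_target) for a 'schtasks /create' command line, else None.
    The /tr pattern tolerates the unbalanced closing quote seen in the sandbox trace."""
    if not re.search(r"/create\b", cmdline, re.IGNORECASE):
        return None
    name = re.search(r'/tn\s+"?([^"/]+?)"?\s*(?=/|$)', cmdline, re.IGNORECASE)
    target = re.search(r'/tr\s+"?([^"]+?)"?\s*(?=/[a-z]+\b|$)', cmdline, re.IGNORECASE)
    if not target:
        return None
    return (name.group(1).strip() if name else "", target.group(1).strip())


def check_process(ev):
    """Rule 1: schtasks /create launched by a script host, or pointing at a user-dir script."""
    if ev.get("type") != "process" or basename(ev["image"]) != "schtasks.exe":
        return None
    parsed = parse_schtasks_create(ev["cmdline"])
    if not parsed:
        return None
    task_name, target = parsed
    parent = basename(ev.get("parent_image", ""))
    if parent in SCRIPT_HOSTS or is_script_in_user_dir(target):
        return {"rule": "script_host_schtasks_persistence", "pid": ev["pid"],
                "ppid": ev.get("ppid"), "parent": parent,
                "task_name": task_name, "target": target}
    return None


def check_registry(ev):
    """Rule 2: Run/RunOnce value whose data points at a script in a user-writable dir."""
    if ev.get("type") != "registry":
        return None
    m = RUN_KEY.search(ev["key"])
    if not m or not is_script_in_user_dir(ev.get("value", "")):
        return None
    return {"rule": "run_key_script_autostart", "pid": ev["pid"],
            "writer": basename(ev["image"]), "value_name": m.group(2),
            "target": ev["value"].strip().strip('"')}


def scan(events):
    """Apply both rules to every event, preserving event order in the findings."""
    findings = []
    for ev in events:
        for check in (check_process, check_registry):
            hit = check(ev)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

Run as-is it reports the Run value QBB0QPSPE2 and the Skype task and ignores the two benign entries. To use it on real telemetry, map Sysmon Event ID 1 (process creation) and Event ID 13 (registry value set) records onto the same dict layout; the rules key on the parent image and on the target path rather than on the task or value name, since those are the parts an operator can change between samples.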