Analysis
max time kernel: 593s
max time network: 602s
platform: windows10-2004_x64
resource: win10v2004-20230703-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-07-2023 10:47
Static task: static1
Behavioral task: behavioral1
  Sample: Specifikace objednávky.js
  Resource: win7-20230712-en
Behavioral task: behavioral2
  Sample: Specifikace objednávky.js
  Resource: win10v2004-20230703-en
General
Target: Specifikace objednávky.js
Size: 24KB
MD5: 4272d76e2efed7d323e14bccef987913
SHA1: a8cde379b41cfafb036896484844620a7fcc11c6
SHA256: 39372ec10b2720511f8ca94e8aed43273c507637ec03f9a1eac279aadeb22c55
SHA512: 717ca100e5f2463b8aa675185e2dbd743a015fffe7654dab2b227691ed66e9443a3e387d31c3eeed63a22d1b3f77b213feec3c3fe6c1438ddf5313066f2583a9
SSDEEP: 384:0B+UO8kwlbBtHS0ihYvG3bMZcCOQHp4aIX6xEzWZNxFlumanjjjIYNFLD5zvOJ:09ewl7tGr+Oy4aPOL13IoFLdzGJ
Malware Config
Signatures
Blocklisted process makes network request (64 IoCs)
All 64 network flows were made by pid 2920 (wscript.exe).
flow ids: 29, 36, 37, 43, 61, 62, 63, 67, 71, 72, 73, 74, 75, 76, 81, 82, 83, 84, 90, 93, 94, 95, 96, 97, 98, 99, 100, 101, 102, 103, 104, 105, 106, 107, 108, 109, 110, 111, 112, 113, 114, 115, 116, 117, 118, 119, 121, 122, 123, 124, 125, 126, 127, 128, 129, 130, 131, 132, 133, 134, 135, 136, 137, 138
pid: 2920
Process: wscript.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Control Panel\International\Geo\Nation
Process: wscript.exe
Drops startup file (1 IoC)
description: File created
ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Specifikace objednávky.js
Process: wscript.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description: Key created
ioc: \REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Windows\CurrentVersion\Run
Process: wscript.exe
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1CYH0WDT4T = "\"C:\\Users\\Admin\\AppData\\Roaming\\Specifikace objednávky.js\""
Process: wscript.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid: 4492
Process: schtasks.exe
Suspicious use of WriteProcessMemory (2 IoCs)
description: PID 2920 wrote to memory of 4492
pid: 2920
Process: wscript.exe
procid_target: 87
description: PID 2920 wrote to memory of 4492
pid: 2920
Process: wscript.exe
procid_target: 87
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Windows\system32\wscript.exe
  command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\Specifikace objednávky.js"
  - Blocklisted process makes network request
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID: 2920

  C:\Windows\System32\schtasks.exe
    command line: "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\Specifikace objednávky.js
    - Creates scheduled task(s)
    PID: 4492