Analysis
- max time kernel: 594s
- max time network: 602s
- platform: windows10-2004_x64
- resource: win10v2004-20230703-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21-07-2023 10:49
Tasks
- Static task: static1
- Behavioral task: behavioral1 (Sample: Specifikace objednvky.js; Resource: win7-20230712-en)
- Behavioral task: behavioral2 (Sample: Specifikace objednvky.js; Resource: win10v2004-20230703-en)
General
- Target: Specifikace objednvky.js
- Size: 24KB
- MD5: 4272d76e2efed7d323e14bccef987913
- SHA1: a8cde379b41cfafb036896484844620a7fcc11c6
- SHA256: 39372ec10b2720511f8ca94e8aed43273c507637ec03f9a1eac279aadeb22c55
- SHA512: 717ca100e5f2463b8aa675185e2dbd743a015fffe7654dab2b227691ed66e9443a3e387d31c3eeed63a22d1b3f77b213feec3c3fe6c1438ddf5313066f2583a9
- SSDEEP: 384:0B+UO8kwlbBtHS0ihYvG3bMZcCOQHp4aIX6xEzWZNxFlumanjjjIYNFLD5zvOJ:09ewl7tGr+Oy4aPOL13IoFLdzGJ
Malware Config
Signatures
- Blocklisted process makes network request (64 IoCs)
  All 64 network flows were initiated by wscript.exe (PID 4764).
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Control Panel\International\Geo\Nation (wscript.exe)
- Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Specifikace objednvky.js (wscript.exe)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Key created: \REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Windows\CurrentVersion\Run (wscript.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1CYH0WDT4T = "\"C:\\Users\\Admin\\AppData\\Roaming\\Specifikace objedn?vky.js\"" (wscript.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 1448: schtasks.exe
- Suspicious use of WriteProcessMemory (2 IoCs)
  PID 4764 wrote to memory of 1448 (pid 4764, wscript.exe, procid_target 87); reported twice.
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- 1. C:\Windows\system32\wscript.exe (PID 4764)
  Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\Specifikace objednvky.js"
  Signatures: Blocklisted process makes network request; Checks computer location settings; Drops startup file; Adds Run key to start application; Suspicious use of WriteProcessMemory
  - 2. C:\Windows\System32\schtasks.exe (PID 1448), child of PID 4764
    Command line: "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\Specifikace objednvky.js
    Signatures: Creates scheduled task(s)