Analysis
- max time kernel: 147s
- max time network: 149s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 21-04-2021 14:08

Static task: static1

Behavioral task: behavioral1
- Sample: receipt.js
- Resource: win7v20210410

Behavioral task: behavioral2
- Sample: receipt.js
- Resource: win10v20210408
General
- Target: receipt.js
- Size: 210KB
- MD5: 0d18f9a0a1605a34247be8918dd3d360
- SHA1: 1046c9c221468b1a8725d9e958ddf20b0ec3a6c1
- SHA256: 3001d3aea048d4624a808d041a483d0b5142772fa19412c1177e83ffc2e543de
- SHA512: cc32e93e876ff536475cec9a0ceea4014d443b994dfe4c7be899745c15001ed86d6dc66e79fc281af0d1b4acaa35cb7f2c30df7f1f48a2cb6fbc8d79c35d7011
Malware Config
Signatures
WSHRAT Payload (3 IoCs)
Processes:
  resource                                                                              yara_rule
  C:\Users\Admin\AppData\Roaming\receipt.js                                             family_wshrat
  C:\Users\Admin\AppData\Roaming\receipt.js                                             family_wshrat
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\receipt.js  family_wshrat
Blocklisted process makes network request (29 IoCs)
Processes:
  flow  pid   process
  7     740   wscript.exe
  8     740   wscript.exe
  9     4056  wscript.exe
  10    4056  wscript.exe
  12    4056  wscript.exe
  13    4056  wscript.exe
  19    4056  wscript.exe
  23    4056  wscript.exe
  24    4056  wscript.exe
  25    4056  wscript.exe
  26    4056  wscript.exe
  27    4056  wscript.exe
  29    4056  wscript.exe
  30    4056  wscript.exe
  31    4056  wscript.exe
  32    4056  wscript.exe
  33    4056  wscript.exe
  34    4056  wscript.exe
  35    4056  wscript.exe
  37    4056  wscript.exe
  38    4056  wscript.exe
  39    4056  wscript.exe
  40    4056  wscript.exe
  41    4056  wscript.exe
  44    4056  wscript.exe
  45    4056  wscript.exe
  47    4056  wscript.exe
  48    4056  wscript.exe
  49    4056  wscript.exe
Drops startup file (2 IoCs)
Processes:
  description                   ioc                                                                                     process
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\receipt.js  wscript.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\receipt.js  wscript.exe
Adds Run key to start application (2 TTPs, 8 IoCs)
Processes:
  description      ioc                                                                                                                                                                                  process
  Key created      \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\software\microsoft\windows\currentversion\run                                                                            wscript.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\receipt = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\receipt.js\""  wscript.exe
  Key created      \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run                                                                                                                        wscript.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\receipt = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\receipt.js\""                                         wscript.exe
  Key created      \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\software\microsoft\windows\currentversion\run                                                                            wscript.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\receipt = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\receipt.js\""  wscript.exe
  Key created      \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run                                                                                                                        wscript.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\receipt = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\receipt.js\""                                         wscript.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow  ioc
  11    ip-api.com
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Script User-Agent (4 IoCs)
Uses user-agent string associated with script host/environment.
Processes:
  description             flow  ioc
  HTTP User-Agent header  7     Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header  8     Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header  9     Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header  10    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious use of WriteProcessMemory (2 IoCs)
Processes:
  description                        pid  process      target process
  PID 740 wrote to memory of 4056    740  wscript.exe  wscript.exe
  PID 740 wrote to memory of 4056    740  wscript.exe  wscript.exe
Processes
1. C:\Windows\system32\wscript.exe
   Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\receipt.js
   - Blocklisted process makes network request
   - Drops startup file
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\wscript.exe (child of 1)
      Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\receipt.js"
      - Blocklisted process makes network request
      - Drops startup file
      - Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\receipt.js
  MD5: 0d18f9a0a1605a34247be8918dd3d360
  SHA1: 1046c9c221468b1a8725d9e958ddf20b0ec3a6c1
  SHA256: 3001d3aea048d4624a808d041a483d0b5142772fa19412c1177e83ffc2e543de
  SHA512: cc32e93e876ff536475cec9a0ceea4014d443b994dfe4c7be899745c15001ed86d6dc66e79fc281af0d1b4acaa35cb7f2c30df7f1f48a2cb6fbc8d79c35d7011
- C:\Users\Admin\AppData\Roaming\receipt.js
  MD5: 0d18f9a0a1605a34247be8918dd3d360
  SHA1: 1046c9c221468b1a8725d9e958ddf20b0ec3a6c1
  SHA256: 3001d3aea048d4624a808d041a483d0b5142772fa19412c1177e83ffc2e543de
  SHA512: cc32e93e876ff536475cec9a0ceea4014d443b994dfe4c7be899745c15001ed86d6dc66e79fc281af0d1b4acaa35cb7f2c30df7f1f48a2cb6fbc8d79c35d7011
- memory/4056-114-0x0000000000000000-mapping.dmp