Analysis
- max time kernel: 142s
- max time network: 200s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 16-07-2021 18:40
Static task: static1
Behavioral task: behavioral1
- Sample: RECEIPT_SHIPPING_009898766.js
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: RECEIPT_SHIPPING_009898766.js
- Resource: win10v20210410
General
- Target: RECEIPT_SHIPPING_009898766.js
- Size: 5KB
- MD5: 6c675ed9076cdfe383565ce2aa744d8b
- SHA1: 1e241c076f98a877805aead8c10ec1eb93c758d8
- SHA256: c7f0fcb6edc78e2ab1e6d54d3a5f420785e3cfb2ffef15cd5dda15ef3fe51b0a
- SHA512: c721ae27bd565f08621b6cd533fa36e1cc97f1a16b7ad741022852c31af1fa277858181d446fd2deb272b5670e0cb8a7c02cac39724e2278c80bd46c1aff1af3
Malware Config
Signatures
- Blocklisted process makes network request (1 IoC)
  Processes (flow | PID | process):
  - flow 7 | PID 1884 | wscript.exe
- Drops startup file (2 IoCs)
  Processes (description | IoC | process):
  - File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RECEIPT_SHIPPING_009898766.js | wscript.exe
  - File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RECEIPT_SHIPPING_009898766.js | wscript.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description | IoC | process):
  - Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run | wscript.exe
  - Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\FRZKHEKJV3 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\RECEIPT_SHIPPING_009898766.js\"" | wscript.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description | PID | process | target process), three identical entries:
  - PID 1884 wrote to memory of 1592 | 1884 | wscript.exe | schtasks.exe
Processes
- C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\RECEIPT_SHIPPING_009898766.js
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Windows\System32\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\RECEIPT_SHIPPING_009898766.js
    - Creates scheduled task(s)