Analysis
-
max time kernel
151s -
max time network
176s -
platform
windows7_x64 -
resource
win7v20210408 -
submitted
31-08-2021 19:20
Static task
static1
Behavioral task
behavioral1
Sample
eVoucher.js
Resource
win7v20210408
Behavioral task
behavioral2
Sample
eVoucher.js
Resource
win10v20210410
General
-
Target
eVoucher.js
-
Size
30KB
-
MD5
ef30d08be6b02f148da164e54892c8e3
-
SHA1
4998edfd067f343a56e03422d3913c1cc7066e4b
-
SHA256
e21dba51d9968a1073d43143b7acbd4179a8fa73fc5f48921eabac7ea9869daa
-
SHA512
9e1b1142248c8088c2ecb2bd33887136e4f39c3590ce3b95f2fa5e93b922a07c7ecd598650d91a7ee93c4f018b898a96e49ed41157be607abf1b1ce9845c72c1
Malware Config
Signatures
-
Blocklisted process makes network request 19 IoCs
Processes:
wscript.exewscript.exeflow pid process 8 516 wscript.exe 9 2040 wscript.exe 11 516 wscript.exe 13 516 wscript.exe 15 516 wscript.exe 17 516 wscript.exe 20 516 wscript.exe 23 516 wscript.exe 25 516 wscript.exe 27 516 wscript.exe 30 516 wscript.exe 32 516 wscript.exe 33 516 wscript.exe 37 516 wscript.exe 39 516 wscript.exe 41 516 wscript.exe 44 516 wscript.exe 45 516 wscript.exe 47 516 wscript.exe -
Drops startup file 4 IoCs
Processes:
wscript.exewscript.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JMuHxVQRbU.js wscript.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JMuHxVQRbU.js wscript.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eVoucher.js wscript.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eVoucher.js wscript.exe -
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
wscript.exewscript.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run wscript.exe Set value (str) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\QTI627R350 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\eVoucher.js\"" wscript.exe Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run wscript.exe Set value (str) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\JMuHxVQRbU.js\"" wscript.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
wscript.exedescription pid process target process PID 2040 wrote to memory of 516 2040 wscript.exe wscript.exe PID 2040 wrote to memory of 516 2040 wscript.exe wscript.exe PID 2040 wrote to memory of 516 2040 wscript.exe wscript.exe
Processes
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\eVoucher.js1⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\JMuHxVQRbU.js"2⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\JMuHxVQRbU.jsMD5
33f71afd870cab678bc8b4967a0bd77f
SHA1fa1f2f046d2daf22065a73232317aa5b0a155bdb
SHA256b45b6d0bad5cb0ec3aa0d3388014d9830e2db4162983772174be612aa2f3aefc
SHA51256021edf4b36a130c536e117b197943c78fa81922c383b952e240828ac7ad803338fef02670d1fdb56f0b5403198c36a46d4b1de430bdce00883eca595ee19d5
-
memory/516-60-0x0000000000000000-mapping.dmp