Analysis
max time kernel: 151s
max time network: 150s
platform: windows7_x64
resource: win7-en-20210920
submitted: 08-10-2021 17:58
Static task: static1
Behavioral task: behavioral1
  Sample: eReceipt.js
  Resource: win7-en-20210920
Behavioral task: behavioral2
  Sample: eReceipt.js
  Resource: win10v20210408
General
Target: eReceipt.js
Size: 25KB
MD5: da308c62cbd20f444b54464c47e74091
SHA1: 496dc2eebcd81d7bf1ec3fb00ba3f9dbd819962e
SHA256: da496f93b454f899587298a910578d3c133dab195a298462ffbd2e1229b14abf
SHA512: d4b88169e88a0964a7f8c8ab99f1f03b80cbc121d10ed3089dbde92b4be2962a99d39807516575b0908d90fb17c30755cde2b6ea2b9253da42ec2706e41050dd
Malware Config
Signatures
Blocklisted process makes network request (36 IoCs)
Processes: wscript.exe, wscript.exe
flow | pid  | process
8    | 1740 | wscript.exe
9    | 1884 | wscript.exe
10   | 1740 | wscript.exe
11   | 1884 | wscript.exe
13   | 1740 | wscript.exe
15   | 1884 | wscript.exe
18   | 1740 | wscript.exe
19   | 1884 | wscript.exe
21   | 1740 | wscript.exe
22   | 1884 | wscript.exe
24   | 1740 | wscript.exe
26   | 1884 | wscript.exe
29   | 1740 | wscript.exe
30   | 1884 | wscript.exe
32   | 1740 | wscript.exe
34   | 1884 | wscript.exe
35   | 1740 | wscript.exe
38   | 1884 | wscript.exe
40   | 1740 | wscript.exe
41   | 1884 | wscript.exe
43   | 1740 | wscript.exe
45   | 1884 | wscript.exe
46   | 1740 | wscript.exe
49   | 1884 | wscript.exe
51   | 1740 | wscript.exe
52   | 1884 | wscript.exe
54   | 1740 | wscript.exe
55   | 1884 | wscript.exe
57   | 1740 | wscript.exe
60   | 1884 | wscript.exe
62   | 1740 | wscript.exe
63   | 1884 | wscript.exe
65   | 1740 | wscript.exe
67   | 1884 | wscript.exe
68   | 1740 | wscript.exe
70   | 1884 | wscript.exe
Drops startup file (3 IoCs)
Processes: wscript.exe, wscript.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eReceipt.js | wscript.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WsjTSEyKfj.js | wscript.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WsjTSEyKfj.js | wscript.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
Processes: wscript.exe, wscript.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run | wscript.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\WsjTSEyKfj.js\"" | wscript.exe
Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run | wscript.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\3W2CQPM6PM = "\"C:\\Users\\Admin\\AppData\\Roaming\\eReceipt.js\"" | wscript.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of WriteProcessMemory (3 IoCs)
Processes: wscript.exe
description | pid | process | target process
PID 1740 wrote to memory of 1884 | 1740 | wscript.exe | wscript.exe
PID 1740 wrote to memory of 1884 | 1740 | wscript.exe | wscript.exe
PID 1740 wrote to memory of 1884 | 1740 | wscript.exe | wscript.exe
Processes
[1] C:\Windows\system32\wscript.exe
    Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\eReceipt.js
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
[2] C:\Windows\System32\wscript.exe (nested under [1])
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\WsjTSEyKfj.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Roaming\WsjTSEyKfj.js
  MD5: 25eb4a4c27a5fca5e512d6aecd8f66fa
  SHA1: dfad977ec05b9ce88d44650887841800257d55d8
  SHA256: 8745266f0ab63b38d1e55aa5f6aa90c6620391050fac2d7800bbdb5c0ddddfd5
  SHA512: 394d8cf1f910ca92ddfcb2917249d7d57af1fa85c83d7fdac1a03cd2c956906ee3c84e31c7136f3fb1bfb8a66e0413e3c3c6af185d314db366ee5b27b6bc3f1a
memory/1884-54-0x0000000000000000-mapping.dmp