Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows7_x64
- resource: win7-en-20210920
- submitted: 15-10-2021 06:56
Static task: static1
Behavioral task: behavioral1
- Sample: eReceipt.js
- Resource: win7-en-20210920
Behavioral task: behavioral2
- Sample: eReceipt.js
- Resource: win10-en-20210920
General
- Target: eReceipt.js
- Size: 24KB
- MD5: 53e80f5441f77abf03ac535d2ea55327
- SHA1: d1accac81fc1e6afaa92a563bff1cd124dbc7ae2
- SHA256: ec12c4a76b8aaaae0bc169b3a974d0b68dda705150fac4dbecd26486f157c039
- SHA512: 27495d649d80dd0814091cafddd067cd866fe9609684d4d2b1e3937aeb845e6403573dfba5d9ef971e94670b2eb8a7be4520b2caf6d142554c6578ad6eb91958
Malware Config
Signatures
- Blocklisted process makes network request (36 IoCs)
  Processes (flow ids grouped by pid; both pids are wscript.exe):
  pid 368 (wscript.exe): flows 8, 12, 14, 20, 23, 26, 30, 34, 38, 41, 44, 49, 52, 56, 59, 63, 66, 70
  pid 1092 (wscript.exe): flows 9, 10, 13, 18, 21, 24, 29, 32, 35, 40, 43, 46, 51, 54, 57, 62, 65, 68
- Drops startup file (3 IoCs)
  Processes (description, IoC, process):
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eReceipt.js (wscript.exe)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xTZBMhzFuE.js (wscript.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xTZBMhzFuE.js (wscript.exe)
- Adds Run key to start application (2 TTPs, 4 IoCs)
  Processes (description, IoC, process):
  Set value (str): \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "C:\Users\Admin\AppData\Roaming\xTZBMhzFuE.js" (wscript.exe)
  Key created: \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run (wscript.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\3W2CQPM6PM = "C:\Users\Admin\AppData\Roaming\eReceipt.js" (wscript.exe)
  Key created: \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run (wscript.exe)
  (The value data includes the surrounding double quotes; the report shows them backslash-escaped.)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox flags this as likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description, pid, process, target process):
  PID 1092 (wscript.exe) wrote to memory of PID 368 (wscript.exe), recorded 3 times
Processes
- C:\Windows\system32\wscript.exe (pid 1092)
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\eReceipt.js
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\System32\wscript.exe (pid 368)
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\xTZBMhzFuE.js"
    (//B runs Windows Script Host in batch mode, which suppresses script error dialogs and prompts. The pids are taken from the WriteProcessMemory signature above, where 1092 writes into 368, the pattern of a parent creating a child process.)
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
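The persistence and execution chain above (Run values pointing at scripts in AppData\Roaming, script files dropped into the per-user Startup folder, and wscript.exe re-launching itself with //B) is the part of this report worth turning into a hunt. The following is an added example, not sandbox output and not the sample's own code. The events are constructed in a Sysmon-like shape (EventID 13 registry value set, 11 file create, 1 process create) and reuse the SID, paths, value names and command line from this report; the benign entries (a vendor updater, a OneNote shortcut, a user-launched cleanup.js) and the rule names are hypothetical, added so the rules are shown not firing on ordinary activity.

```python
"""Hunting rules for the persistence and execution chain in this eReceipt.js report.

Added example for this page; it is not sandbox output or the sample's own code.
SAMPLE_EVENTS are constructed in a Sysmon-like shape (EventID 13 = registry
value set, 11 = file create, 1 = process create). They mirror the report's
IoCs and add a few benign entries that the rules must not flag.
"""
import re

SCRIPT_EXT = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta")
# A value directly under ...\CurrentVersion\Run or \RunOnce (value name after the last backslash).
RUN_VALUE_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.I)
USER_WRITABLE_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.I)
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+$", re.I)
# //B (or /B) puts wscript/cscript in batch mode: no script-error dialogs, no prompts.
BATCH_FLAG_RE = re.compile(r"(^|\s)//?b(\s|$)", re.I)

# Paths and SID taken from the report; the benign entries below are constructed.
RUN_KEY = r"\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run"
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
WSCRIPT = r"C:\Windows\System32\wscript.exe"

SAMPLE_EVENTS = [
    # Registry: the two Run values from the report, plus a benign (hypothetical) vendor updater.
    {"EventID": 13, "Image": WSCRIPT, "TargetObject": RUN_KEY + r"\SEJOKAOI5S",
     "Details": r'"C:\Users\Admin\AppData\Roaming\xTZBMhzFuE.js"'},
    {"EventID": 13, "Image": WSCRIPT, "TargetObject": RUN_KEY + r"\3W2CQPM6PM",
     "Details": r'"C:\Users\Admin\AppData\Roaming\eReceipt.js"'},
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe", "TargetObject": RUN_KEY + r"\VendorUpdater",
     "Details": r'"C:\Program Files\Vendor\updater.exe" /background'},
    # Files: the two Startup-folder drops from the report, plus a benign (hypothetical) shortcut.
    {"EventID": 11, "Image": WSCRIPT, "TargetFilename": STARTUP + r"\eReceipt.js"},
    {"EventID": 11, "Image": WSCRIPT, "TargetFilename": STARTUP + r"\xTZBMhzFuE.js"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe", "TargetFilename": STARTUP + r"\OneNote.lnk"},
    # Processes: the wscript -> wscript //B chain from the report, plus a user double-clicking a script.
    {"EventID": 1, "ParentImage": WSCRIPT, "Image": WSCRIPT,
     "CommandLine": r'"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\xTZBMhzFuE.js"'},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe", "Image": WSCRIPT,
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\Admin\Documents\cleanup.js"'},
]


def first_token(cmd):
    """First command-line token, honouring double quotes (Windows quoting, so no shlex)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(None, 1)[0] if cmd else ""


def is_script_path(path):
    """True when the path ends in a Windows Script Host or HTA extension."""
    return path.strip().lower().endswith(SCRIPT_EXT)


def check_run_value(ev):
    """Run/RunOnce value whose data launches a script from a user-writable AppData path."""
    if ev.get("EventID") != 13 or not RUN_VALUE_RE.search(ev["TargetObject"]):
        return None
    target = first_token(ev["Details"])
    if is_script_path(target) and USER_WRITABLE_RE.search(target):
        name = ev["TargetObject"].rsplit("\\", 1)[-1]
        return f"run_value_script: {name} -> {target}"
    return None


def check_startup_drop(ev):
    """Script file created in a Startup folder (runs at every interactive logon)."""
    if ev.get("EventID") != 11:
        return None
    path = ev["TargetFilename"]
    if STARTUP_DIR_RE.search(path) and is_script_path(path):
        return f"startup_script: {path}"
    return None


def check_silent_script_chain(ev):
    """wscript.exe spawning wscript/cscript with //B: a script re-launching itself silently."""
    if ev.get("EventID") != 1:
        return None
    parent = ev.get("ParentImage", "").lower()
    child = ev.get("Image", "").lower()
    cmd = ev.get("CommandLine", "")
    if parent.endswith("\\wscript.exe") and child.endswith(("\\wscript.exe", "\\cscript.exe")) \
            and BATCH_FLAG_RE.search(cmd):
        return f"silent_script_chain: {cmd}"
    return None


CHECKS = (check_run_value, check_startup_drop, check_silent_script_chain)


def hunt(events):
    """Run every check over every event and return the findings as strings."""
    findings = []
    for ev in events:
        for check in CHECKS:
            hit = check(ev)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for line in hunt(SAMPLE_EVENTS):
        print(line)
```

Run stand-alone it prints five findings: the two Run values, the two Startup-folder drops and the //B re-launch, and nothing for the three benign events. The Run-value rule deliberately requires both a script extension and a user-writable AppData path, because Run entries pointing at installed programs are common; the Startup rule ignores .lnk files for the same reason.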
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\xTZBMhzFuE.js
  MD5: c723c09e07ec54a2833fdd1cf2adcee3
  SHA1: 9acabb132972ac2dc178e396a903258c61a3adc9
  SHA256: 0d231c7df5c5c19a43d3992e654b6fbbe7fd32b8a66040471dbe398a35947f04
  SHA512: 1ccaeaab8ee01dd7b152e665941094dac1af6b73e8a12c713615be89c95bd8ce76a8c99547ca5f366d63bb71c45a0e15dab0930f0c8cf771cc6ff72ca2c976c2
- memory/368-54-0x0000000000000000-mapping.dmp
- memory/1092-53-0x000007FEFB6B1000-0x000007FEFB6B3000-memory.dmp
  Filesize: 8KB