Analysis
- max time kernel: 148s
- max time network: 153s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 18-10-2021 19:45
Static task: static1
Behavioral task: behavioral1
  Sample: eReceipt.js
  Resource: win7-en-20211014
Behavioral task: behavioral2
  Sample: eReceipt.js
  Resource: win10-en-20210920
General
- Target: eReceipt.js
- Size: 23KB
- MD5: e86024bc35002c13c653555802ad2ece
- SHA1: 6a40601e1e11cf7c9dbd815040211d75e73c0e6a
- SHA256: 6af2616970680def8dc9f6f6af83fbf68c96a95fec6638216dc303d02bd8476e
- SHA512: 0e80c8fbe3f339f97f8372e5c6d3d77e6423316a16252fbda571e27e469702643d89e80a7f9611446e400632cdc8b3f011f2d82791958448268a3186986298a1
Malware Config
Signatures
- Blocklisted process makes network request (36 IoCs)
  Processes: wscript.exe, wscript.exe
  flow  pid   process
  8     3140  wscript.exe
  9     1684  wscript.exe
  16    1684  wscript.exe
  17    3140  wscript.exe
  22    1684  wscript.exe
  23    3140  wscript.exe
  26    1684  wscript.exe
  31    3140  wscript.exe
  32    1684  wscript.exe
  33    3140  wscript.exe
  35    1684  wscript.exe
  36    3140  wscript.exe
  37    1684  wscript.exe
  38    3140  wscript.exe
  39    1684  wscript.exe
  41    3140  wscript.exe
  42    1684  wscript.exe
  43    3140  wscript.exe
  44    1684  wscript.exe
  45    3140  wscript.exe
  46    1684  wscript.exe
  47    1684  wscript.exe
  48    3140  wscript.exe
  49    1684  wscript.exe
  50    3140  wscript.exe
  51    1684  wscript.exe
  52    3140  wscript.exe
  53    1684  wscript.exe
  54    3140  wscript.exe
  55    1684  wscript.exe
  56    3140  wscript.exe
  57    1684  wscript.exe
  58    3140  wscript.exe
  59    1684  wscript.exe
  60    1684  wscript.exe
  61    3140  wscript.exe
- Drops startup file (3 IoCs)
  Processes: wscript.exe, wscript.exe
  description                  ioc                                                                                        process
  File created                 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eReceipt.js    wscript.exe
  File created                 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kFbewbBkWg.js  wscript.exe
  File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kFbewbBkWg.js  wscript.exe
- Adds Run key to start application (2 TTPs, 4 IoCs)
  Processes: wscript.exe, wscript.exe
  description      ioc                                                                                                                                                                                       process
  Set value (str)  \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\XIKPFFU2BI = "\"C:\\Users\\Admin\\AppData\\Roaming\\eReceipt.js\""     wscript.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\kFbewbBkWg.js\""   wscript.exe
  Key created      \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run                                                                           wscript.exe
  Key created      \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run                                                                           wscript.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes: wscript.exe
  description                         pid   process      target process
  PID 1684 wrote to memory of 3140    1684  wscript.exe  wscript.exe
  PID 1684 wrote to memory of 3140    1684  wscript.exe  wscript.exe
Processes
- C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\eReceipt.js
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\wscript.exe
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\kFbewbBkWg.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Roaming\kFbewbBkWg.js
  MD5: 745cdc100a8cc18004ac54875c5323af
  SHA1: 2e87b98257f64a8ff12fae9bcb33a91226496a10
  SHA256: d457a895563f1cf63b7aa240244cfcc4d89767323ae4b56244c0770f9b72aa8a
  SHA512: 71f07852235868a59cdc84db3a39db81c5c9ce7661b68819ae65f6708123b86b24a414c9ac6e1f20a38530a5300b7d6a1b5c544348bff566150e4e02f952c305
- memory/3140-115-0x0000000000000000-mapping.dmp