Analysis
- max time kernel: 152s
- max time network: 150s
- platform: windows7_x64
- resource: win7-en-20211014
- submitted: 20-10-2021 06:40
- Static task: static1
- Behavioral task: behavioral1 (Sample: eReceipt.js; Resource: win7-en-20211014)
- Behavioral task: behavioral2 (Sample: eReceipt.js; Resource: win10-en-20211014)
General
- Target: eReceipt.js
- Size: 23KB
- MD5: 71dd3d13d2f94788ff6ba8c451e14a10
- SHA1: e1c7b5de5ed6bd7814ebb6b826292984ca914681
- SHA256: 5c31139072a9120d3083572fa3404c0b8092c9ad801f0f71146c15256b449d65
- SHA512: 87055cc1c4407094d270e0559f2c74001cc46ffd824696788b79806db1a75fad3e6a15e0eae642bb9ce648008cb6ed66cc2ce7ba27a466be563a0c43eb806ed1
Malware Config
- Extracted: vjw0rm
- URL: http://loadcash.duckdns.org:7779
Signatures
- Blocklisted process makes network request (19 IoCs)
  Processes: wscript.exe, wscript.exe
  flow | pid | process
  8 | 1548 | wscript.exe
  9 | 696 | wscript.exe
  10 | 696 | wscript.exe
  12 | 696 | wscript.exe
  15 | 696 | wscript.exe
  17 | 696 | wscript.exe
  18 | 696 | wscript.exe
  21 | 696 | wscript.exe
  23 | 696 | wscript.exe
  25 | 696 | wscript.exe
  27 | 696 | wscript.exe
  29 | 696 | wscript.exe
  31 | 696 | wscript.exe
  34 | 696 | wscript.exe
  35 | 696 | wscript.exe
  37 | 696 | wscript.exe
  40 | 696 | wscript.exe
  42 | 696 | wscript.exe
  43 | 696 | wscript.exe
- Drops startup file (3 IoCs)
  Processes: wscript.exe, wscript.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eReceipt.js | wscript.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VmigjCkdfz.js | wscript.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VmigjCkdfz.js | wscript.exe
- Adds Run key to start application (2 TTPs, 4 IoCs)
  Processes: wscript.exe, wscript.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\Run\XIKPFFU2BI = "\"C:\\Users\\Admin\\AppData\\Roaming\\eReceipt.js\"" | wscript.exe
  Key created | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\Run | wscript.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\VmigjCkdfz.js\"" | wscript.exe
  Key created | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\Run | wscript.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: wscript.exe
  description | pid | process | target process
  PID 1548 wrote to memory of 696 | 1548 | wscript.exe | wscript.exe
  PID 1548 wrote to memory of 696 | 1548 | wscript.exe | wscript.exe
  PID 1548 wrote to memory of 696 | 1548 | wscript.exe | wscript.exe
Processes
- C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\eReceipt.js
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\wscript.exe (child process)
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\VmigjCkdfz.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Roaming\VmigjCkdfz.js
  MD5: 5cd907aec19d96749d3fb8f1b5378367
  SHA1: 195fd789274725201674fe41dfaf4b0875916a4c
  SHA256: 618b3fa2687370fa418900d543a5e353afff5c5ae5a1d9862f1993f285d4c6f6
  SHA512: 3e366fdae68f6f66b6677908a1436c0cb8c9e37545955ce1aa2a105b582f8446c641e65e012f45e826cc6184f1d59b4f106dca1bf8672efe0be0a300d882b066
- memory/696-56-0x0000000000000000-mapping.dmp
- memory/1548-55-0x000007FEFBFE1000-0x000007FEFBFE3000-memory.dmp
  Filesize: 8KB