Analysis

max time kernel: 120s
max time network: 132s
platform: windows10_x64
resource: win10-en-20210920
submitted: 22-10-2021 18:09

Static task: static1

Behavioral task: behavioral1
Sample: ERECEIPT.JS
Resource: win7-en-20211014

Behavioral task: behavioral2
Sample: ERECEIPT.JS
Resource: win10-en-20210920
General

Target: ERECEIPT.JS
Size: 23KB
MD5: f041d2da1a5839119c042afda5c966ad
SHA1: 78dee5cee82ae393737ddbff9ccf13ad460f6711
SHA256: 88831eb51e1546b02091a0b2508f19e82c1feea3fec4d4c10fac83e3df107677
SHA512: 1838dc189474e0896cc5e800d0595ede6a6bc0c6535a3eb247cb2b0525763c923615762de7857ade40ecd970b8b3ef0a33075d2bae9b22e2d5aad7ae0ba37a81
Malware Config
Extracted
vjw0rm
http://loadcash.duckdns.org:7779
http://gameserver-789.duia.ro:6789
Signatures

Blocklisted process makes network request (15 IoCs)
Processes:
flow | pid | process
10 | 660 | wscript.exe
11 | 2156 | WScript.exe
21 | 660 | wscript.exe
26 | 660 | wscript.exe
29 | 660 | wscript.exe
30 | 660 | wscript.exe
32 | 660 | wscript.exe
35 | 660 | wscript.exe
36 | 660 | wscript.exe
37 | 660 | wscript.exe
38 | 660 | wscript.exe
39 | 660 | wscript.exe
40 | 660 | wscript.exe
41 | 660 | wscript.exe
42 | 660 | wscript.exe

Drops startup file (3 IoCs)
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERECEIPT.JS | WScript.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hHHTUAlbjt.js | wscript.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hHHTUAlbjt.js | wscript.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run | wscript.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\hHHTUAlbjt.js\"" | wscript.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run | WScript.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\XIKPFFU2BI = "\"C:\\Users\\Admin\\AppData\\Roaming\\ERECEIPT.JS\"" | WScript.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of WriteProcessMemory (2 IoCs)
Processes:
description | pid | process | target process
PID 2156 wrote to memory of 660 | 2156 | WScript.exe | wscript.exe
PID 2156 wrote to memory of 660 | 2156 | WScript.exe | wscript.exe
Processes

1. C:\Windows\System32\WScript.exe
   Command line: C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Local\Temp\ERECEIPT.JS"
   - Blocklisted process makes network request
   - Drops startup file
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory

2. C:\Windows\System32\wscript.exe (child of process 1)
   Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\hHHTUAlbjt.js"
   - Blocklisted process makes network request
   - Drops startup file
   - Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Roaming\hHHTUAlbjt.js
MD5: 92267ddaf97462922152ddb1e0165db8
SHA1: 99d87937a9844ce24481a4499ae9bc5dd39a0604
SHA256: 61c77f0004a30e87cb6a0b27b56b54e50436b1e532342f01790b398847640b02
SHA512: 6d349ce485a573700990c26b845fe559172097c58bf2fee31d61e6feebd73d2be17b61957c582bb4be5f6f6671abe40ec9f8ebe24e360ce26dca9988343220a9

memory/660-115-0x0000000000000000-mapping.dmp