Analysis
- max time kernel: 146s
- max time network: 146s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 08-12-2021 19:17
Static task: static1
Behavioral task: behavioral1
- Sample: receipt_ups.js
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: receipt_ups.js
- Resource: win10-en-20211208
General
- Target: receipt_ups.js
- Size: 22KB
- MD5: 45da0659e1a6f35fc8c740dafcbb5435
- SHA1: 083d64752001598e019b8a74db75f992121f7cf5
- SHA256: 1b706876d4f0d013e451fecd02d7f5486650efe4593bac4e74d51d0d164d3fb9
- SHA512: 0125b2f121db439fd64552e1c854d7e9fdc30c0fc3c380676c20c21987118739f6d2ff89b72a1e155d4c276ea12d12c836180a096d341d66f2c7fcc5209a0210
Malware Config
Extracted: vjw0rm
- http://zeegod.duckdns.org:9998
Signatures
- Blocklisted process makes network request (18 IoCs)
Processes:
  flow  pid   process
  8     524   wscript.exe
  9     1692  wscript.exe
  10    524   wscript.exe
  12    524   wscript.exe
  14    524   wscript.exe
  16    524   wscript.exe
  17    524   wscript.exe
  20    524   wscript.exe
  21    524   wscript.exe
  23    524   wscript.exe
  26    524   wscript.exe
  27    524   wscript.exe
  30    524   wscript.exe
  32    524   wscript.exe
  35    524   wscript.exe
  36    524   wscript.exe
  39    524   wscript.exe
  41    524   wscript.exe
- Drops startup file (3 IoCs)
Processes:
  description                   ioc                                                                                          process
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\receipt_ups.js   wscript.exe
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZZRlKoGvgy.js    wscript.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZZRlKoGvgy.js    wscript.exe
- Adds Run key to start application (2 TTPs, 4 IoCs)
Processes:
  description      ioc                                                                                                                                                                          process
  Key created      \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run                                                                  wscript.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\ZZRlKoGvgy.js\""   wscript.exe
  Key created      \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run                                                                  wscript.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\YSAGQWKNY8 = "\"C:\\Users\\Admin\\AppData\\Roaming\\receipt_ups.js\""  wscript.exe
- Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  description                        pid   process      target process
  PID 1692 wrote to memory of 524    1692  wscript.exe  wscript.exe
  PID 1692 wrote to memory of 524    1692  wscript.exe  wscript.exe
  PID 1692 wrote to memory of 524    1692  wscript.exe  wscript.exe
  PID 1692 wrote to memory of 1272   1692  wscript.exe  schtasks.exe
  PID 1692 wrote to memory of 1272   1692  wscript.exe  schtasks.exe
  PID 1692 wrote to memory of 1272   1692  wscript.exe  schtasks.exe
Processes
- C:\Windows\system32\wscript.exe (depth 1)
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\receipt_ups.js
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\wscript.exe (depth 2)
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\ZZRlKoGvgy.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
  - C:\Windows\System32\schtasks.exe (depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\receipt_ups.js
    - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\ZZRlKoGvgy.js
  - MD5: b08acc841bc0948b0892a8420e71bc08
  - SHA1: 5e71337164e700afdc9fe01368faac4b1509480d
  - SHA256: 83067e15bd60e591b11f99220d11702b312d062120d82886660d02cfed5786ad
  - SHA512: 3462e057cf0e35d726d5f8139b140a7d638da358b69ff87769a1fc217e7265a18fffbe59ca018f054b58607bad1eb60b9ee2d5e3db4047cb46e275bd9dd58329
- memory/524-54-0x0000000000000000-mapping.dmp
- memory/1272-56-0x0000000000000000-mapping.dmp