Analysis
max time kernel: 4294210s
max time network: 152s
platform: windows7_x64
resource: win7-20220223-en
submitted: 24-02-2022 07:59
Static task: static1
Behavioral task: behavioral1 (sample eVoucher.js, resource win7-20220223-en)
Behavioral task: behavioral2 (sample eVoucher.js, resource win10v2004-en-20220112)
General
Target: eVoucher.js
Size: 20KB
MD5: b2be3dbbf5e20713b203a95b9dca8ee6
SHA1: fa11acd273295bbfaf6db67acb1cc7fd0934d825
SHA256: f2a1e7f1d81a1500da4245641082c12649e4bb8136d7883c2f211ba327ffcac2
SHA512: b03a23d4020904b4b72005c9513e2f77a4f4925754532e3b417d26e85deb68460f8671b49180527a9f719afecd6ebaabfb17ccaa6552ee75bc5d545b5d0788dc
Malware Config
Extracted family: vjw0rm
C2 URL: http://warrr.duckdns.org:9997
Signatures

Blocklisted process makes network request (19 IoCs)
pid 1076 wscript.exe: flow 9
pid 1656 wscript.exe: flows 8, 10, 11, 14, 15, 17, 19, 21, 22, 24, 26, 27, 30, 31, 32, 34, 36, 37
Drops startup file (3 IoCs)
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eVoucher.js (wscript.exe)
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ssoLSQXptF.js (wscript.exe)
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ssoLSQXptF.js (wscript.exe)
Adds Run key to start application (2 TTPs, 4 IoCs)
Key created: \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run (wscript.exe)
Set value (str): \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "C:\Users\Admin\AppData\Roaming\ssoLSQXptF.js" (wscript.exe; the value data includes the surrounding quotes)
Key created: \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run (wscript.exe)
Set value (str): \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\RV7KJCEOJC = "C:\Users\Admin\AppData\Roaming\eVoucher.js" (wscript.exe; the value data includes the surrounding quotes)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The "likely ransomware behaviour" wording is the sandbox's generic description of this signature; for a vjw0rm sample the more plausible reason to enumerate drives is copying itself to removable media, which is how this family spreads. Nothing in this report shows file encryption.

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution. The single IoC here is the schtasks.exe command shown in the process tree below: a task named Skype that re-runs C:\Users\Admin\AppData\Roaming\eVoucher.js every 30 minutes (/sc minute /mo 30), so the script survives a reboot even if the Run key and Startup-folder copies are removed.

Suspicious use of WriteProcessMemory (6 IoCs)
PID 1076 (wscript.exe) wrote to the memory of PID 1656 (wscript.exe), 3 times
PID 1076 (wscript.exe) wrote to the memory of PID 1496 (schtasks.exe), 3 times
Both targets are children that PID 1076 itself launched (see the process tree). A parent writing into a process it has just created is consistent with ordinary process start-up rather than code injection, so this signature should be read as the launch of the two children, not as an injection technique.
Processes
C:\Windows\system32\wscript.exe (PID 1076, per the WriteProcessMemory IoCs above)
  command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\eVoucher.js
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  child: C:\Windows\System32\wscript.exe (PID 1656)
    command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\ssoLSQXptF.js"
    (//B is WSH batch mode, which suppresses script error dialogs and prompts)
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
  child: C:\Windows\System32\schtasks.exe (PID 1496)
    command line: "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\eVoucher.js
    (the closing quote after the /tr argument is absent in the recorded command line)
    - Creates scheduled task(s)
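The Run key values, the Startup-folder drops and the schtasks command recorded above, together with wscript.exe launching a .js from %APPDATA%, form a persistence pattern that can be checked against endpoint telemetry. The Python below is an added example written for this page, not tooling from the sandbox, the malware or any vendor: it runs four simple rules over constructed event records whose paths, value names and command lines are copied from the IoCs in this report (the record layout, the PID-less root event and the two benign control events are assumptions), and reports which records match.

```python
import re
from dataclasses import dataclass

# Extensions handled by the Windows Script Host (and mshta for .hta).
SCRIPT_EXT = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta")
# Directory markers a standard user can write to (lower-case, backslash-delimited).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe")
STARTUP_MARKER = "\\start menu\\programs\\startup\\"
RUN_KEY_MARKER = "\\currentversion\\run\\"

# Values taken from the report above.
RUN_KEY = r"\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run"
STARTUP_DIR = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
WSCRIPT = r"C:\Windows\System32\wscript.exe"
# Copied from the process tree as recorded, including the missing closing quote.
SCHTASKS_CMDLINE = (r'"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 '
                    r'/tn Skype /tr "C:\Users\Admin\AppData\Roaming\eVoucher.js')

# Constructed event records (the layout is an assumption; the values are the report's IoCs).
SAMPLE_EVENTS = [
    {"type": "process_create", "image": WSCRIPT, "parent_image": "",
     "cmdline": r"wscript.exe C:\Users\Admin\AppData\Local\Temp\eVoucher.js"},
    {"type": "file_create", "image": WSCRIPT, "path": STARTUP_DIR + r"\eVoucher.js"},
    {"type": "file_create", "image": WSCRIPT, "path": STARTUP_DIR + r"\ssoLSQXptF.js"},
    {"type": "registry_set", "image": WSCRIPT, "key": RUN_KEY + r"\SEJOKAOI5S",
     "data": r'"C:\Users\Admin\AppData\Roaming\ssoLSQXptF.js"'},
    {"type": "registry_set", "image": WSCRIPT, "key": RUN_KEY + r"\RV7KJCEOJC",
     "data": r'"C:\Users\Admin\AppData\Roaming\eVoucher.js"'},
    {"type": "process_create", "image": WSCRIPT, "parent_image": WSCRIPT,
     "cmdline": r'"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\ssoLSQXptF.js"'},
    {"type": "process_create", "image": r"C:\Windows\System32\schtasks.exe",
     "parent_image": WSCRIPT, "cmdline": SCHTASKS_CMDLINE},
    # Two constructed benign controls that must not fire: an EXE autorun and an EXE task.
    {"type": "registry_set", "image": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe",
     "key": RUN_KEY + r"\OneDrive",
     "data": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'},
    {"type": "process_create", "image": r"C:\Windows\System32\schtasks.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'schtasks /create /sc daily /tn Backup /tr "C:\Program Files\Backup\backup.exe"'},
]


@dataclass
class Finding:
    rule: str
    evidence: str


def referenced_scripts(text: str) -> list[str]:
    """Return script-file paths named in a command line or registry value.

    Quoted tokens stay whole so paths with spaces survive. An unterminated quote
    (as in SCHTASKS_CMDLINE) falls back to whitespace splitting, and the stray
    quote is stripped from the token.
    """
    tokens = [q or u for q, u in re.findall(r'"([^"]*)"|(\S+)', text)]
    paths = [t.strip('"') for t in tokens]
    return [p for p in paths if p.lower().endswith(SCRIPT_EXT)]


def in_user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)


def basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def triage(events: list[dict]) -> list[Finding]:
    """Apply four rules that together describe the persistence chain in the report."""
    findings: list[Finding] = []
    for ev in events:
        kind = ev["type"]
        if kind == "registry_set" and RUN_KEY_MARKER in ev["key"].lower():
            # Rule 1: a Run value whose command is a script in a user-writable directory.
            for s in referenced_scripts(ev["data"]):
                if in_user_writable(s):
                    findings.append(Finding("run_key_script_in_user_dir", f"{ev['key']} -> {s}"))
        elif kind == "file_create":
            # Rule 2: a script written into the per-user Startup folder.
            p = ev["path"]
            if STARTUP_MARKER in p.lower() and p.lower().endswith(SCRIPT_EXT):
                findings.append(Finding("startup_folder_script_drop", p))
        elif kind == "process_create":
            image, parent, cmd = basename(ev["image"]), basename(ev.get("parent_image", "")), ev["cmdline"]
            if image == "schtasks.exe" and "/create" in cmd.lower():
                # Rule 3: a newly created task whose action is a script file.
                for s in referenced_scripts(cmd):
                    findings.append(Finding("schtasks_action_is_script", f"parent={parent} -> {s}"))
            elif image in SCRIPT_HOSTS:
                # Rule 4: a script host executing a script from a user-writable directory.
                for s in referenced_scripts(cmd):
                    if in_user_writable(s):
                        findings.append(Finding("script_host_runs_user_dir_script", f"parent={parent} -> {s}"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.rule:36} {f.evidence}")
```

Run as a script it prints seven matches (two Run values, two Startup drops, one task, two wscript launches) and nothing for the two EXE-based controls. In practice the same rules would be fed Sysmon events rather than the hand-built list: event ID 1 for process creation, 11 for file creation and 13 for registry value sets.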
Downloads
C:\Users\Admin\AppData\Roaming\ssoLSQXptF.js
MD5: e983a6182dfbb9a79b2bf3e3b9c589a4
SHA1: f24cb83586d88963bece54a2d18c1994880e0377
SHA256: bf43679c00fd876f84e1f836b2bb753fe8e1cd08b0d573e429cecd26d09e1fd5
SHA512: 5d0a8db73393378706ee9e955c1e04fc6bb0c71a113514e158df5c5d5a1f7d0e2d04a4d3017bc56ea0ddc1b302f04313cbcf4dd043628abc8acaf9bbf30ef120
These hashes differ from those of the submitted eVoucher.js, so the dropped file is not a byte-identical copy of the sample; hunt for it by path and the Run value SEJOKAOI5S rather than by the sample's hash alone.