Analysis
- max time kernel: 4294211s
- max time network: 152s
- platform: windows7_x64
- resource: win7-20220310-en
- submitted: 13-03-2022 16:37
Static task: static1
Behavioral task: behavioral1
- Sample: receipt.js
- Resource: win7-20220310-en
Behavioral task: behavioral2
- Sample: receipt.js
- Resource: win10v2004-20220310-en
General
- Target: receipt.js
- Size: 66KB
- MD5: 6f3064d19d9af3374af22dd40df47850
- SHA1: 9a663a6b13430cc5018a23b348850ff76644f5fb
- SHA256: 779d2a6161c86c42ce9ed2888117b72a6778f050153654a0d9c0aa1e3ec3cfdc
- SHA512: f8ba075afddbb3f3f7f64af145cbd9e70c02710689c70d47959f3e9ca38593bc29a6c28896ffb19621802a09981ebf31a96630d9cff115c91e25335f18e21f85
Malware Config
Extracted
vjw0rm
http://zeegod.duckdns.org:9001
Signatures
- Blocklisted process makes network request (19 IoCs)
  Processes: wscript.exe, wscript.exe
  flow  pid   process
  8     1496  wscript.exe
  9     1708  wscript.exe
  10    1496  wscript.exe
  12    1496  wscript.exe
  14    1496  wscript.exe
  16    1496  wscript.exe
  18    1496  wscript.exe
  20    1496  wscript.exe
  22    1496  wscript.exe
  24    1496  wscript.exe
  26    1496  wscript.exe
  28    1496  wscript.exe
  29    1496  wscript.exe
  32    1496  wscript.exe
  34    1496  wscript.exe
  36    1496  wscript.exe
  38    1496  wscript.exe
  40    1496  wscript.exe
  42    1496  wscript.exe
- Drops startup file (4 IoCs)
  Processes: wscript.exe, wscript.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GHCfqroCHm.js | wscript.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GHCfqroCHm.js | wscript.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\receipt.js | wscript.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\receipt.js | wscript.exe
- Adds Run key to start application (2 TTPs, 4 IoCs)
  Processes: wscript.exe, wscript.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Windows\CurrentVersion\Run\LMOXHX511V = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\receipt.js\"" | wscript.exe
  Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Windows\CurrentVersion\Run | wscript.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Windows\CurrentVersion\Run\00FAYTSXGU = "\"C:\\Users\\Admin\\AppData\\Roaming\\GHCfqroCHm.js\"" | wscript.exe
  Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Windows\CurrentVersion\Run | wscript.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: wscript.exe
  description | pid | process | target process
  PID 1708 wrote to memory of 1496 | 1708 | wscript.exe | wscript.exe
  PID 1708 wrote to memory of 1496 | 1708 | wscript.exe | wscript.exe
  PID 1708 wrote to memory of 1496 | 1708 | wscript.exe | wscript.exe
Processes
- C:\Windows\system32\wscript.exe (PID: 1708)
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\receipt.js
  Signatures:
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\wscript.exe (PID: 1496, child of 1708)
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\GHCfqroCHm.js"
    Signatures:
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Roaming\GHCfqroCHm.js
  MD5: eaa8511b7082f30b4a6e46702014f014
  SHA1: dbc2dfad64e5f7b00492743f706fddeed984fd9b
  SHA256: 545360cb2972730fa0cdcd01b56deab97cdbe4a113b626962ab20877c79586d2
  SHA512: 17cf9357656987f5c9595c8157cad0b864a836a2cf910bdaf67f1468838fff42fedde1cfe419487d177f9ef472d88a72378300230d6b2deb2cb56a6bc9d7c9f2
- memory/1708-54-0x000007FEFBA61000-0x000007FEFBA63000-memory.dmp
  Filesize: 8KB