Analysis
- max time kernel: 4294212s
- max time network: 159s
- platform: windows7_x64
- resource: win7-20220311-en
- submitted: 14-03-2022 15:16
Static task: static1
Behavioral task: behavioral1
- Sample: eReceipt.js
- Resource: win7-20220311-en
Behavioral task: behavioral2
- Sample: eReceipt.js
- Resource: win10v2004-20220310-en
General
- Target: eReceipt.js
- Size: 578KB
- MD5: d64b0399563a39517dbdc2a7b07ebccc
- SHA1: bf6b80063cdb8204a491c149ac17a142dcdec2b0
- SHA256: bd589d7e0de188679d2688c2e1f4d43f13ae2239be9603453170daa1b8484951
- SHA512: 36a7a3d56180c7fd883b4c14acfee40c43fd7b962a92c6b837c9d09958f34f16001ce99e4132a886c370beb1ad89d6478625f7b519474dac739ce6463b74b585
Malware Config
Extracted: vjw0rm
- http://zeegod.duckdns.org:9001
- http://kathyaboth.duia.ro:6534
Signatures
- Blocklisted process makes network request (2 IoCs)
  Processes (flow | pid | process):
    8 | 1836 | wscript.exe
    9 | 1208 | wscript.exe
- Drops startup file (4 IoCs)
  Processes (description | ioc | process):
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eReceipt.js | wscript.exe
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AbdlghowYl.js | wscript.exe
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AbdlghowYl.js | wscript.exe
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eReceipt.js | wscript.exe
- Adds Run key to start application (2 TTPs, 4 IoCs)
  Processes (description | ioc | process):
    Key created | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows\CurrentVersion\Run | wscript.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows\CurrentVersion\Run\LMOXHX511V = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\eReceipt.js\"" | wscript.exe
    Key created | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows\CurrentVersion\Run | wscript.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows\CurrentVersion\Run\00FAYTSXGU = "\"C:\\Users\\Admin\\AppData\\Roaming\\AbdlghowYl.js\"" | wscript.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description | pid | process | target process):
    PID 1836 wrote to memory of 1208 | 1836 | wscript.exe | wscript.exe
    PID 1836 wrote to memory of 1208 | 1836 | wscript.exe | wscript.exe
    PID 1836 wrote to memory of 1208 | 1836 | wscript.exe | wscript.exe
Processes
- C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\eReceipt.js
  PID: 1836
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\wscript.exe
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\AbdlghowYl.js"
    PID: 1208
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Roaming\AbdlghowYl.js
  MD5: a7efd43f52cb592f4a674e900cafe0f9
  SHA1: 69b512179460e51463d4cadc75838cbbdfd59b95
  SHA256: b670690136c73f206b2c8a3207a41c626f548a787ba3378b78b1e098c984a0cc
  SHA512: 601ceb0f725bb2db320880523b25c249fbf52d56162bff6496792405493d7adad2119f1dca18868be3539e72ec62c1b0906d5a9ccae9aa72809b288d0a3b108c
- memory/1836-54-0x000007FEFC411000-0x000007FEFC413000-memory.dmp
  Filesize: 8KB