Analysis
- Max time kernel: 4294188s
- Max time network: 131s
- Platform: windows7_x64
- Resource: win7-20220311-en
- Submitted: 22-03-2022 18:32
Static task: static1
Behavioral task: behavioral1
  Sample: eVoucher.js
  Resource: win7-20220311-en
Behavioral task: behavioral2
  Sample: eVoucher.js
  Resource: win10v2004-20220310-en
General
- Target: eVoucher.js
- Size: 10KB
- MD5: 4a86c0250f53d61920c72434e80ac836
- SHA1: 52d5178d979640301456d353bb1d3a4cd9fe56c8
- SHA256: 2cf7cf0ac77b25eccc61fea38629e1a2de4547aa1d4eaae4f7885fdc0e2194a4
- SHA512: ddb19e6e340cedd29ea5735caffd7f9e47825c904ce09896d6d6a0680262a371c597ac1e019b55bed12d424c2bc8df5a56940f68edaa3a74e361016abdfc41ad
Malware Config
Extracted
- Family: vjw0rm
- C2: http://zeegod.duckdns.org:9001
Signatures
- Blocklisted process makes network request (1 IoC)
  Processes (flow | pid | process):
    5 | 1980 | wscript.exe
- Drops startup file (2 IoCs)
  Processes (description | ioc | process):
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eVoucher.js | wscript.exe
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eVoucher.js | wscript.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description | ioc | process):
    Key created | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows\CurrentVersion\Run | wscript.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows\CurrentVersion\Run\LMOXHX511V = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\eVoucher.js\"" | wscript.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description | pid | process | target process):
    PID 1980 wrote to memory of 2004 | 1980 | wscript.exe | wscript.exe
    PID 1980 wrote to memory of 2004 | 1980 | wscript.exe | wscript.exe
    PID 1980 wrote to memory of 2004 | 1980 | wscript.exe | wscript.exe
Processes
- C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\eVoucher.js
  PID: 1980
  Signatures:
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  Child process:
  - C:\Windows\System32\wscript.exe
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\JSkhHqaBqS.js"
    PID: 2004
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Roaming\JSkhHqaBqS.js
  MD5: 8ccd90975fcb67cfd9f799c1a57a005c
  SHA1: 22ec3e1d29bf2abf53c5a8b0ec5d13caadce145f
  SHA256: 24f109d42332b7fc72a66a97697642914865a27c0d7c495e0d5f6a4c6b63b04e
  SHA512: e1f32f967ef742c1b9605f52cc9d7cd43b1b4658d9de94e38a2c69fc3e9b7055fc645b51ecc8f4d6acff45d3be17061ef1101975ced9e7489332770c1713fbe6