Analysis
max time kernel: 150s
max time network: 156s
platform: windows7_x64
resource: win7-20220414-en
submitted: 16-06-2022 06:38

Static task: static1
Behavioral task: behavioral1
  Sample: Receipt.js
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: Receipt.js
  Resource: win10v2004-20220414-en

General
Target: Receipt.js
Size: 51KB
MD5: e7445dedca856ea9b1c29b6d44520d7d
SHA1: 94320eb0a513675b1bd4d012d4e4782c53a8178a
SHA256: 9360cf526c870d8dedc3d0bb6e8b8728caf1ed840f1d55aec5c05cc2bbe43759
SHA512: 60f60e7f8f9a10e7803b520f1797f0de7470dc728edcf7cd42f1b36e7de6334bec1f4a42b528c82e93f2a4cbae2179000d1f83926d6cc1e71678e678bda0db90
Malware Config
Signatures
- suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin UA
- suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1
-
- Blocklisted process makes network request (39 IoCs)
  pid   process      flows
  1092  wscript.exe  5, 9, 14, 17, 22, 24, 30, 32, 36, 41, 44, 48, 53, 57, 60
  1108  wscript.exe  6, 7, 10, 11, 16, 19, 20, 23, 26, 28, 31, 34, 35, 39, 40, 43, 46, 47, 51, 52, 55, 58, 59, 63
- Drops startup file (4 IoCs)
  description                  | ioc                                                                                          | process
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LcuiFbTldv.js | wscript.exe
  File created                 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hwo1.vbs      | wscript.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hwo1.vbs      | wscript.exe
  File created                 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LcuiFbTldv.js | wscript.exe
  Both second-stage scripts are copied into the per-user Startup folder in addition to the Run-key entries below, so each stage has two independent logon-time autostarts; removing only the registry values leaves the Startup copies in place.
- Adds Run key to start application (2 TTPs, 6 IoCs)
  description     | ioc                                                                                                                                                     | process
  Key created     | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run                                                 | wscript.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "C:\Users\Admin\AppData\Roaming\LcuiFbTldv.js" | wscript.exe
  Key created     | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\software\microsoft\windows\currentversion\run                                                 | wscript.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\hwo1 = wscript.exe //B "C:\Users\Admin\AppData\Roaming\hwo1.vbs" | wscript.exe
  Key created     | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run                                                                                          | wscript.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hwo1 = wscript.exe //B "C:\Users\Admin\AppData\Roaming\hwo1.vbs"                          | wscript.exe
  The YVBPFHTJIQ value is a bare quoted path to the .js file, so it is started through the .js file association (wscript.exe by default); the hwo1 values invoke wscript.exe explicitly with //B, which suppresses script error dialogs and prompts so nothing is shown to the user. hwo1 is registered under both the user's Run key and HKLM\...\Run; the HKLM write only succeeds because the script host had rights to write that key in this sandbox, so on a standard-user host only the per-user entry would be expected.
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature reads "Likely ransomware behaviour"; for a sample that trips the Dunihi/Houdini/H-Worm Suricata rules above, enumerating drives is more consistent with that family's removable-media spreading, so treat the ransomware label as the signature's default wording rather than a finding about this sample.
- Suspicious use of WriteProcessMemory (6 IoCs)
  description                      | pid  | process     | target process
  PID 1972 wrote to memory of 1092 | 1972 | wscript.exe | wscript.exe  (3 times)
  PID 1972 wrote to memory of 1108 | 1972 | wscript.exe | wscript.exe  (3 times)
  All six writes go from the initial wscript.exe (PID 1972) into the two child processes it had just created (1092 and 1108). A parent writing into a child it is starting is part of ordinary process creation; this signature on its own is not evidence of injection into an unrelated process.
Processes
C:\Windows\system32\wscript.exe  (PID 1972)
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\Receipt.js
  - Suspicious use of WriteProcessMemory
  |
  +-- C:\Windows\System32\wscript.exe  (PID 1092)
  |     Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\LcuiFbTldv.js"
  |     - Blocklisted process makes network request
  |     - Drops startup file
  |     - Adds Run key to start application
  |
  +-- C:\Windows\System32\wscript.exe  (PID 1108)
        Command line: "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Roaming\hwo1.vbs"
        - Blocklisted process makes network request
        - Drops startup file
        - Adds Run key to start application
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Roaming\LcuiFbTldv.js
  Filesize: 10KB
  MD5: b9f6f0af7792ca7bc93bd1d25e2ad3af
  SHA1: 6c10df215301a87bc2d060dd638e0545d8b874a1
  SHA256: 45377bd90ec6f33844c8f24d141f0d7e7ae22abaaefdbad146021aa48091c980
  SHA512: 339438359dbf67387c1e8481b0a7befcf756b24ecbd271a131537344c1ba72e1696ca8e9df92111cc11a75319b884a0517abd0b54782c534240f6fd8c9cc13c
- C:\Users\Admin\AppData\Roaming\hwo1.vbs
  Filesize: 13KB
  MD5: 0fa22927ed90ae0bfbc0fbc979d566ff
  SHA1: c6562835566afe7eded525f68a0cfdf6f82b4a0a
  SHA256: 9ec1848a60e25d9bf6f2d3dd2e607e269a259925b143ea20ee7dfbe58f7152e7
  SHA512: 8692696d841a50b811e21384ee040cbeb478cfe5a2f093ed7b6d1869ae910c590ad940771d9f95a76880f4c25d637d4f29fbe14e2c16b6a424e54a48812b7203
- memory/1092-55-0x0000000000000000-mapping.dmp
- memory/1108-57-0x0000000000000000-mapping.dmp
- memory/1972-54-0x000007FEFC3A1000-0x000007FEFC3A3000-memory.dmp
  Filesize: 8KB