Analysis
- max time kernel: 163s
- max time network: 177s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 16-06-2022 06:38
Static task: static1
Behavioral task: behavioral1
- Sample: Receipt.js
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: Receipt.js
- Resource: win10v2004-20220414-en
General
- Target: Receipt.js
- Size: 51KB
- MD5: e7445dedca856ea9b1c29b6d44520d7d
- SHA1: 94320eb0a513675b1bd4d012d4e4782c53a8178a
- SHA256: 9360cf526c870d8dedc3d0bb6e8b8728caf1ed840f1d55aec5c05cc2bbe43759
- SHA512: 60f60e7f8f9a10e7803b520f1797f0de7470dc728edcf7cd42f1b36e7de6334bec1f4a42b528c82e93f2a4cbae2179000d1f83926d6cc1e71678e678bda0db90
Malware Config
Signatures
- suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin UA
- suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1
- Blocklisted process makes network request (15 IoCs)
  Processes: wscript.exe, wscript.exe
  flow | pid  | process
  4    | 4620 | wscript.exe
  6    | 1232 | wscript.exe
  9    | 4620 | wscript.exe
  20   | 1232 | wscript.exe
  24   | 4620 | wscript.exe
  27   | 1232 | wscript.exe
  29   | 1232 | wscript.exe
  36   | 4620 | wscript.exe
  40   | 1232 | wscript.exe
  49   | 4620 | wscript.exe
  54   | 1232 | wscript.exe
  65   | 4620 | wscript.exe
  69   | 1232 | wscript.exe
  83   | 4620 | wscript.exe
  88   | 1232 | wscript.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: wscript.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | wscript.exe
- Drops startup file (4 IoCs)
  Processes: wscript.exe, wscript.exe
  description | ioc | process
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LcuiFbTldv.js | wscript.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hwo1.vbs | wscript.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hwo1.vbs | wscript.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LcuiFbTldv.js | wscript.exe
- Adds Run key to start application (2 TTPs, 6 IoCs)
  Processes: wscript.exe, wscript.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hwo1 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\hwo1.vbs\"" | wscript.exe
  Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | wscript.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hwo1 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\hwo1.vbs\"" | wscript.exe
  Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows\CurrentVersion\Run | wscript.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\LcuiFbTldv.js\"" | wscript.exe
  Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\software\microsoft\windows\currentversion\run | wscript.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: wscript.exe
  description | pid | process | target process
  PID 904 wrote to memory of 1232 | 904 | wscript.exe | wscript.exe
  PID 904 wrote to memory of 1232 | 904 | wscript.exe | wscript.exe
  PID 904 wrote to memory of 4620 | 904 | wscript.exe | wscript.exe
  PID 904 wrote to memory of 4620 | 904 | wscript.exe | wscript.exe
Processes
- C:\Windows\system32\wscript.exe (PID 904, level 1)
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\Receipt.js
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\wscript.exe (PID 1232, level 2)
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\LcuiFbTldv.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
  - C:\Windows\System32\wscript.exe (PID 4620, level 2)
    Command line: "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Roaming\hwo1.vbs"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Roaming\LcuiFbTldv.js
  Filesize: 10KB
  MD5: b9f6f0af7792ca7bc93bd1d25e2ad3af
  SHA1: 6c10df215301a87bc2d060dd638e0545d8b874a1
  SHA256: 45377bd90ec6f33844c8f24d141f0d7e7ae22abaaefdbad146021aa48091c980
  SHA512: 339438359dbf67387c1e8481b0a7befcf756b24ecdbd271a131537344c1ba72e1696ca8e9df92111cc11a75319b884a0517abd0b54782c534240f6fd8c9cc13c
- C:\Users\Admin\AppData\Roaming\hwo1.vbs
  Filesize: 13KB
  MD5: 0fa22927ed90ae0bfbc0fbc979d566ff
  SHA1: c6562835566afe7eded525f68a0cfdf6f82b4a0a
  SHA256: 9ec1848a60e25d9bf6f2d3dd2e607e269a259925b143ea20ee7dfbe58f7152e7
  SHA512: 8692696d841a50b811e21384ee040cbeb478cfe5a2f093ed7b6d1869ae910c590ad940771d9f95a76880f4c25d637d4f29fbe14e2c16b6a424e54a48812b7203
- memory/1232-130-0x0000000000000000-mapping.dmp
- memory/4620-131-0x0000000000000000-mapping.dmp