Analysis
max time kernel: 167s
max time network: 232s
platform: windows7_x64
resource: win7-20220414-en
submitted: 16-06-2022 06:40
Static task: static1
Behavioral task: behavioral1
  Sample: Electroinc receipt #170622-HWRM-AMZN.js
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: Electroinc receipt #170622-HWRM-AMZN.js
  Resource: win10v2004-20220414-en
General
Target: Electroinc receipt #170622-HWRM-AMZN.js
Size: 50KB
MD5: b4ff9e813c3c7f228605b07932bfbe86
SHA1: 3ef44f9fec10cd94d2cd5c71799d79ef103a2e1a
SHA256: abd35915269d9b7031f7a74be2827e2e5591734f41e0e0da9ea42f9654f79dfa
SHA512: e3114ae026e9e540ecaaf3dcba1a2de23c017443dcfe874da57f2b04dcdd7d660ce6b81732665aecec717966932be3c7992ac27b42be803bdbb999a2308ba1ba
Malware Config
Signatures
Blocklisted process makes network request (46 IoCs)
Processes: wscript.exe, wscript.exe
flow  pid   process
7     1092  wscript.exe
8     1108  wscript.exe
9     1108  wscript.exe
11    1092  wscript.exe
12    1108  wscript.exe
13    1108  wscript.exe
14    1092  wscript.exe
17    1108  wscript.exe
18    1108  wscript.exe
21    1092  wscript.exe
22    1108  wscript.exe
23    1108  wscript.exe
25    1092  wscript.exe
26    1108  wscript.exe
27    1108  wscript.exe
29    1092  wscript.exe
31    1108  wscript.exe
32    1108  wscript.exe
34    1092  wscript.exe
36    1108  wscript.exe
37    1108  wscript.exe
39    1092  wscript.exe
40    1108  wscript.exe
41    1108  wscript.exe
43    1092  wscript.exe
45    1108  wscript.exe
46    1108  wscript.exe
48    1092  wscript.exe
50    1108  wscript.exe
51    1108  wscript.exe
53    1092  wscript.exe
54    1108  wscript.exe
55    1108  wscript.exe
57    1092  wscript.exe
59    1108  wscript.exe
60    1108  wscript.exe
62    1092  wscript.exe
64    1108  wscript.exe
65    1108  wscript.exe
66    1092  wscript.exe
68    1108  wscript.exe
70    1092  wscript.exe
71    1108  wscript.exe
73    1108  wscript.exe
74    1092  wscript.exe
76    1108  wscript.exe
Drops startup file (4 IoCs)
Processes: wscript.exe, wscript.exe, wscript.exe
description                   ioc                                                                                          process
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BypceJOrnQ.js  wscript.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1.vbs          wscript.exe
File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1.vbs          wscript.exe
File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BypceJOrnQ.js  wscript.exe
Adds Run key to start application (2 TTPs, 10 IoCs)
Processes: wscript.exe, wscript.exe, wscript.exe
description      ioc                                                                                                                                                     process
Key created      \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run                                                                                         wscript.exe
Key created      \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\software\microsoft\windows\currentversion\run                                             wscript.exe
Key created      \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run                                             wscript.exe
Key created      \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\software\microsoft\windows\currentversion\run                                             wscript.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\1 = "wscript.exe //B \"C:\\ProgramData\\1.vbs\""  wscript.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1 = "wscript.exe //B \"C:\\ProgramData\\1.vbs\""                                          wscript.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\1 = "wscript.exe //B \"C:\\ProgramData\\1.vbs\""  wscript.exe
Key created      \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run                                                                                         wscript.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1 = "wscript.exe //B \"C:\\ProgramData\\1.vbs\""                                          wscript.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\BypceJOrnQ.js\""  wscript.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of WriteProcessMemory (9 IoCs)
Processes: wscript.exe, wscript.exe
description                     pid   process      target process
PID 880 wrote to memory of 1092   880   wscript.exe  wscript.exe
PID 880 wrote to memory of 1092   880   wscript.exe  wscript.exe
PID 880 wrote to memory of 1092   880   wscript.exe  wscript.exe
PID 880 wrote to memory of 1716   880   wscript.exe  wscript.exe
PID 880 wrote to memory of 1716   880   wscript.exe  wscript.exe
PID 880 wrote to memory of 1716   880   wscript.exe  wscript.exe
PID 1716 wrote to memory of 1108  1716  wscript.exe  wscript.exe
PID 1716 wrote to memory of 1108  1716  wscript.exe  wscript.exe
PID 1716 wrote to memory of 1108  1716  wscript.exe  wscript.exe
Processes
C:\Windows\system32\wscript.exe (PID 880)
  Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\Electroinc receipt #170622-HWRM-AMZN.js"
  - Suspicious use of WriteProcessMemory
  C:\Windows\System32\wscript.exe (PID 1092)
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\BypceJOrnQ.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
  C:\Windows\System32\wscript.exe (PID 1716)
    Command line: "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Roaming\1.vbs"
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\wscript.exe (PID 1108)
      Command line: "C:\Windows\System32\wscript.exe" //B "C:\ProgramData\1.vbs"
      - Blocklisted process makes network request
      - Drops startup file
      - Adds Run key to start application
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\ProgramData\1.vbs
  Filesize: 13KB
  MD5: b35e3e27a51c38b3c80edb236338dc8a
  SHA1: 1e696d13ade727030d8f0c921e4a603402ccce49
  SHA256: d572c9837b6e5125ab6beef8b833bc2ce2ba2d150f5d876c5510b406b0faa32f
  SHA512: bfd8a293f01fe7b9b5b154d3639808da3d9484324f61a06a2fb5c0c5d61d14574c3f2881008c43456305ed446a01da2c75d6cf604ebcb66266df750396a13677
C:\Users\Admin\AppData\Roaming\1.vbs
  Filesize: 13KB
  MD5: b35e3e27a51c38b3c80edb236338dc8a
  SHA1: 1e696d13ade727030d8f0c921e4a603402ccce49
  SHA256: d572c9837b6e5125ab6beef8b833bc2ce2ba2d150f5d876c5510b406b0faa32f
  SHA512: bfd8a293f01fe7b9b5b154d3639808da3d9484324f61a06a2fb5c0c5d61d14574c3f2881008c43456305ed446a01da2c75d6cf604ebcb66266df750396a13677
C:\Users\Admin\AppData\Roaming\BypceJOrnQ.js
  Filesize: 10KB
  MD5: caeb0950a5e4b8e6ba5afb1933670778
  SHA1: 21e5ab00fc5c624b37c6253003bfb308b97a5b64
  SHA256: bf5afb70af5a7a469a630131da230dbbb2aa14107d6052d84e94dc12640ca0ed
  SHA512: 392b44a6ddd35ff898261360a82ae3d5ad9b2456618024e92e87ddb648b6fd91dbacaaff8cd14b14332a8df87cb2018c579169cd945562ea83cae2e7089d361e
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1.vbs
  Filesize: 13KB
  MD5: b35e3e27a51c38b3c80edb236338dc8a
  SHA1: 1e696d13ade727030d8f0c921e4a603402ccce49
  SHA256: d572c9837b6e5125ab6beef8b833bc2ce2ba2d150f5d876c5510b406b0faa32f
  SHA512: bfd8a293f01fe7b9b5b154d3639808da3d9484324f61a06a2fb5c0c5d61d14574c3f2881008c43456305ed446a01da2c75d6cf604ebcb66266df750396a13677
memory/880-54-0x000007FEFBAA1000-0x000007FEFBAA3000-memory.dmp
  Filesize: 8KB
memory/1092-55-0x0000000000000000-mapping.dmp
memory/1108-60-0x0000000000000000-mapping.dmp
memory/1716-57-0x0000000000000000-mapping.dmp