Analysis
- max time kernel: 152s
- max time network: 158s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 16-06-2022 06:41
Static task: static1
Behavioral task: behavioral1
  Sample: Receipt.js
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: Receipt.js
  Resource: win10v2004-20220414-en
General
- Target: Receipt.js
- Size: 51KB
- MD5: e7445dedca856ea9b1c29b6d44520d7d
- SHA1: 94320eb0a513675b1bd4d012d4e4782c53a8178a
- SHA256: 9360cf526c870d8dedc3d0bb6e8b8728caf1ed840f1d55aec5c05cc2bbe43759
- SHA512: 60f60e7f8f9a10e7803b520f1797f0de7470dc728edcf7cd42f1b36e7de6334bec1f4a42b528c82e93f2a4cbae2179000d1f83926d6cc1e71678e678bda0db90
Malware Config
Signatures
- suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin UA
- suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1
Blocklisted process makes network request (40 IoCs)
Processes (flow | pid | process), grouped by process:
- wscript.exe, PID 948: flows 7, 11, 13, 18, 23, 27, 31, 34, 36, 41, 45, 48, 53, 55, 59, 64
- wscript.exe, PID 2040: flows 8, 9, 12, 15, 17, 20, 22, 25, 26, 30, 32, 35, 38, 40, 43, 44, 46, 50, 51, 54, 57, 58, 62, 63
Drops startup file (4 IoCs)
Processes (description | ioc | process):
- File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hwo1.vbs | wscript.exe
- File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hwo1.vbs | wscript.exe
- File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LcuiFbTldv.js | wscript.exe
- File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LcuiFbTldv.js | wscript.exe
Adds Run key to start application (2 TTPs, 6 IoCs)
Processes (description | ioc | process):
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hwo1 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\hwo1.vbs\"" | wscript.exe
- Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run | wscript.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\LcuiFbTldv.js\"" | wscript.exe
- Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\software\microsoft\windows\currentversion\run | wscript.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\hwo1 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\hwo1.vbs\"" | wscript.exe
- Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | wscript.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of WriteProcessMemory (6 IoCs)
Processes (description | pid | process | target process):
- PID 1096 wrote to memory of 948 | 1096 | wscript.exe | wscript.exe
- PID 1096 wrote to memory of 948 | 1096 | wscript.exe | wscript.exe
- PID 1096 wrote to memory of 948 | 1096 | wscript.exe | wscript.exe
- PID 1096 wrote to memory of 2040 | 1096 | wscript.exe | wscript.exe
- PID 1096 wrote to memory of 2040 | 1096 | wscript.exe | wscript.exe
- PID 1096 wrote to memory of 2040 | 1096 | wscript.exe | wscript.exe
Processes (tree; depth shown in parentheses)
- C:\Windows\system32\wscript.exe (1)
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\Receipt.js
  PID: 1096
  - Suspicious use of WriteProcessMemory
  Child: C:\Windows\System32\wscript.exe (2)
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\LcuiFbTldv.js"
    PID: 948
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
  Child: C:\Windows\System32\wscript.exe (2)
    Command line: "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Roaming\hwo1.vbs"
    PID: 2040
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Roaming\LcuiFbTldv.js
  Filesize: 10KB
  MD5: b9f6f0af7792ca7bc93bd1d25e2ad3af
  SHA1: 6c10df215301a87bc2d060dd638e0545d8b874a1
  SHA256: 45377bd90ec6f33844c8f24d141f0d7e7ae22abaaefdbad146021aa48091c980
  SHA512: 339438359dbf67387c1e8481b0a7befcf756b24ecdbd271a131537344c1ba72e1696ca8e9df92111cc11a75319b884a0517abd0b54782c534240f6fd8c9cc13c
- C:\Users\Admin\AppData\Roaming\hwo1.vbs
  Filesize: 13KB
  MD5: 0fa22927ed90ae0bfbc0fbc979d566ff
  SHA1: c6562835566afe7eded525f68a0cfdf6f82b4a0a
  SHA256: 9ec1848a60e25d9bf6f2d3dd2e607e269a259925b143ea20ee7dfbe58f7152e7
  SHA512: 8692696d841a50b811e21384ee040cbeb478cfe5a2f093ed7b6d1869ae910c590ad940771d9f95a76880f4c25d637d4f29fbe14e2c16b6a424e54a48812b7203
- memory/948-55-0x0000000000000000-mapping.dmp
- memory/1096-54-0x000007FEFC021000-0x000007FEFC023000-memory.dmp
  Filesize: 8KB
- memory/2040-56-0x0000000000000000-mapping.dmp