Analysis
max time kernel: 149s
max time network: 154s
platform: windows7_x64
resource: win7-20220414-en
submitted: 21-06-2022 09:07
Static task: static1
Behavioral task: behavioral1 (Sample: receipt.js, Resource: win7-20220414-en)
Behavioral task: behavioral2 (Sample: receipt.js, Resource: win10v2004-20220414-en)
General
Target: receipt.js
Size: 139KB
MD5: 553ae64ec92c74a02701ca3881915b7b
SHA1: a6c4676312e2bb96226fbcddbed738b30d15ec1c
SHA256: 5f8233b2a9235541fd9e1b526c546c911dd69e9ee5e917c2540e2123748a6eba
SHA512: 0a39079d2a4a2a03356396da5339cce8d8754261437ca74212aa71a19ab6726701404462c82c02914ddb5e7c957871b434a647b592d3266415c4eb906ea687a7
Malware Config
Extracted
vjw0rm
http://zeegod.duckdns.org:9003
Signatures
-
Blocklisted process makes network request 17 IoCs
Processes: wscript.exe, wscript.exe
flow | pid | process
5 | 1580 | wscript.exe
8 | 112 | wscript.exe
9 | 112 | wscript.exe
11 | 112 | wscript.exe
14 | 112 | wscript.exe
18 | 112 | wscript.exe
20 | 112 | wscript.exe
22 | 112 | wscript.exe
25 | 112 | wscript.exe
26 | 112 | wscript.exe
29 | 112 | wscript.exe
31 | 112 | wscript.exe
33 | 112 | wscript.exe
37 | 112 | wscript.exe
39 | 112 | wscript.exe
40 | 112 | wscript.exe
43 | 112 | wscript.exe
-
Drops startup file 3 IoCs
Processes: wscript.exe, wscript.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\receipt.js | wscript.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DiIvjwrRBk.js | wscript.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DiIvjwrRBk.js | wscript.exe
-
Adds Run key to start application 2 TTPs 4 IoCs
Processes: wscript.exe, wscript.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\DiIvjwrRBk.js\"" | wscript.exe
Key created | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run | wscript.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\1NBCD3W1VR = "\"C:\\Users\\Admin\\AppData\\Roaming\\receipt.js\"" | wscript.exe
Key created | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run | wscript.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes: wscript.exe
description | pid | process | target process
PID 1580 wrote to memory of 112 | 1580 | wscript.exe | wscript.exe
PID 1580 wrote to memory of 112 | 1580 | wscript.exe | wscript.exe
PID 1580 wrote to memory of 112 | 1580 | wscript.exe | wscript.exe
Processes
-
C:\Windows\system32\wscript.exe
Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\receipt.js
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wscript.exe
Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\DiIvjwrRBk.js"
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Roaming\DiIvjwrRBk.js
Filesize: 49KB
MD5: 51a764a1843be91da6398b3db85a4522
SHA1: 123f9f2bf93092dc01685dcb0efa0967ad451ccd
SHA256: ea062b959e8551f2f206bfb67fc8ce1c7f6d2909fa56228f81582ceca136a932
SHA512: 965314adb06f7dbcd189c76321b5926e9340dee25dadff74356a97fca005ae86429376044b08d65f6916ab9431a0c7ec2754345ce8549efea3c84e6b236be074
-
memory/112-55-0x0000000000000000-mapping.dmp
-
memory/1580-54-0x000007FEFBF01000-0x000007FEFBF03000-memory.dmp
Filesize: 8KB