Analysis
max time kernel
142s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
21-06-2022 09:07
Static task
static1
Behavioral task
behavioral1
Sample
receipt.js
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
receipt.js
Resource
win10v2004-20220414-en
General
Target
receipt.js
Size
139KB
MD5
553ae64ec92c74a02701ca3881915b7b
SHA1
a6c4676312e2bb96226fbcddbed738b30d15ec1c
SHA256
5f8233b2a9235541fd9e1b526c546c911dd69e9ee5e917c2540e2123748a6eba
SHA512
0a39079d2a4a2a03356396da5339cce8d8754261437ca74212aa71a19ab6726701404462c82c02914ddb5e7c957871b434a647b592d3266415c4eb906ea687a7
Malware Config
Extracted
vjw0rm
http://zeegod.duckdns.org:9003
Signatures
Blocklisted process makes network request (13 IoCs)
Processes:
flow | pid | process
7 | 3924 | wscript.exe
8 | 4212 | wscript.exe
17 | 3924 | wscript.exe
30 | 3924 | wscript.exe
37 | 3924 | wscript.exe
44 | 3924 | wscript.exe
45 | 3924 | wscript.exe
47 | 3924 | wscript.exe
48 | 3924 | wscript.exe
49 | 3924 | wscript.exe
50 | 3924 | wscript.exe
51 | 3924 | wscript.exe
52 | 3924 | wscript.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | wscript.exe
Drops startup file (3 IoCs)
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DiIvjwrRBk.js | wscript.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DiIvjwrRBk.js | wscript.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\receipt.js | wscript.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows\CurrentVersion\Run | wscript.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\DiIvjwrRBk.js\"" | wscript.exe
Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows\CurrentVersion\Run | wscript.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1NBCD3W1VR = "\"C:\\Users\\Admin\\AppData\\Roaming\\receipt.js\"" | wscript.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of WriteProcessMemory (2 IoCs)
Processes:
description | pid | process | target process
PID 4212 wrote to memory of 3924 | 4212 | wscript.exe | wscript.exe
PID 4212 wrote to memory of 3924 | 4212 | wscript.exe | wscript.exe
Processes
C:\Windows\system32\wscript.exe (tree level 1)
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\receipt.js
  - Blocklisted process makes network request
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  C:\Windows\System32\wscript.exe (tree level 2, child of the above)
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\DiIvjwrRBk.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Roaming\DiIvjwrRBk.js
Filesize
49KB
MD5
51a764a1843be91da6398b3db85a4522
SHA1
123f9f2bf93092dc01685dcb0efa0967ad451ccd
SHA256
ea062b959e8551f2f206bfb67fc8ce1c7f6d2909fa56228f81582ceca136a932
SHA512
965314adb06f7dbcd189c76321b5926e9340dee25dadff74356a97fca005ae86429376044b08d65f6916ab9431a0c7ec2754345ce8549efea3c84e6b236be074
memory/3924-130-0x0000000000000000-mapping.dmp