Analysis
- max time kernel: 150s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 23-06-2022 05:56
Static task: static1
Behavioral task: behavioral1
  Sample: e-Receipt#009.js
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: e-Receipt#009.js
  Resource: win10v2004-20220414-en
General
- Target: e-Receipt#009.js
- Size: 163KB
- MD5: 1b4e9f90c6dcd35504ea999ba8aa54a1
- SHA1: 06721639da5b24773f5543e0684a2247911bda92
- SHA256: 793e966b5c476e439785b630c25d47748b528efb0c4b337e41aa6b64e70fd117
- SHA512: da5bb7d79fadda9b4a5207e411bc689b805990388ed2cf0f98570ddc2a2b0c81d64c6b9a2c8db505a57ffbb67cdb432a5427810f1c6c0daac8175336cad959f7
Malware Config
Signatures
- Blocklisted process makes network request (34 IoCs)
  Processes: wscript.exe, wscript.exe
  flow  pid   process
  5     4744  wscript.exe
  6     2252  wscript.exe
  15    2252  wscript.exe
  16    4744  wscript.exe
  23    2252  wscript.exe
  24    4744  wscript.exe
  25    2252  wscript.exe
  26    4744  wscript.exe
  37    2252  wscript.exe
  38    4744  wscript.exe
  42    2252  wscript.exe
  43    4744  wscript.exe
  46    2252  wscript.exe
  47    4744  wscript.exe
  50    2252  wscript.exe
  51    4744  wscript.exe
  52    2252  wscript.exe
  53    4744  wscript.exe
  54    2252  wscript.exe
  55    4744  wscript.exe
  58    2252  wscript.exe
  59    4744  wscript.exe
  60    2252  wscript.exe
  61    4744  wscript.exe
  62    2252  wscript.exe
  63    4744  wscript.exe
  64    2252  wscript.exe
  65    4744  wscript.exe
  66    2252  wscript.exe
  67    4744  wscript.exe
  68    2252  wscript.exe
  69    4744  wscript.exe
  70    2252  wscript.exe
  71    4744  wscript.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: wscript.exe
  - Key value queried: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation (wscript.exe)
- Drops startup file (3 IoCs)
  Processes: wscript.exe, wscript.exe
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nlDPzaYWSj.js (wscript.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nlDPzaYWSj.js (wscript.exe)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e-Receipt#009.js (wscript.exe)
- Adds Run key to start application (2 TTPs, 4 IoCs)
  Processes: wscript.exe, wscript.exe
  - Key created: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows\CurrentVersion\Run (wscript.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KYXNMD0WI5 = "\"C:\\Users\\Admin\\e-Receipt#009.js\"" (wscript.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows\CurrentVersion\Run (wscript.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\nlDPzaYWSj.js\"" (wscript.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: wscript.exe
  - PID 2252 wrote to memory of 4744: pid 2252, wscript.exe -> wscript.exe
  - PID 2252 wrote to memory of 4744: pid 2252, wscript.exe -> wscript.exe
  - PID 2252 wrote to memory of 5104: pid 2252, wscript.exe -> schtasks.exe
  - PID 2252 wrote to memory of 5104: pid 2252, wscript.exe -> schtasks.exe
Processes
- C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\e-Receipt#009.js
  - Blocklisted process makes network request
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID: 2252
  - C:\Windows\System32\wscript.exe
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\nlDPzaYWSj.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
    PID: 4744
  - C:\Windows\System32\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\e-Receipt#009.js
    - Creates scheduled task(s)
    PID: 5104
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Roaming\nlDPzaYWSj.js
  Filesize: 58KB
  MD5: 54f543b5d40a98120f956b0bde522fa9
  SHA1: bedab14ffa732c74366d192b8d3c9b393682960e
  SHA256: 446646baa7534faf7066fb842934ae5e6167680c0383b44e0fef9513549bc0ac
  SHA512: e463ed8564d8fb88ab45dd68d29936a068f36cbbdf2623903e68b173a24e907ebad48ab05836dfc30b58fc278dc170a301364cb396b42cf787efd9fbf3ccb76e
- memory/4744-130-0x0000000000000000-mapping.dmp
- memory/5104-132-0x0000000000000000-mapping.dmp