Analysis
max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 09-07-2022 06:42
Static task: static1
Behavioral task: behavioral1
  Sample: eReceipt.js
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: eReceipt.js
  Resource: win10v2004-20220414-en
General
Target: eReceipt.js
Size: 29KB
MD5: f073d180f8bf7dae0dfb837e8d78d82a
SHA1: b7a8e2e4debde8013a9b89e205fc750c85d525d5
SHA256: 0a3a6ef611952fbe870b4697a0cb4775a619a4b4599623cf295d6b787d6d43a5
SHA512: 3b4d0771f4050f6d7bf14679fde2d8c6278fc5b9def9e5472bc4a066fd26d9be994850874184c03791d1065d0e94ad63e2063ff382c82c496fda51a7bec6f4db
Malware Config
Extracted: vjw0rm
http://zeegod.duckdns.org:9004
Signatures

Blocklisted process makes network request (10 IoCs)
Processes:
flow  pid   process
6     3928  wscript.exe
15    3928  wscript.exe
25    3928  wscript.exe
27    3928  wscript.exe
41    3928  wscript.exe
53    3928  wscript.exe
56    3928  wscript.exe
66    3928  wscript.exe
73    3928  wscript.exe
76    3928  wscript.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
Processes:
- description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation
  process: wscript.exe
Drops startup file (1 IoC)
Processes:
- description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eReceipt.js
  process: wscript.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
- description: Key created
  ioc: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows\CurrentVersion\Run
  process: wscript.exe
- description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KYXNMD0WI5 = "\"C:\\Users\\Admin\\eReceipt.js\""
  process: wscript.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
- description: PID 3928 wrote to memory of 4652
  pid: 3928
  process: wscript.exe
  target process: wscript.exe
- description: PID 3928 wrote to memory of 4652
  pid: 3928
  process: wscript.exe
  target process: wscript.exe
- description: PID 3928 wrote to memory of 4788
  pid: 3928
  process: wscript.exe
  target process: schtasks.exe
- description: PID 3928 wrote to memory of 4788
  pid: 3928
  process: wscript.exe
  target process: schtasks.exe
Processes
C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\eReceipt.js
  - Blocklisted process makes network request
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  C:\Windows\System32\wscript.exe
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\EoqWadtefP.js"
  C:\Windows\System32\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\eReceipt.js
    - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Roaming\EoqWadtefP.js
  Filesize: 8KB
  MD5: a6c14cb2a7afb46ea8b649abc24e83f1
  SHA1: 62bb593672d13446fd62ba53bed45da09cf24bcd
  SHA256: 3c3df3cf093e39d0b670b975c61f8c4be41d7362fa488ad8627b40c09a02d3d0
  SHA512: bf75ef02d6961c2dcc2eab0ec7a1f545ff9f6e5dde5371b9b603ccd31076b6485b33e87396cd775a79332c09328386dd116b7a892fba5265a5f01a359bd92609
memory/4652-130-0x0000000000000000-mapping.dmp
memory/4788-132-0x0000000000000000-mapping.dmp