Analysis
- max time kernel: 176s
- max time network: 191s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 12-07-2022 09:56
Static task: static1
Behavioral task: behavioral1
- Sample: eVoucher.js
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: eVoucher.js
- Resource: win10v2004-20220414-en
General
- Target: eVoucher.js
- Size: 29KB
- MD5: 48d9924ce427fdd657487fdf2858f7f9
- SHA1: 4e6d949dfbc65d7abfae5fe2f4302c556ac0a54f
- SHA256: d339b022589120edd727f6c3307e0df5851d4073f4d8f588116cf9f49512df9b
- SHA512: d56567298581bbdd414b6d35448d0a69fc884994abf843e030fffb4337cf9122f66f10744cca4ad6745260912569fc5ef1d36d6051952c407397e7602e71a303
Malware Config
Signatures
- Blocklisted process makes network request (13 IoCs)
  Processes: wscript.exe
  flow  pid   process
  5     1604  wscript.exe
  6     1604  wscript.exe
  7     1604  wscript.exe
  9     1604  wscript.exe
  10    1604  wscript.exe
  11    1604  wscript.exe
  13    1604  wscript.exe
  14    1604  wscript.exe
  15    1604  wscript.exe
  17    1604  wscript.exe
  18    1604  wscript.exe
  19    1604  wscript.exe
  21    1604  wscript.exe
- Drops startup file (1 IoCs)
  Processes: wscript.exe
  description   ioc                                                                                   process
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eVoucher.js  wscript.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: wscript.exe
  description      ioc                                                                                                                process
  Key created      \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run          wscript.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\KYXNMD0WI5 = "\"C:\\Users\\Admin\\eVoucher.js\""  wscript.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: wscript.exe
  description                    pid   process      target process
  PID 1604 wrote to memory of 1192  1604  wscript.exe  wscript.exe
  PID 1604 wrote to memory of 1192  1604  wscript.exe  wscript.exe
  PID 1604 wrote to memory of 1192  1604  wscript.exe  wscript.exe
  PID 1604 wrote to memory of 792   1604  wscript.exe  schtasks.exe
  PID 1604 wrote to memory of 792   1604  wscript.exe  schtasks.exe
  PID 1604 wrote to memory of 792   1604  wscript.exe  schtasks.exe
Processes
- C:\Windows\system32\wscript.exe
  wscript.exe C:\Users\Admin\AppData\Local\Temp\eVoucher.js
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\ZIdtxECakT.js"
  - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\eVoucher.js
    - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\ZIdtxECakT.js
  Filesize: 8KB
  MD5: 1faddc7933cfad79bb1e2721b209054d
  SHA1: d296650263c2056776a426b2f425efdf947f8091
  SHA256: 30c0bf91205929a0683f72394eb17014b7ada70e5ecb2f5dc33ef6fc3c75b9cb
  SHA512: 08b641e45e34eda6401cb23dfcd0b9ad815a393bdb8bd75ae214062c3edc41ea209b0fc47b0330ac787050efc467cc9157996eae24d4d0898f245c4e972d6e72
- memory/792-57-0x0000000000000000-mapping.dmp
- memory/1192-55-0x0000000000000000-mapping.dmp
- memory/1604-54-0x000007FEFB551000-0x000007FEFB553000-memory.dmp
  Filesize: 8KB