Analysis
- max time kernel: 147s
- max time network: 157s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 12-07-2022 09:56
Static task: static1
Behavioral task: behavioral1
- Sample: eVoucher.js
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: eVoucher.js
- Resource: win10v2004-20220414-en
General
- Target: eVoucher.js
- Size: 29KB
- MD5: 48d9924ce427fdd657487fdf2858f7f9
- SHA1: 4e6d949dfbc65d7abfae5fe2f4302c556ac0a54f
- SHA256: d339b022589120edd727f6c3307e0df5851d4073f4d8f588116cf9f49512df9b
- SHA512: d56567298581bbdd414b6d35448d0a69fc884994abf843e030fffb4337cf9122f66f10744cca4ad6745260912569fc5ef1d36d6051952c407397e7602e71a303
Malware Config
Signatures
- Blocklisted process makes network request (6 IoCs)
  Processes (flow, pid, process):
    17, 3328, wscript.exe
    26, 3328, wscript.exe
    33, 3328, wscript.exe
    40, 3328, wscript.exe
    52, 3328, wscript.exe
    53, 3328, wscript.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes (description, ioc, process):
    Key value queried, \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation, wscript.exe
- Drops startup file (1 IoC)
  Processes (description, ioc, process):
    File created, C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eVoucher.js, wscript.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description, ioc, process):
    Key created, \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows\CurrentVersion\Run, wscript.exe
    Set value (str), \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KYXNMD0WI5 = "\"C:\\Users\\Admin\\eVoucher.js\"", wscript.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (description, pid, process, target process):
    PID 3328 wrote to memory of 4152, 3328, wscript.exe, wscript.exe
    PID 3328 wrote to memory of 4152, 3328, wscript.exe, wscript.exe
    PID 3328 wrote to memory of 4676, 3328, wscript.exe, schtasks.exe
    PID 3328 wrote to memory of 4676, 3328, wscript.exe, schtasks.exe
Processes
- C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\eVoucher.js
  - Blocklisted process makes network request
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\wscript.exe
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\ZIdtxECakT.js"
  - C:\Windows\System32\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\eVoucher.js
    - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\ZIdtxECakT.js
  Filesize: 8KB
  MD5: 1faddc7933cfad79bb1e2721b209054d
  SHA1: d296650263c2056776a426b2f425efdf947f8091
  SHA256: 30c0bf91205929a0683f72394eb17014b7ada70e5ecb2f5dc33ef6fc3c75b9cb
  SHA512: 08b641e45e34eda6401cb23dfcd0b9ad815a393bdb8bd75ae214062c3edc41ea209b0fc47b0330ac787050efc467cc9157996eae24d4d0898f245c4e972d6e72
- memory/4152-130-0x0000000000000000-mapping.dmp
- memory/4676-132-0x0000000000000000-mapping.dmp