Analysis
-
max time kernel
148s -
max time network
152s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
14-07-2022 23:28
Static task
static1
Behavioral task
behavioral1
Sample
eReceipt.js
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
eReceipt.js
Resource
win10-20220414-en
General
-
Target
eReceipt.js
-
Size
7KB
-
MD5
c6e1e11d1f9f05501b0eea97141302fa
-
SHA1
f80eeea1b2414c1438a53eccec4065913fb76ee2
-
SHA256
44aec011118a0f9692f2f7a53d9dfeb70835c8c1cf80338f48833c65d625ad80
-
SHA512
4f22da1454bd9c35e8722f6568d0d5ebe2e25c3a0269821e17d1ff92cc905db70dd63f545a2c9257ef374ffc0f52fa80b585166023345e913249fc51d0ccd8db
Malware Config
Extracted
vjw0rm
http://zeegod.duckdns.org:9004
Signatures
-
Blocklisted process makes network request 1 IoCs
Processes:
wscript.exeflow pid process 4 956 wscript.exe -
Drops startup file 1 IoCs
Processes:
wscript.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eReceipt.js wscript.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
wscript.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run wscript.exe Set value (str) \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\KYXNMD0WI5 = "\"C:\\Users\\Admin\\eReceipt.js\"" wscript.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
wscript.exedescription pid process target process PID 956 wrote to memory of 1416 956 wscript.exe wscript.exe PID 956 wrote to memory of 1416 956 wscript.exe wscript.exe PID 956 wrote to memory of 1416 956 wscript.exe wscript.exe PID 956 wrote to memory of 1676 956 wscript.exe schtasks.exe PID 956 wrote to memory of 1676 956 wscript.exe schtasks.exe PID 956 wrote to memory of 1676 956 wscript.exe schtasks.exe
Processes
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\eReceipt.js1⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\RepLnVOlLK.js"2⤵
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\eReceipt.js2⤵
- Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\RepLnVOlLK.jsFilesize
534B
MD5aa4b9cad70ba92e675c6d716599dafb4
SHA12bbabee120011aa3cd665f2c40cce9191e4afded
SHA256758e4e99009829dcfd512bb28b2f5a11bb99fdaac232a59f261e226ff76260a8
SHA512fbd8abe4df2d581fca057173157ee1afc438f2703f70d55d9855ac0ecff4ae8437e10ef267a52746f851ebe3d4c77a67ed606f919695052f6aeb36519d2b9eb4
-
memory/956-54-0x000007FEFC281000-0x000007FEFC283000-memory.dmpFilesize
8KB
-
memory/1416-55-0x0000000000000000-mapping.dmp
-
memory/1676-57-0x0000000000000000-mapping.dmp