Analysis
- max time kernel: 147s
- max time network: 152s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 23/08/2022, 11:51
Static task: static1
Behavioral task: behavioral1
- Sample: eReceipt#.js
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: eReceipt#.js
- Resource: win10v2004-20220812-en
General
- Target: eReceipt#.js
- Size: 20KB
- MD5: f463015a0a92d3712514ef8d400942b9
- SHA1: 7500026a1393410425ae99ba74aa74012d8f7c51
- SHA256: caf7270a354ba192bcb3adbe0ccfe74eed5de20ce99954a5f5ace68a0c7ad265
- SHA512: 57d4a81ef176f26c73d69564290e95a3cce429fec5ade22ebf59df3dd6d6215a066a0472dcbe939f647f65b57fd3ec4cbccbd0e4381161550b29e0ae2f62ee09
Malware Config
Signatures
- Blocklisted process makes network request (16 IoCs)
  flow  pid   Process
  4     1764  wscript.exe
  5     1764  wscript.exe
  6     1764  wscript.exe
  8     1764  wscript.exe
  9     1764  wscript.exe
  11    1764  wscript.exe
  13    1764  wscript.exe
  14    1764  wscript.exe
  15    1764  wscript.exe
  17    1764  wscript.exe
  18    1764  wscript.exe
  19    1764  wscript.exe
  21    1764  wscript.exe
  22    1764  wscript.exe
  23    1764  wscript.exe
  25    1764  wscript.exe
- Drops startup file (1 IoCs)
  description   ioc   Process
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eReceipt#.js  wscript.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description      ioc   Process
  Key created      \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run  wscript.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\KYXNMD0WI5 = "\"C:\\Users\\Admin\\eReceipt#.js\""  wscript.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  824   schtasks.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description                       pid   Process      procid_target
  PID 1764 wrote to memory of 944   1764  wscript.exe  28
  PID 1764 wrote to memory of 944   1764  wscript.exe  28
  PID 1764 wrote to memory of 944   1764  wscript.exe  28
  PID 1764 wrote to memory of 824   1764  wscript.exe  30
  PID 1764 wrote to memory of 824   1764  wscript.exe  30
  PID 1764 wrote to memory of 824   1764  wscript.exe  30
Processes
- C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\eReceipt#.js
  PID: 1764
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\wscript.exe (child of PID 1764)
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\TinAizYutL.js"
    PID: 944
  - C:\Windows\System32\schtasks.exe (child of PID 1764)
    Command line: "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\eReceipt#.js
    PID: 824
    - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 5KB
- MD5: 90a592e75b596744ef43f1fa1b567842
- SHA1: 58ef4539d609277c5da366ea038f3d2ec951391f
- SHA256: 02f55a0ea0071457afc46ea8298e9e7b9e23da7b743c906881c56d94540d76bc
- SHA512: 6d73b667e7cd7d90550dcfc832ccce00a99769fcad8cff0bf5eefdfb02df09c70d35bf395ea517fcc918f0e4d7237342bfe8f9df9f3cd23504bca94a1d123ef3