Analysis
max time kernel: 148s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23/08/2022, 11:51
Static task: static1
Behavioral task: behavioral1
  Sample: eReceipt#.js
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: eReceipt#.js
  Resource: win10v2004-20220812-en
General
Target: eReceipt#.js
Size: 20KB
MD5: f463015a0a92d3712514ef8d400942b9
SHA1: 7500026a1393410425ae99ba74aa74012d8f7c51
SHA256: caf7270a354ba192bcb3adbe0ccfe74eed5de20ce99954a5f5ace68a0c7ad265
SHA512: 57d4a81ef176f26c73d69564290e95a3cce429fec5ade22ebf59df3dd6d6215a066a0472dcbe939f647f65b57fd3ec4cbccbd0e4381161550b29e0ae2f62ee09
Malware Config
Signatures
Blocklisted process makes network request (17 IoCs)
  flow  pid   Process
  10    4872  wscript.exe
  28    4872  wscript.exe
  36    4872  wscript.exe
  37    4872  wscript.exe
  46    4872  wscript.exe
  47    4872  wscript.exe
  60    4872  wscript.exe
  63    4872  wscript.exe
  65    4872  wscript.exe
  67    4872  wscript.exe
  68    4872  wscript.exe
  69    4872  wscript.exe
  70    4872  wscript.exe
  71    4872  wscript.exe
  72    4872  wscript.exe
  73    4872  wscript.exe
  74    4872  wscript.exe

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                                    Process
  Key value queried  \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Control Panel\International\Geo\Nation   wscript.exe

Drops startup file (1 IoCs)
  description   ioc                                                                                          Process
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eReceipt#.js   wscript.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  description      ioc                                                                                                                                                Process
  Key created      \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Software\Microsoft\Windows\CurrentVersion\Run                                         wscript.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KYXNMD0WI5 = "\"C:\\Users\\Admin\\eReceipt#.js\""   wscript.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid  Process
  636  schtasks.exe

Suspicious use of WriteProcessMemory (4 IoCs)
  description                        pid   Process      procid_target
  PID 4872 wrote to memory of 4996   4872  wscript.exe  81
  PID 4872 wrote to memory of 4996   4872  wscript.exe  81
  PID 4872 wrote to memory of 636    4872  wscript.exe  82
  PID 4872 wrote to memory of 636    4872  wscript.exe  82
Processes
C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\eReceipt#.js
  PID: 4872
  - Blocklisted process makes network request
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\wscript.exe
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\TinAizYutL.js"
    PID: 4996

  C:\Windows\System32\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\eReceipt#.js
    PID: 636
    - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 5KB
MD5: 90a592e75b596744ef43f1fa1b567842
SHA1: 58ef4539d609277c5da366ea038f3d2ec951391f
SHA256: 02f55a0ea0071457afc46ea8298e9e7b9e23da7b743c906881c56d94540d76bc
SHA512: 6d73b667e7cd7d90550dcfc832ccce00a99769fcad8cff0bf5eefdfb02df09c70d35bf395ea517fcc918f0e4d7237342bfe8f9df9f3cd23504bca94a1d123ef3