Analysis

Max time kernel: 150s
Max time network: 152s
Platform: windows10-2004_x64
Resource: win10v2004-20220812-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 26/09/2022, 09:26

Static task: static1
Behavioral task: behavioral1
Sample: Order_PO62525112155.js
Resource: win7-20220812-en
General

Target: Order_PO62525112155.js
Size: 348KB
MD5: baa9ab709a99c55195c2fe2d337ea9e6
SHA1: 42959e7df94322d5aae1218db8dd24448ee8b3e6
SHA256: b5fe0b324c6401f3b25e3dc121d159b663cfd2e58dfe161fddfdef7e107f4f80
SHA512: b0195c452dc4112e037f6737f57f04df6a6dad553932b7241300115a11a732438d8de6158673ea06d7e8b7bb81394018f90119494eb6750c7a1e6a1c68eed390
SSDEEP: 6144:amMlxZnzblW5d1qLE/yNo3YuKsYN7NssdJm2JZ7k29RypsQo1o0t+f:amM3Jz3VeYuKPHs+Jzi29RWsQo8f
Malware Config

Extracted
Family: formbook
Campaign: douy
Extracted strings (64, listed as the extractor emitted them; the report does not decode them):
q/gE5cI3rDQ=
mWCSTU/0Qg0y2LI=
Ozoj90916XZyH/FO1eCN0FbH3B8AxgG7Ew==
g5GYftfE/MwWgYzxjKuH
vYfWrnDlWBLBYqeE
Ovww28VyrH1wHcha2A==
lqgaxrprk2qvYslb2g==
oELEK3LYUxWCa7iY1pVWxhBaQQ==
8Qp7H/31ZmEJzbA=
v1ZJvbrbN8Csuid/4vRrXKLjDoB3PQa5
ZCbNYcXjHpvlbrKO
9LL1wbJRw4QPGFwyQxePqS2ZaO3T1Q==
H9oCe3eR/b6yh8lO07snFpmfgI0=
+9aXS875O7eqViZPlo47yhxnSw==
eTqN+HUSjk3lbrKO
xDCvt/BcVjCQ
+5yHTtcBR9bcr/Ok2xfBCw==
up7eiFXqd0blbrKO
tIDEiHde4YZeHcha2A==
CNDqbko6tnpqHcha2A==
47bzd0jrQg0y2LI=
rXRDEYyuMNemnAqf2xfBCw==
x8lEuRlJdEC5rQnaNZB7U5I=
LeqXHZ7zN7OqVSaMGw5zyhxnSw==
X2DIpYjvFdUTxqs=
Ge6dE1t+uVqrZRAmYw2J
3rJrGmlTozkSqHzN2YtDyhxnSw==
ePvhVS4nmlRMNn1ao9c=
AqYsl91JvX868F5IiuSe06D1
39/GnNvMCxHwvKs=
iJYdpxRFdxtgRpy7vheP
VRrAa+cQTs/WpPC9HrBYFTZ8Xazrf8c=
p34+9z9g0ElV+eSZ
UGLNi5E9hhiSQhn2fciL+bv9
+wUMhl9DGE6MhfDF00zcFYU=
PQTLd8G1AJvlbrKO
VSRU9OSFsTK11lA3O/w+IFbi
r7IzE+zD0L6fHcha2A==
YPRmRD3rKGnFaehH0g==
0aZW+WXZQwXBYqeE
O/9GrgkxbDt+Xd0wwQ==
5bLyzGdWxIigOwJe2w==
QwlO9cvzGaqSaehH0g==
PAQ5B+Z4v69pH5kBbMo=
HP6xMa8A/bipSi26AlzXbG1ySg==
aTR1Py9/s33w1gDRQ79yTEm9aO3T1Q==
qrwavJd/7HeAP4ITVmniAw==
1m10O/4ng42NmqU=
6rh5HoGS2l1E9uq7vheP
QhhdFyZWmi0=
p4lQ/U5Li2C2d6m7vheP
h4cAabfHCJKLOBZxqxLTEg==
hXzz0enrLUpUUA==
cjh7RivVR9lSA+C7OpB7U5I=
+PXanegRnWRmHcha2A==
9L+QZdb7YQ0I+mY3iqqG
4mdxX2YLZv5c/RWqtt0=
0t5k2Cg6dvbklHvgVFjczUVvfYc=
8a/oeWECOQbRgFxntJQXKV+WabgH
OhZFuHsPSiAJ3tfoSljk5jJ4HKzrf8c=
JRaPHH2f53B8CEaos3dyTtpG08y7wQ==
bHx1P7AZjlDvJ3vd2xfBCw==
eX5uU7yv10QdGkyi2xfBCw==
0sGoigc0sk0uQLgigoc4yhxnSw==
Plaintext domain: bigeasypizza.com
Signatures

Blocklisted process makes network request (6 IoCs)
flow  pid   Process
7     4676  wscript.exe
19    4676  wscript.exe
45    4676  wscript.exe
54    4676  wscript.exe
69    4676  wscript.exe
81    4676  wscript.exe

Executes dropped EXE (1 IoCs)
pid   Process
1600  binx.exe

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence check.
description        ioc                                                                                                 Process
Key value queried  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation  wscript.exe
Key value queried  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation  binx.exe

Drops startup file (2 IoCs)
description                   ioc                                                                                         Process
File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\spFEowQViP.js  wscript.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\spFEowQViP.js  wscript.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.

Suspicious use of SetThreadContext (3 IoCs)
description                          pid   Process      procid_target
PID 1600 set thread context of 2712  1600  binx.exe     40
PID 1600 set thread context of 2712  1600  binx.exe     40
PID 3932 set thread context of 2712  3932  cscript.exe  40
PID 2712 is Explorer.EXE (see Processes below).

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). The sandbox's stock note for this signature reads "likely ransomware behaviour"; the extracted configuration identifies this sample as Formbook, an infostealer, so treat that note as a generic heuristic rather than a classification of this sample.

Modifies Internet Explorer settings (1 IoCs)
description  ioc                                                                                                                    Process
Key created  \Registry\User\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2  cscript.exe
IntelliForms\Storage2 is where Internet Explorer keeps AutoComplete form data and saved credentials, which matches the browser-data signature above.

Suspicious behavior: EnumeratesProcesses (62 IoCs)
pid   Process      events
1600  binx.exe     10
3932  cscript.exe  52

Suspicious behavior: MapViewOfSection (8 IoCs)
pid   Process      events
1600  binx.exe     4
3932  cscript.exe  4

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description              pid   Process
Token: SeDebugPrivilege  1600  binx.exe
Token: SeDebugPrivilege  3932  cscript.exe

Suspicious use of WriteProcessMemory (11 IoCs)
description                       pid   Process      procid_target  events
PID 4248 wrote to memory of 4676  4248  wscript.exe  80             2
PID 4248 wrote to memory of 1600  4248  wscript.exe  81             3
PID 1600 wrote to memory of 3932  1600  binx.exe     88             3
PID 3932 wrote to memory of 2116  3932  cscript.exe  91             3
Processes

1. C:\Windows\system32\wscript.exe (PID 4248)
   Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\Order_PO62525112155.js
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\System32\wscript.exe (PID 4676)
      Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\spFEowQViP.js"
      - Blocklisted process makes network request
      - Drops startup file

   2. C:\Users\Admin\AppData\Local\Temp\binx.exe (PID 1600)
      Command line: "C:\Users\Admin\AppData\Local\Temp\binx.exe"
      - Executes dropped EXE
      - Checks computer location settings
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\cscript.exe (PID 3932)
         Command line: "C:\Windows\SysWOW64\cscript.exe"
         - Suspicious use of SetThreadContext
         - Modifies Internet Explorer settings
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: MapViewOfSection
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory

         4. C:\Program Files\Mozilla Firefox\Firefox.exe (PID 2116)
            Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"

1. C:\Windows\Explorer.EXE (PID 2712)
   Command line: C:\Windows\Explorer.EXE

Two points worth noting in this tree. The //B switch runs wscript.exe in batch mode, which suppresses script error dialogs and prompts, so the persisted copy in %APPDATA% runs silently. And cscript.exe (PID 3932) is started with no script argument at all, while the WriteProcessMemory and SetThreadContext rows above show binx.exe writing into it and both binx.exe and cscript.exe setting thread context in Explorer.EXE (PID 2712); that is consistent with the process-hollowing chain the signatures record, not with ordinary script execution.
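The chain above (script host dropping a script into the Startup folder, launching an EXE from %TEMP%, a script host started with no script, thread context set in Explorer.EXE, and a browser spawned from the hollowed script host) maps directly onto hunting rules. The following is an added example written for this page, not the sandbox's own code: it runs those rules over a set of constructed events that mirror the report's process tree and IoC rows (PIDs and paths copied from the report). The event schema, the rule names and the decision to model the SetThreadContext rows as a generic "thread" event are assumptions, since the page does not say which telemetry source produced them.

```python
"""Hunting rules for the behaviour chain recorded in this report.

Added example, not the sandbox's code. SAMPLE_EVENTS is constructed to mirror
the process tree and the startup-file / SetThreadContext rows above; the
Event schema is an assumption loosely modelled on process-create, file-create
and thread-access records, not on any particular product's log format.
"""
import re
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "iexplore.exe"}
# Script dropped into the per-user Startup folder (persistence).
STARTUP_RE = re.compile(
    r"\\Start Menu\\Programs\\Startup\\[^\\]+\.(?:js|jse|vbs|vbe|wsf|hta)$", re.I)
# Executable started from %TEMP% or %APPDATA% (dropped payload).
USER_EXE_RE = re.compile(r"\\AppData\\(?:Local\\Temp|Roaming)\\[^\\]+\.exe$", re.I)
# A script host is normally handed a script file on its command line.
SCRIPT_ARG_RE = re.compile(r"\.(?:js|jse|vbs|vbe|wsf)\b", re.I)


@dataclass(frozen=True)
class Event:
    kind: str                 # "process", "file" or "thread" (assumed schema)
    pid: int
    image: str                # full path of the acting process
    cmdline: str = ""
    ppid: int = 0
    parent_image: str = ""
    target: str = ""          # file path (file) or target image (thread)
    target_pid: int = 0


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def hunt(events):
    """Return (rule, pid) pairs for every event that matches a rule."""
    hits = []
    for e in events:
        img, parent = basename(e.image), basename(e.parent_image)
        if e.kind == "process":
            if parent in SCRIPT_HOSTS and USER_EXE_RE.search(e.image):
                hits.append(("script_host_spawns_exe_from_profile", e.pid))
            if img in SCRIPT_HOSTS and not SCRIPT_ARG_RE.search(e.cmdline):
                hits.append(("script_host_without_script_argument", e.pid))
            if parent in SCRIPT_HOSTS and img in BROWSERS:
                hits.append(("script_host_spawns_browser", e.pid))
        elif e.kind == "file":
            if img in SCRIPT_HOSTS and STARTUP_RE.search(e.target):
                hits.append(("script_written_to_startup_folder", e.pid))
        elif e.kind == "thread":
            # Another process changing a thread context inside explorer.exe.
            if basename(e.target) == "explorer.exe" and e.target_pid != e.pid:
                hits.append(("thread_context_set_in_explorer", e.pid))
    return hits


# Constructed events mirroring this report's process tree and IoC rows.
SAMPLE_EVENTS = [
    Event("process", 4248, r"C:\Windows\system32\wscript.exe",
          cmdline=r"wscript.exe C:\Users\Admin\AppData\Local\Temp\Order_PO62525112155.js",
          ppid=2712, parent_image=r"C:\Windows\Explorer.EXE"),
    Event("process", 4676, r"C:\Windows\System32\wscript.exe",
          cmdline=r'"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\spFEowQViP.js"',
          ppid=4248, parent_image=r"C:\Windows\system32\wscript.exe"),
    Event("file", 4676, r"C:\Windows\System32\wscript.exe",
          target=r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\spFEowQViP.js"),
    Event("process", 1600, r"C:\Users\Admin\AppData\Local\Temp\binx.exe",
          cmdline=r'"C:\Users\Admin\AppData\Local\Temp\binx.exe"',
          ppid=4248, parent_image=r"C:\Windows\system32\wscript.exe"),
    Event("thread", 1600, r"C:\Users\Admin\AppData\Local\Temp\binx.exe",
          target=r"C:\Windows\Explorer.EXE", target_pid=2712),
    Event("process", 3932, r"C:\Windows\SysWOW64\cscript.exe",
          cmdline=r'"C:\Windows\SysWOW64\cscript.exe"',
          ppid=1600, parent_image=r"C:\Users\Admin\AppData\Local\Temp\binx.exe"),
    Event("thread", 3932, r"C:\Windows\SysWOW64\cscript.exe",
          target=r"C:\Windows\Explorer.EXE", target_pid=2712),
    Event("process", 2116, r"C:\Program Files\Mozilla Firefox\Firefox.exe",
          cmdline=r'"C:\Program Files\Mozilla Firefox\Firefox.exe"',
          ppid=3932, parent_image=r"C:\Windows\SysWOW64\cscript.exe"),
]

if __name__ == "__main__":
    for rule, pid in hunt(SAMPLE_EVENTS):
        print(f"{rule:40} pid={pid}")
```

Run stand-alone it prints six hits: the startup-folder drop by PID 4676, binx.exe (1600) launched from %TEMP% by a script host, cscript.exe (3932) started without a script, thread context set in Explorer.EXE by both 1600 and 3932, and Firefox (2116) spawned from cscript.exe. The first wscript.exe (4248) produces no hit because it is handed a real script path, which is the baseline these rules are meant to stay quiet on.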
Network
MITRE ATT&CK Enterprise v6
Downloads

File (this entry appears twice in the report)
Filesize: 185KB
MD5: 21718633ba6c7c6e83147a334dd6266c
SHA1: 5459c562ed6c407ce38b860ce4e594e9c3744235
SHA256: 43917a72ddc8088875ae0d248876d31f6dffd5ad4bb18a25ae5cadf2a7010bf6
SHA512: 8c37c1eda02435ad02a411a57efc035cdd69cb43a0b5da6f21b470ac56e9ea2eba041587b8c41bd6539a0905603990d2939104dafc029af6fe35bbd6a22d836a

File
Filesize: 7KB
MD5: 4326214270abe9617a275433b8c6e10b
SHA1: f7f175d352a1b08c702101ef47d46cf5f79e1bf3
SHA256: b06c913e4c3d3e5476ff270359cfd431ae6cedb6088e7ce6dd78eb01f5e2603f
SHA512: b576ada7cfb97f367f1e3480a9fb02b630584ac7f5826c6a21f75046961cb724e6733a53b96cd24843bc06edbb25fbc5585e1164f1cf34ec5533a1c8e0490ac8