Analysis
-
max time kernel
212s -
max time network
225s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
28-11-2022 08:10
Static task
static1
Behavioral task
behavioral1
Sample
output(1)(1).js
Resource
win7-20220901-en
General
-
Target
output(1)(1).js
-
Size
9KB
-
MD5
457ddfc8f22d62496b18842824d69fe1
-
SHA1
7dbcf4a549128f0a108a40057c1b4a1c34a1023d
-
SHA256
b1a7f40f3e1a87d3db5daa508219e315d1d6ce77d772a7256eaa16d880359a90
-
SHA512
ae5c5176e164d5610c37a2950310b13735de175d0976809f4fa4fe4bf1bd19d87d4f5aa0ca453afe57512848cea80fe6432274c68da39a559e451a66d1d036ee
-
SSDEEP
192:ZblVH3Ye8iGlyi5K3hAwhB7VBOHwI+0eM1gr2JhEKyhOhr7kGLgIY9NhAAbmx:ZbciGlygwhBDOQI+EWwSLhOhX7gIY9N8
Malware Config
Extracted
formbook
tu7g
fbbktzFKN8MB1h8=
FPidEXGfkl0WqgXoVhHehw==
iHEjIL7XwJdpN6Er4Evhu03o
fHQTMsjqD3cPpQ==
VDXmCsr22oYhshz/Fg305nF21Q==
j4ZHfk5rRf6tVtwbMRU=
AORqAXKWy4R+//VwFdB6VVk=
9PW0Yw9RkIfer5+/bum7nlxwy1QfDQ==
ZU8mUjRgSOn3d0eFD3puQgVpnaAj
nlHgT2aJaMMB1h8=
+qc6XcgwdjVsEgKQ2zT+
/gCHJbBZrWjx1OZN40Hhu03o
48dX+WeLWAjFZMR2lItP8bJ87X4=
+N6H9VVzix7uogI=
Jf/NAPQe+8we7uftVhHehw==
YmANk8T+ix7uogI=
GTKxpLAYsJTl
pT8FM/QacYAV/+VInxn0
8JAnF9PnyZA29xH3Iw==
8ZdFPhCvGxYBxRCTqtB6VVk=
oEFAb1KQ+MMB1h8=
fCDG5xT7ymUxMvIE68/Fjw==
wLtTVh5ENMPcuBw=
3tmArOWR1oqbdspG4T/hu03o
77lcAEtzQPg805/bfuDMlZ1pnaAj
XSS+arndFfCsVtwbMRU=
2PF3BzB1D5I5vA==
5rxel2MIN540tg==
6/19nF6X36jo54md
K/N9Fsp90Zo99xH3Iw==
S9114R5DIM+4knCf
zn8SD0ap87Ksh1eM
LuusVc4B5KU/9xH3Iw==
7MB5NHSWhCQmqNwbMRU=
JTHI8f+o9skxAugBmgz25nF21Q==
WP20Ytf7D3cPpQ==
Kwy5vbdSu8AuqRfyVhHehw==
ZlodQQ4xAqoyDOlInxn0
+xOeO4CulTQwqNwbMRU=
hzDb1Z7REPRMIixl6Ezhu03o
KNWX0NQJ3Hx4StwbMRU=
Vv4CUhOrD5I5vA==
kmYiSSXFCNGZUtwbMRU=
aYEbzX4rkEEn3tddZVUG5nF21Q==
oHP3D/0cCf9fF/ccthX35nF21Q==
+IdOm4ejdhD4pgjpVhHehw==
5+FzWwgpHvfEf+WHp9B6VVk=
p2sdvuQNWDjM2lVGKxM=
eSW0oY3HpmCfWiweODvvkKFpnaAj
Y0b9I9cGWkNYamWV
jWot0GfQFNOZVtwbMRU=
9vKpJYsplH5CRWPb7t3MdlE=
J/p76BxPnH/79m4JJAvoxkjw
ahbVAAGe4pWqPj+5CquTZFs=
vmIgwy5bTUY0qNwbMRU=
BMFXd61VpqUwsg3B5+vO5nF21Q==
tZtIQUHrOQcOFP4WuTj8
xLRt6VeObi7+wjX+VhHehw==
oWEj0UZyUOtaG/spx0bhu03o
fmH5Ycis19Ly
ZifmGwg5l6GEQNgzTB8=
Khm1W9Z30o4foumH6dB6VVk=
po82VXUebjBVDZ/96hfy
r20yAkFfOe4WpNwbMRU=
eddiyiming.shop
Signatures
-
Blocklisted process makes network request 6 IoCs
Processes:
wscript.exeflow pid process 26 4256 wscript.exe 27 4256 wscript.exe 34 4256 wscript.exe 41 4256 wscript.exe 43 4256 wscript.exe 48 4256 wscript.exe -
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
Processes:
zz.exepid process 4352 zz.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
wscript.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation wscript.exe -
Suspicious use of SetThreadContext 3 IoCs
Processes:
zz.exeRegsvcs.exedescription pid process target process PID 4352 set thread context of 4136 4352 zz.exe Regsvcs.exe PID 4136 set thread context of 676 4136 Regsvcs.exe Explorer.EXE PID 4136 set thread context of 676 4136 Regsvcs.exe Explorer.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes:
Regsvcs.exepid process 4136 Regsvcs.exe 4136 Regsvcs.exe 4136 Regsvcs.exe 4136 Regsvcs.exe 4136 Regsvcs.exe 4136 Regsvcs.exe 4136 Regsvcs.exe 4136 Regsvcs.exe 4136 Regsvcs.exe 4136 Regsvcs.exe -
Suspicious behavior: MapViewOfSection 4 IoCs
Processes:
Regsvcs.exepid process 4136 Regsvcs.exe 4136 Regsvcs.exe 4136 Regsvcs.exe 4136 Regsvcs.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
Regsvcs.exedescription pid process Token: SeDebugPrivilege 4136 Regsvcs.exe -
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
wscript.exezz.exeExplorer.EXEdescription pid process target process PID 4256 wrote to memory of 4352 4256 wscript.exe zz.exe PID 4256 wrote to memory of 4352 4256 wscript.exe zz.exe PID 4352 wrote to memory of 4136 4352 zz.exe Regsvcs.exe PID 4352 wrote to memory of 4136 4352 zz.exe Regsvcs.exe PID 4352 wrote to memory of 4136 4352 zz.exe Regsvcs.exe PID 4352 wrote to memory of 4136 4352 zz.exe Regsvcs.exe PID 4352 wrote to memory of 4136 4352 zz.exe Regsvcs.exe PID 4352 wrote to memory of 4136 4352 zz.exe Regsvcs.exe PID 676 wrote to memory of 2920 676 Explorer.EXE msiexec.exe PID 676 wrote to memory of 2920 676 Explorer.EXE msiexec.exe PID 676 wrote to memory of 2920 676 Explorer.EXE msiexec.exe PID 676 wrote to memory of 2240 676 Explorer.EXE explorer.exe PID 676 wrote to memory of 2240 676 Explorer.EXE explorer.exe PID 676 wrote to memory of 2240 676 Explorer.EXE explorer.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of WriteProcessMemory
PID:676 -
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\output(1)(1).js2⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4256 -
C:\Users\Admin\AppData\Local\Temp\zz.exe"C:\Users\Admin\AppData\Local\Temp\zz.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4352 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Regsvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Regsvcs.exe"4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4136 -
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"2⤵PID:2240
-
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵PID:4336
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\SysWOW64\msiexec.exe"2⤵PID:2920
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\zz.exeFilesize
260KB
MD531319144a917439aa8e961cce95f82ee
SHA1eaea6b758bdba74243099d60e8dd65dcbb524351
SHA256b4455821387f7c5571cf3aa28abde41c188593a4cb5f59d0f1e9c368db49348b
SHA5120d28854203e99f9d35fbbb920a23d9829cfad3a2583d42c77515709963c347282737b7ac545673a3b7951c4e44e4c4c37209780ef9a498eeca1ac81948dccf62
-
C:\Users\Admin\AppData\Local\Temp\zz.exeFilesize
260KB
MD531319144a917439aa8e961cce95f82ee
SHA1eaea6b758bdba74243099d60e8dd65dcbb524351
SHA256b4455821387f7c5571cf3aa28abde41c188593a4cb5f59d0f1e9c368db49348b
SHA5120d28854203e99f9d35fbbb920a23d9829cfad3a2583d42c77515709963c347282737b7ac545673a3b7951c4e44e4c4c37209780ef9a498eeca1ac81948dccf62
-
memory/676-146-0x00000000084A0000-0x000000000863C000-memory.dmpFilesize
1.6MB
-
memory/676-153-0x0000000008640000-0x0000000008725000-memory.dmpFilesize
916KB
-
memory/676-152-0x00000000084A0000-0x000000000863C000-memory.dmpFilesize
1.6MB
-
memory/676-151-0x0000000008640000-0x0000000008725000-memory.dmpFilesize
916KB
-
memory/2920-154-0x0000000000000000-mapping.dmp
-
memory/4136-143-0x00000000017C0000-0x0000000001B0A000-memory.dmpFilesize
3.3MB
-
memory/4136-141-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/4136-142-0x0000000000401000-0x000000000042F000-memory.dmpFilesize
184KB
-
memory/4136-145-0x00000000016C0000-0x00000000016D0000-memory.dmpFilesize
64KB
-
memory/4136-147-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/4136-148-0x0000000000401000-0x000000000042F000-memory.dmpFilesize
184KB
-
memory/4136-150-0x0000000001760000-0x0000000001770000-memory.dmpFilesize
64KB
-
memory/4136-138-0x00000000004012B0-mapping.dmp
-
memory/4136-137-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/4352-132-0x0000000000000000-mapping.dmp
-
memory/4352-139-0x00007FF8096F0000-0x00007FF80A1B1000-memory.dmpFilesize
10.8MB
-
memory/4352-136-0x00007FF8096F0000-0x00007FF80A1B1000-memory.dmpFilesize
10.8MB
-
memory/4352-135-0x000002D5D7D50000-0x000002D5D7D94000-memory.dmpFilesize
272KB