Overview

overview

7

Static

static

Protected Client.js

windows7-x64

3

Protected Client.js

windows10-2004-x64

7

Analysis

  • max time kernel
    73s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-11-2022 07:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Protected Client.js

  • Size

    1KB

  • MD5

    8661f783af6a1226a3c3367cf17bf929

  • SHA1

    3dc569cee05b5a1c1f8b22ef07e65c266a7617ca

  • SHA256

    a89012aa8d570ec8b063bf81dc14037395131745ccb29b076a6d993334c19621

  • SHA512

    9fc90f5f2cc49677eadf6bd23835783fd360297a9bd27893c1787d894f320b50a87fb318aa21eae6b32499ba42d19c4d5d056995e26c768cf1ff952b621cc39c

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe "C:\Users\Admin\AppData\Local\Temp\Protected Client.js"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2012
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Can’t reach this page Can’t reach this page Make sure the web address http://104.223.67.151 is correct Search for this site on Bing Refresh the page Check that all network cables are plugged in. Verify that airplane mode is turned off. Make sure your wireless switch is turned on. See if you can connect to mobile broadband. Restart your router. More information <id id="moreInformation">More information</id> This website could not be found. Error Code: INET_E_RESOURCE_NOT_FOUND Fix connection problems
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4964
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Move-Item 'C:\Users\Admin\AppData\Local\Temp\Protected Client.js' 'C:\Users\Admin\\AppData\\Roaming\\Microsoft\\Windows\Start Menu\Programs\Startup\'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: RenamesItself
      • Suspicious use of AdjustPrivilegeToken
      PID:664
  • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
    "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
    1⤵
      PID:1156
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4924
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4924 CREDAT:17410 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:4892

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
      Filesize

      471B

      MD5

      dedb504b3469b24ec0df79c68f5772e2

      SHA1

      177a8b1045b456316ca32d90aba942bf34774c64

      SHA256

      e18111fd56db31f02eb16990f0bbc7991a0c80571703281ee66010e229c9f8b0

      SHA512

      101312fa01991caeaef010d0d21e740244cb3768490a1b82ae12e7524e50b6e7f2e23c08978ac4c373e9013baa0a8f50de8e1994341556b78ecd88ce13df5680

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
      Filesize

      434B

      MD5

      272099cbd0296202461a083ea9d085e6

      SHA1

      eb40612bf2e3c019c64614bec4f43661e14e0db5

      SHA256

      4b32bd34f4c3b35d6b593c8eddb2d2216f82243ffb8ea2c24a3ea78cae6a4cd4

      SHA512

      feded02bcb0d7687a95c207b9acbea75303baf48da6ff26c23781e9529e4173a71b672362e2499551051498c9218cd5e383e44f23b267c6137925e590c3e379d

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      6cf293cb4d80be23433eecf74ddb5503

      SHA1

      24fe4752df102c2ef492954d6b046cb5512ad408

      SHA256

      b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

      SHA512

      0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      6d3e9c29fe44e90aae6ed30ccf799ca8

      SHA1

      c7974ef72264bbdf13a2793ccf1aed11bc565dce

      SHA256

      2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

      SHA512

      60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

      Download Submit

    • memory/664-133-0x0000000000000000-mapping.dmp

      Download

    • memory/664-138-0x00007FFA05CF0000-0x00007FFA067B1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4964-132-0x0000000000000000-mapping.dmp

      Download

    • memory/4964-134-0x000001918C8A0000-0x000001918C8C2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/4964-137-0x00007FFA05CF0000-0x00007FFA067B1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4964-139-0x00007FFA05CF0000-0x00007FFA067B1000-memory.dmp

      Filesize

      10.8MB

      Download