Analysis
-
max time kernel
142s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
12-01-2023 13:06
Static task
static1
Behavioral task
behavioral1
Sample
SPI MARINE.js
Resource
win7-20221111-en
General
-
Target
SPI MARINE.js
-
Size
1.4MB
-
MD5
520428e8d0eb089f381439c7877482a8
-
SHA1
4ece1f572b9e1eeff87287938198f7e75d99eda0
-
SHA256
ceaa4d371a7d05ee9dc926777f30684b0acd7ea78c745a8d1b3eaa77b6e85e55
-
SHA512
76ccd734760ff90ef8abfc2ebf36fb67d4924091a9a8fd626ad9722bd2fb42ab5b5a199a2e8baeac898eaba636b8e1a269c06c5f3d4813d4cd3b38e980ceda0b
-
SSDEEP
12288:E0PM6alqrN4P5/TJVnNRVRuCVPWYZYryTmp9V8wFfrPTKR4NVyqxSuogqmNx2plw:9IlqK1TJVP/VPWMYkwFfrmHqxLx1l3Hh
Malware Config
Signatures
-
Blocklisted process makes network request 16 IoCs
Processes:
wscript.exeflow pid Process 5 4852 wscript.exe 19 4852 wscript.exe 22 4852 wscript.exe 23 4852 wscript.exe 39 4852 wscript.exe 41 4852 wscript.exe 47 4852 wscript.exe 50 4852 wscript.exe 52 4852 wscript.exe 53 4852 wscript.exe 55 4852 wscript.exe 56 4852 wscript.exe 57 4852 wscript.exe 58 4852 wscript.exe 59 4852 wscript.exe 60 4852 wscript.exe -
Executes dropped EXE 1 IoCs
Processes:
Payload.exepid Process 4732 Payload.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
wscript.exedescription ioc Process Key value queried \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation wscript.exe -
Drops startup file 2 IoCs
Processes:
wscript.exedescription ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mTDWCoeANO.js wscript.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mTDWCoeANO.js wscript.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
Payload.exedescription ioc Process Key opened \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Payload.exe Key opened \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Payload.exe Key opened \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Payload.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
Payload.exedescription ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 Payload.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier Payload.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
Payload.exedescription pid Process Token: SeDebugPrivilege 4732 Payload.exe -
Suspicious use of WriteProcessMemory 5 IoCs
Processes:
wscript.exedescription pid Process procid_target PID 4460 wrote to memory of 4852 4460 wscript.exe 79 PID 4460 wrote to memory of 4852 4460 wscript.exe 79 PID 4460 wrote to memory of 4732 4460 wscript.exe 80 PID 4460 wrote to memory of 4732 4460 wscript.exe 80 PID 4460 wrote to memory of 4732 4460 wscript.exe 80 -
outlook_office_path 1 IoCs
Processes:
Payload.exedescription ioc Process Key opened \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Payload.exe -
outlook_win_path 1 IoCs
Processes:
Payload.exedescription ioc Process Key opened \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Payload.exe
Processes
-
C:\Windows\system32\wscript.exewscript.exe "C:\Users\Admin\AppData\Local\Temp\SPI MARINE.js"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4460 -
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\mTDWCoeANO.js"2⤵
- Blocklisted process makes network request
- Drops startup file
PID:4852
-
-
C:\Users\Admin\AppData\Local\Temp\Payload.exe"C:\Users\Admin\AppData\Local\Temp\Payload.exe"2⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:4732
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
755KB
MD52b7f757f0a02ced496481020f0b8f1eb
SHA121f11c5f725648d27af684ecff61c3ef7ecbcba3
SHA256e9104e917f45761bacb425fc97f53175c3ad82ac1961fd68b749c574ec81b3e9
SHA5121a13cd7f10099cfb679974fb8984ed9698bd5f2bef3beac3f06027e25ecb8147864c6b15768a204991e8e5d6eef75e3447dd816d9c00497b31f479b72197a9d7
-
Filesize
755KB
MD52b7f757f0a02ced496481020f0b8f1eb
SHA121f11c5f725648d27af684ecff61c3ef7ecbcba3
SHA256e9104e917f45761bacb425fc97f53175c3ad82ac1961fd68b749c574ec81b3e9
SHA5121a13cd7f10099cfb679974fb8984ed9698bd5f2bef3beac3f06027e25ecb8147864c6b15768a204991e8e5d6eef75e3447dd816d9c00497b31f479b72197a9d7
-
Filesize
16KB
MD552a7a3de89aa5553c03bc908385e47c6
SHA1c9119e20eb105d5f722d5fdc417a51a829b2b517
SHA2568331fd62bc3e4ebc9129cdfaaa8f1ee5e18461e13fff209e7220d6a93c8cb0fd
SHA5123bfbd03b780803142088aa898fd6443a9a1aea202a714a00173227b5ecd98deadce5c0fded80225525e7a88e5c38b591b558a0106779b168e8c5b1b7038e63e3