740cfea615830a7aea63a90b732e95c09babefc43a2859ec210a47c08e8ea709

Analysis

max time kernel
146s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
14/01/2023, 13:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

water corporation enterprise agreement 2018 wa 15722.js
Size

62KB
MD5

fbbd2ab87eb076d202e6bd929535c609
SHA1

b3627d701873263cf9a247e93dcbe5684ce65951
SHA256

d64d9cb448ff7dfea1e641471beae99893637de21f7801b2b45b1495b90b3088
SHA512

d7498b9ea9dd456ac49c074278a13257b74754ac074dbf49538e1177f8b864264a5872e0b948a3ad5578a39a0ee4cde99878e95c3c3e20ada2d6067982f36213
SSDEEP

768:v2ghJ5gba4sC/1a7Wuj2MgJlRhQMtUpoZEFNA/Ycik0aBZyxvDvl:/Aa4sFNK4MtA620y

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	wscript.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2728	poWERsHeLl.exe
2728	poWERsHeLl.exe
2728	poWERsHeLl.exe
2728	poWERsHeLl.exe
2728	poWERsHeLl.exe
2728	poWERsHeLl.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2728	poWERsHeLl.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2468 wrote to memory of 3804	2468	wscript.EXE	87
PID 2468 wrote to memory of 3804	2468	wscript.EXE	87
PID 3804 wrote to memory of 2728	3804	cscript.exe	89
PID 3804 wrote to memory of 2728	3804	cscript.exe	89

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\water corporation enterprise agreement 2018 wa 15722.js"
1⤵
PID:1328

C:\Windows\system32\wscript.EXE
C:\Windows\system32\wscript.EXE BASEOF~1.JS
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2468
- C:\Windows\System32\cscript.exe
  "C:\Windows\System32\cscript.exe" "BASEOF~1.JS"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3804
- - C:\Windows\System32\WindowsPowerShell\v1.0\poWERsHeLl.exe
    poWERsHeLl
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2728

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\BASEOF~1.JS

Filesize
45.8MB

MD5
33a35cb8f6d3882a2c6d0477ef7f7523

SHA1
3fd9b5ae18ad7b5b2dc77d52a53185a2eb2911f0

SHA256
7dcd7acdac4258bd1767183c269a21281f6e7253364db50ffd1f08afbd452b84

SHA512
14606801f8eb46df7357edfcce11f356a63a2a2e7ba24b40345f0fe3bdf98e24c70e87d477a46ebb75afb0c218f8987853513e8c4e32c29877150da3b03488fd

Download Submit
memory/2728-135-0x000002AF7F4D0000-0x000002AF7F4F2000-memory.dmp

Filesize
136KB

Download
memory/2728-136-0x000002AF7F9F0000-0x000002AF7FA34000-memory.dmp

Filesize
272KB

Download
memory/2728-137-0x000002AF7FAC0000-0x000002AF7FB36000-memory.dmp

Filesize
472KB

Download
memory/2728-138-0x00007FFBD4DF0000-0x00007FFBD58B1000-memory.dmp

Filesize
10.8MB

Download
memory/2728-139-0x00007FFBD4DF0000-0x00007FFBD58B1000-memory.dmp

Filesize
10.8MB

Download
memory/2728-140-0x000002AF1965A000-0x000002AF1965F000-memory.dmp

Filesize
20KB

Download