Analysis
- max time kernel: 143s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-01-2023 14:57
Static task: static1
Behavioral task: behavioral1
Sample: 8b786459da668bf229d67be2f0723d3e.js
Resource: win7-20220901-en
General
- Target: 8b786459da668bf229d67be2f0723d3e.js
- Size: 1.3MB
- MD5: 8b786459da668bf229d67be2f0723d3e
- SHA1: a049cdb8ababa353f6680203104d94df4fd8bebb
- SHA256: e5949068ab9d6e134134a471fda48012a5052bf8e4fcbd5801e0df0d617f2336
- SHA512: 47a6611f7071093df66a214753c8b5b43428bd22dade994b1e28d6c1f90d59e9b226b95ca8c5879fbd5cc1ab3145b9633df4aea12312b3a4e915b737d976fcb2
- SSDEEP: 24576:n+qRVuZ86lSFd1dLImyZDe83TrXYpPJK/msejpyqI8bFt3:n+qRVk8eo1LImytlYLKc+8P
Malware Config
Signatures

Blocklisted process makes network request (16 IoCs)
Processes: wscript.exe
  flow | pid | process
  9 | 4476 | wscript.exe
  28 | 4476 | wscript.exe
  31 | 4476 | wscript.exe
  37 | 4476 | wscript.exe
  46 | 4476 | wscript.exe
  49 | 4476 | wscript.exe
  50 | 4476 | wscript.exe
  55 | 4476 | wscript.exe
  56 | 4476 | wscript.exe
  57 | 4476 | wscript.exe
  58 | 4476 | wscript.exe
  59 | 4476 | wscript.exe
  60 | 4476 | wscript.exe
  61 | 4476 | wscript.exe
  62 | 4476 | wscript.exe
  63 | 4476 | wscript.exe

Executes dropped EXE (1 IoC)
Processes: Payload (3).exe
  pid | process
  2188 | Payload (3).exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, most likely as a geofence (the sample can refuse to run in, or behave differently for, particular locales).
Processes: wscript.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | wscript.exe

Drops startup file (2 IoCs)
A script copied into the per-user Startup folder is run by the Windows Script Host at every interactive logon, giving the sample persistence without touching the Run keys.
Processes: wscript.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UcKCgYfQCy.js | wscript.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UcKCgYfQCy.js | wscript.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials, cookies and form data. The report lists no per-process IoC for this signature.
Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
Processes: Payload (3).exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Payload (3).exe
  Key opened | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Payload (3).exe
  Key opened | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Payload (3).exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP)

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  18 | ipinfo.io
  19 | ipinfo.io
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic signature text calls this likely ransomware behaviour, but nothing else in this report (no mass file modification, no ransom note) supports that reading; taken together with the Outlook profile and browser-data access, drive enumeration is at least as consistent with an infostealer looking for files to harvest.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: Payload (3).exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | Payload (3).exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | Payload (3).exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: Payload (3).exe
  description | pid | process
  Token: SeDebugPrivilege | 2188 | Payload (3).exe

Suspicious use of WriteProcessMemory (5 IoCs)
All five writes are from the parent wscript.exe (PID 4604) into processes it had just created. A parent writing into a freshly spawned child is part of normal process creation, so on its own this signature does not indicate injection; it is the targets (a second script host and the dropped Payload (3).exe) that matter here.
Processes: wscript.exe
  description | pid | process | target process
  PID 4604 wrote to memory of 4476 | 4604 | wscript.exe | wscript.exe
  PID 4604 wrote to memory of 4476 | 4604 | wscript.exe | wscript.exe
  PID 4604 wrote to memory of 2188 | 4604 | wscript.exe | Payload (3).exe
  PID 4604 wrote to memory of 2188 | 4604 | wscript.exe | Payload (3).exe
  PID 4604 wrote to memory of 2188 | 4604 | wscript.exe | Payload (3).exe

outlook_office_path (1 IoC)
Processes: Payload (3).exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Payload (3).exe

outlook_win_path (1 IoC)
Processes: Payload (3).exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Payload (3).exe
Processes

[depth 1] C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\8b786459da668bf229d67be2f0723d3e.js
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  [depth 2] C:\Windows\System32\wscript.exe
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\UcKCgYfQCy.js"
    - Blocklisted process makes network request
    - Drops startup file

  [depth 2] C:\Users\Admin\AppData\Local\Temp\Payload (3).exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Payload (3).exe"
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
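The process tree above (wscript.exe relaunching a dropped copy of itself with //B from %APPDATA%, writing a .js into the Startup folder, and spawning Payload (3).exe out of %TEMP%) maps directly onto endpoint detection rules. The Python below is an added example and is not part of the sandbox report or its tooling: it runs three such rules over constructed Sysmon-style events (EventID 1 = process create, 11 = file create, record shape simplified) whose paths, PIDs and command lines are copied from this report. The parent of the first wscript.exe (explorer.exe) and the benign control event are assumptions, since the report does not record them.

```python
"""Detection rules for the script-host execution chain seen in this report.

Rules (each emits (rule_name, pid) when it fires):
  * script_host_batch_userdir      - wscript/cscript started with //B on a
                                     script under %APPDATA% or %TEMP%
  * script_host_spawns_temp_exe    - a script host is the parent of an .exe
                                     running from %TEMP%
  * script_host_startup_persistence - a script host writes a script into the
                                     per-user Startup folder
"""
import re
from typing import Iterable, List, Tuple

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# //B as its own token; WSH accepts it case-insensitively.
BATCH_FLAG_RE = re.compile(r"(?:^|\s)//B(?:\s|$)", re.I)
# Extensions the Windows Script Host executes.
SCRIPT_EXT_RE = re.compile(r"\.(?:js|jse|vbs|vbe|wsf)\b", re.I)
# Per-user writable locations used in this chain.
USER_WRITABLE_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\(?:Roaming|Local\\Temp)\\", re.I)
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
STARTUP_SCRIPT_RE = re.compile(
    r"\\Start Menu\\Programs\\Startup\\[^\\]+\.(?:js|jse|vbs|vbe|wsf|hta|lnk)$", re.I)

# Constructed sample telemetry. Images, PIDs and command lines come from the
# report; the explorer.exe parent and the last (benign) record are assumed.
EVENTS = [
    {"id": 1, "pid": 4604, "image": r"C:\Windows\system32\wscript.exe",
     "parent_image": r"C:\Windows\explorer.exe",  # assumed, not in the report
     "cmd": r"wscript.exe C:\Users\Admin\AppData\Local\Temp\8b786459da668bf229d67be2f0723d3e.js"},
    {"id": 1, "pid": 4476, "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\system32\wscript.exe",
     "cmd": r'"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\UcKCgYfQCy.js"'},
    {"id": 11, "pid": 4476, "image": r"C:\Windows\System32\wscript.exe",
     "target": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UcKCgYfQCy.js"},
    {"id": 1, "pid": 2188, "image": r"C:\Users\Admin\AppData\Local\Temp\Payload (3).exe",
     "parent_image": r"C:\Windows\system32\wscript.exe",
     "cmd": r'"C:\Users\Admin\AppData\Local\Temp\Payload (3).exe"'},
    # Benign control (constructed): a logon script launched by the shell.
    {"id": 1, "pid": 900, "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmd": r"wscript.exe \\corp\netlogon\map_drives.vbs"},
]


def basename(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: Iterable[dict]) -> List[Tuple[str, int]]:
    """Apply the three rules and return (rule_name, pid) for each hit, in event order."""
    findings: List[Tuple[str, int]] = []
    for ev in events:
        image = basename(ev["image"])
        if ev["id"] == 1:
            cmd = ev["cmd"]
            # Rule 1: //B (batch mode) hides script errors from the user; paired
            # with a script under %APPDATA%/%TEMP% it matches how the dropped copy
            # was relaunched in this report.
            if (image in SCRIPT_HOSTS and BATCH_FLAG_RE.search(cmd)
                    and USER_WRITABLE_RE.search(cmd) and SCRIPT_EXT_RE.search(cmd)):
                findings.append(("script_host_batch_userdir", ev["pid"]))
            # Rule 2: a script host is not an expected parent for a binary in %TEMP%.
            if (basename(ev["parent_image"]) in SCRIPT_HOSTS
                    and image.endswith(".exe") and TEMP_RE.search(ev["image"])):
                findings.append(("script_host_spawns_temp_exe", ev["pid"]))
        elif ev["id"] == 11:
            # Rule 3: a script written into the Startup folder runs at every logon.
            if image in SCRIPT_HOSTS and STARTUP_SCRIPT_RE.search(ev["target"]):
                findings.append(("script_host_startup_persistence", ev["pid"]))
    return findings


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule}: pid {pid}")
```

Run against the constructed events, the three rules fire on PIDs 4476, 4476 and 2188 respectively and stay silent on the benign logon script. The first wscript.exe (the user opening the .js from %TEMP%) is deliberately not flagged by these rules on its own; correlating it with its children is what turns the chain into a high-confidence alert.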
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\Payload (3).exe
  Filesize: 755KB
  MD5: 3e8af9fffb1b980b193508f6a8a8cdc3
  SHA1: e91e6f525952ae5a812d3cd3a795c6aeca94e527
  SHA256: ba055f5ffcf5c345e37307673717f11319326e5c4b621f336b76c4826b09f7cc
  SHA512: 072bac20632cc30aa99715e4d5f508eab6a5b143704a0cdbbf0f5f22f86f4c02204efb1eb4acf8eeca97622c074bed2aa333119e842040e34ab55bff219a1f11

C:\Users\Admin\AppData\Roaming\UcKCgYfQCy.js
  Filesize: 5KB
  MD5: e92476e9675eb8bd668e6e1144a07191
  SHA1: d3b1de85dcd84a331dbdeb033e6f00b2aa46954c
  SHA256: 3840382c8527ba2e58e6ddb72f379d17a7e95ac559b2f61d8b8e0a53d4bac9b2
  SHA512: 30d3f57b150de25b30737e13a42bfc0948144e91eb9772e3b38114fe4d19ad778eeb600c8565ecfee10a86e9a6056b12119f2116c9d82fee18367ae1412b35e3

memory/2188-134-0x0000000000000000-mapping.dmp

memory/2188-137-0x00000000007A0000-0x0000000000864000-memory.dmp
  Filesize: 784KB

memory/2188-138-0x0000000007560000-0x00000000075C6000-memory.dmp
  Filesize: 408KB

memory/2188-139-0x0000000008AB0000-0x0000000008AD2000-memory.dmp
  Filesize: 136KB

memory/2188-140-0x0000000008A80000-0x0000000008A8A000-memory.dmp
  Filesize: 40KB

memory/2188-141-0x0000000008EF0000-0x0000000008F02000-memory.dmp
  Filesize: 72KB

memory/4476-132-0x0000000000000000-mapping.dmp