Analysis
max time kernel: 148s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-02-2023 11:29
Static task: static1
Behavioral task: behavioral1
  Sample: Request for PO_2023.js
  Resource: win7-20220901-en
General
Target: Request for PO_2023.js
Size: 1.3MB
MD5: 70653ab99274c82b0a279a3385f62d04
SHA1: fc35767cfddafe185ec263c1eaf2d5acc65714a8
SHA256: 85e2252b565492389e6dc161551a3c82b9fcc6b3873ca2f7f4a2e99d87ca6c9f
SHA512: 5686564725d64a1883e62d50399d8b650e3deb45e7b569b0def53573bc9dd21c2fc276c1e5422c4b26ba66b0cdccb032ebe770b6f974bea45679ea4adc88042b
SSDEEP: 24576:ju9bPTr3v4HG3dvjcYxRVBw+H8AirMFTYs0RU:iFTrw4LcfpMCRK
Malware Config
Signatures

Blocklisted process makes network request (16 IoCs)
  Processes (flow / PID / process):
    wscript.exe, PID 2428: flows 8, 26, 28, 38, 39, 42, 44, 45, 46, 48, 49, 50, 51, 52, 53, 54

Executes dropped EXE (1 IoC)
  Processes (PID / process):
    1816 Payload p.exe

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Processes (description / IoC / process):
    Key value queried: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation (wscript.exe)

Drops startup file (2 IoCs)
  Processes (description / IoC / process):
    File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wHxgzZKiRX.js (wscript.exe)
    File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wHxgzZKiRX.js (wscript.exe)

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes (description / IoC / process):
    Key opened: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (Payload p.exe)
    Key opened: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (Payload p.exe)
    Key opened: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (Payload p.exe)

Legitimate hosting services abused for malware hosting/C2 (1 TTP)

Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow / IoC):
    14 ipinfo.io
    15 ipinfo.io

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  (Generic signature text. Nothing else in this report points to ransomware; the browser-data, Outlook-profile and external-IP activity is infostealer behaviour, and drive enumeration is common to both.)

Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description / IoC / process):
    Key opened: \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 (Payload p.exe)
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier (Payload p.exe)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / PID / process):
    Token: SeDebugPrivilege, PID 1816, Payload p.exe

Suspicious use of WriteProcessMemory (5 IoCs)
  Processes (description / PID / process / target process):
    PID 2124 wrote to memory of 2428: wscript.exe -> wscript.exe
    PID 2124 wrote to memory of 2428: wscript.exe -> wscript.exe
    PID 2124 wrote to memory of 1816: wscript.exe -> Payload p.exe
    PID 2124 wrote to memory of 1816: wscript.exe -> Payload p.exe
    PID 2124 wrote to memory of 1816: wscript.exe -> Payload p.exe

outlook_office_path (1 IoC)
  Processes (description / IoC / process):
    Key opened: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (Payload p.exe)

outlook_win_path (1 IoC)
  Processes (description / IoC / process):
    Key opened: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (Payload p.exe)
Processes

C:\Windows\system32\wscript.exe (PID 2124)
  wscript.exe "C:\Users\Admin\AppData\Local\Temp\Request for PO_2023.js"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\wscript.exe (PID 2428, child of 2124)
    "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\wHxgzZKiRX.js"
    - Blocklisted process makes network request
    - Drops startup file

  C:\Users\Admin\AppData\Local\Temp\Payload p.exe (PID 1816, child of 2124)
    "C:\Users\Admin\AppData\Local\Temp\Payload p.exe"
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
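As an added example that is not part of the Triage report, the Python below turns the signatures and process tree above into endpoint detection rules and runs them over constructed Sysmon-style events that mirror this chain: a script host running a .js from a user-writable directory, the //B (batch, no error pop-ups) flag, a script host spawning an EXE from Temp, a script written into the Startup folder, the Geo\Nation geofence lookup, and Outlook profile access from a process in a user-writable path. The Event layout, the explorer.exe parent of the first wscript.exe, and the benign noise events are assumptions; PIDs, paths and registry keys are taken from the report.

```python
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Event:
    """Minimal Sysmon-like event (field layout is an assumption, not a real schema)."""
    kind: str               # "process" (creation), "file" (create/modify) or "registry" (open/query)
    pid: int                # for "process": the new process; otherwise the acting process
    image: str              # full path of that process
    command_line: str = ""  # "process" only
    parent_image: str = ""  # "process" only
    target: str = ""        # "file": path written; "registry": key/value path


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXT = re.compile(r"\.(js|jse|vbs|vbe|wsf|wsh|hta)\b", re.I)
USER_WRITABLE = re.compile(r"\\AppData\\(Local\\Temp|Roaming)\\", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
GEO_NATION = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)
OUTLOOK_PROFILES = re.compile(r"\\Profiles\\Outlook\\", re.I)
SILENT_FLAG = re.compile(r"(^|\s)//?[Bb](\s|$)")  # wscript //B: batch mode, suppresses error pop-ups


def _name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev: Event) -> List[str]:
    """Rule names tripped by one event; each maps to a signature in the report."""
    hits: List[str] = []
    actor_is_host = _name(ev.image) in SCRIPT_HOSTS
    actor_in_user_dir = bool(USER_WRITABLE.search(ev.image))
    if ev.kind == "process":
        if actor_is_host and SCRIPT_EXT.search(ev.command_line) and USER_WRITABLE.search(ev.command_line):
            hits.append("script_host_runs_script_from_user_dir")
        if actor_is_host and SILENT_FLAG.search(ev.command_line):
            hits.append("script_host_silent_flag")
        if _name(ev.parent_image) in SCRIPT_HOSTS and actor_in_user_dir and ev.image.lower().endswith(".exe"):
            hits.append("script_host_spawns_exe_from_user_dir")   # "Executes dropped EXE"
    elif ev.kind == "file":
        if actor_is_host and STARTUP_DIR.search(ev.target) and SCRIPT_EXT.search(ev.target):
            hits.append("script_dropped_in_startup_folder")       # "Drops startup file"
    elif ev.kind == "registry":
        if actor_is_host and GEO_NATION.search(ev.target):
            hits.append("geofence_nation_lookup_by_script_host")  # "Checks computer location settings"
        if actor_in_user_dir and OUTLOOK_PROFILES.search(ev.target):
            hits.append("outlook_profile_access_from_user_dir")   # "Accesses Microsoft Outlook profiles"
    return hits


def detect(events: List[Event]) -> Dict[int, List[str]]:
    """Rule names grouped per PID, so the whole chain is visible at a glance."""
    out: Dict[int, List[str]] = {}
    for ev in events:
        for rule in check_event(ev):
            out.setdefault(ev.pid, []).append(rule)
    return out


SID = r"S-1-5-21-4246620582-653642754-1174164128-1000"
# Constructed from the process tree and IoCs above; the explorer.exe parent is assumed.
SAMPLE_EVENTS = [
    Event("process", 2124, r"C:\Windows\system32\wscript.exe",
          r'wscript.exe "C:\Users\Admin\AppData\Local\Temp\Request for PO_2023.js"',
          r"C:\Windows\explorer.exe"),
    Event("process", 2428, r"C:\Windows\System32\wscript.exe",
          r'"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\wHxgzZKiRX.js"',
          r"C:\Windows\system32\wscript.exe"),
    Event("process", 1816, r"C:\Users\Admin\AppData\Local\Temp\Payload p.exe",
          r'"C:\Users\Admin\AppData\Local\Temp\Payload p.exe"',
          r"C:\Windows\system32\wscript.exe"),
    Event("file", 2428, r"C:\Windows\System32\wscript.exe",
          target=r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wHxgzZKiRX.js"),
    Event("registry", 2124, r"C:\Windows\system32\wscript.exe",
          target=r"\REGISTRY\USER\%s\Control Panel\International\Geo\Nation" % SID),
    Event("registry", 1816, r"C:\Users\Admin\AppData\Local\Temp\Payload p.exe",
          target=r"\REGISTRY\USER\%s\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676" % SID),
    # Constructed benign noise: an admin script from System32, a document save, and Outlook reading its own profile.
    Event("process", 4100, r"C:\Windows\System32\cscript.exe",
          r'cscript.exe //nologo "C:\Windows\System32\slmgr.vbs" /dli', r"C:\Windows\System32\cmd.exe"),
    Event("file", 4200, r"C:\Windows\System32\notepad.exe", target=r"C:\Users\Admin\Documents\notes.txt"),
    Event("registry", 3300, r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
          target=r"\REGISTRY\USER\%s\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676" % SID),
]


if __name__ == "__main__":
    for pid, rules in sorted(detect(SAMPLE_EVENTS).items()):
        print(pid, ", ".join(rules))
```

The //B flag and the user-writable script path are each weak on their own (plenty of admin scripting looks like that); the value is in the correlation per PID, which is why the output is keyed on the process rather than emitted one alert per event. The Outlook rule deliberately keys on the acting image's location rather than the key name, so Outlook itself reading its profile stays silent.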
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\Payload p.exe
  Filesize: 755KB
  MD5: 24ed8d2e4ab971b4145ee8af48ba91e6
  SHA1: 1be10a9e71d9fccf3234c16ef5e2f5a04e9ed105
  SHA256: c19f573b3628986c4c4437c97596de9d15bfce93a34cb0d813fe935c1118b230
  SHA512: 0f2e096b57b32fb1c24777c550d54529dcccfc2485897b44f10c98f7c77692a2753950b36b78279058be8d1e5b65ad753209a247d4988c58ede9c27b1a1090da
C:\Users\Admin\AppData\Roaming\wHxgzZKiRX.js
  Filesize: 6KB
  MD5: 7b4a3c37cef8e86bbe9662efbd48356f
  SHA1: f31035920f5ce28b46c857b580127a0e04641b6b
  SHA256: eeab7b35432f06c27731ea671544b738ca2327afb57477fc20e8a29370f2a3b4
  SHA512: cc8ee4153e691b1e62945bb9cb6c1f59fe02f4ec98b74eab2a6c5ce99a2cb6cbb610602a8683d76056b95aec29fd208819ad96b54fec9977fdcdf6a5a7605faa

Memory dumps
  memory/1816-134-0x0000000000000000-mapping.dmp
  memory/1816-137-0x0000000000770000-0x0000000000834000-memory.dmp (784KB)
  memory/1816-138-0x00000000051E0000-0x0000000005246000-memory.dmp (408KB)
  memory/1816-139-0x0000000008BC0000-0x0000000008BE2000-memory.dmp (136KB)
  memory/1816-140-0x0000000009070000-0x000000000907A000-memory.dmp (40KB)
  memory/1816-141-0x00000000090A0000-0x00000000090B2000-memory.dmp (72KB)
  memory/2428-132-0x0000000000000000-mapping.dmp