23426c7999763f1f42752451f6cf6598733ec88a68890af130a5b7384ccbec75

Analysis

max time kernel
133s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
09/03/2023, 19:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

when is a d&f for contract type required 30781.js
Size

564KB
MD5

e578abaa9a94fd9665f84c2b8360fda1
SHA1

32675b30e0f5a18bc8b6e120b2211ac53cc35e75
SHA256

1469dc7b039809dde24a5894170185e73a5969a55a84872f185aac6265f2b9d2
SHA512

163b51e45082a8b258f7f99a51ca50fed139916411c5b83d8c7abe5d17ac4694b4c490eb6bb9fa1b538edc7eb704ab238d6b583b92606acf1739407581af1e60
SSDEEP

12288:d69oRzp+By2ex3ERhTiWUOrD2lKyrCvSkdJyi0j9nsDvV101d1eo4kwx9LVGyniH:B/yy2e6V2ai3KAL5rPzy9maM3

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	wscript.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1308	POwerShelL.exe
1308	POwerShelL.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1308	POwerShelL.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4020 wrote to memory of 2716	4020	wscript.EXE	102
PID 4020 wrote to memory of 2716	4020	wscript.EXE	102
PID 2716 wrote to memory of 1308	2716	cscript.exe	104
PID 2716 wrote to memory of 1308	2716	cscript.exe	104

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\when is a d&f for contract type required 30781.js"
1⤵
PID:2664

C:\Windows\system32\wscript.EXE
C:\Windows\system32\wscript.EXE FINANC~1.JS
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4020
- C:\Windows\System32\cscript.exe
  "C:\Windows\System32\cscript.exe" "FINANC~1.JS"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Windows\System32\WindowsPowerShell\v1.0\POwerShelL.exe
    POwerShelL
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1308

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_054nb53k.aih.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\FINANC~1.JS

Filesize
47.7MB

MD5
c25d4ee52235f4a4e4333c3cb7ad33e7

SHA1
2247a375160548e407c66372dc9b80c79d936ed8

SHA256
de83848f32d7352382570b853aa627d0edcd08f4475f665f384557d21011e01d

SHA512
cd5500df8b825d00ce77b7f78a34700cf2ae78a522fb91f0a3ad97fdbe6af4213f1e418334d376f37c263e887bc759481607650aa601d0a790f800c13c88a05a

Download Submit
memory/1308-145-0x00000205B3B70000-0x00000205B3B92000-memory.dmp

Filesize
136KB

Download
memory/1308-146-0x00000205B3A60000-0x00000205B3A70000-memory.dmp

Filesize
64KB

Download
memory/1308-148-0x00000205B3A60000-0x00000205B3A70000-memory.dmp

Filesize
64KB

Download
memory/1308-147-0x00000205B3A60000-0x00000205B3A70000-memory.dmp

Filesize
64KB

Download
memory/1308-149-0x00000205B4090000-0x00000205B40D4000-memory.dmp

Filesize
272KB

Download
memory/1308-150-0x00000205B4160000-0x00000205B41D6000-memory.dmp

Filesize
472KB

Download