7cd89f7f6d7d41ebc7059689827073c0bbad2101c5a639c62a68278629f477d9

Analysis

max time kernel
60s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
21/04/2023, 01:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ec04a1d07720f0c856844906b040d3876a7801f90640c15fa23aa4e3001ed400.js
Size

3.5MB
MD5

0c39ad338f05da2c25ce56b23531f1f3
SHA1

a51227fa9755cf0bd5c3660d016bdd871e500e7f
SHA256

ec04a1d07720f0c856844906b040d3876a7801f90640c15fa23aa4e3001ed400
SHA512

c7074aeeb63472cb6b2f1be1f61221c683908c7f3f7d6348b345db398ed52558b1ad9b65b3097e43d79561818c8b98ea2a60679bfd7457b149877b53025c0d2f
SSDEEP

24576:ejGw6bEVDPNoa+w7jOvCjAjODdJkEQTDTPmhH3NqEL8qELFiiKNpO28wb0XHpJh6:uNrsHo

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	wscript.exe

Executes dropped EXE 1 IoCs

pid	Process
2388	Payloa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2388	Payloa.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2388	Payloa.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1804 wrote to memory of 2388	1804	wscript.exe	90
PID 1804 wrote to memory of 2388	1804	wscript.exe	90
PID 1804 wrote to memory of 2388	1804	wscript.exe	90

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\ec04a1d07720f0c856844906b040d3876a7801f90640c15fa23aa4e3001ed400.js
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1804
- C:\Users\Admin\AppData\Roaming\Payloa.exe
  "C:\Users\Admin\AppData\Roaming\Payloa.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2388

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Payloa.exe

Filesize
825KB

MD5
b178c0250cc3f84a8101eb263c52d716

SHA1
0bcb484264be368704de6028040a7552ebaf9a46

SHA256
aa2359fab304db99e520d8f343c579886debe677003f04695db008e3f2c90f99

SHA512
0927124a400b321d166a9122521760d2f922aaaff38d42e7d9e975d6ff6ddcc47038c4eea9e19a0a909d5d5cab1bed1a36fa2294c1175ee492250f19868dfda1

Download Submit
C:\Users\Admin\AppData\Roaming\Payloa.exe

Filesize
825KB

MD5
b178c0250cc3f84a8101eb263c52d716

SHA1
0bcb484264be368704de6028040a7552ebaf9a46

SHA256
aa2359fab304db99e520d8f343c579886debe677003f04695db008e3f2c90f99

SHA512
0927124a400b321d166a9122521760d2f922aaaff38d42e7d9e975d6ff6ddcc47038c4eea9e19a0a909d5d5cab1bed1a36fa2294c1175ee492250f19868dfda1

Download Submit
C:\Users\Admin\AppData\Roaming\Payloa.exe

Filesize
825KB

MD5
b178c0250cc3f84a8101eb263c52d716

SHA1
0bcb484264be368704de6028040a7552ebaf9a46

SHA256
aa2359fab304db99e520d8f343c579886debe677003f04695db008e3f2c90f99

SHA512
0927124a400b321d166a9122521760d2f922aaaff38d42e7d9e975d6ff6ddcc47038c4eea9e19a0a909d5d5cab1bed1a36fa2294c1175ee492250f19868dfda1

Download Submit
memory/2388-144-0x00000000003B0000-0x0000000000484000-memory.dmp

Filesize
848KB

Download
memory/2388-145-0x0000000004DF0000-0x0000000004E00000-memory.dmp

Filesize
64KB

Download
memory/2388-146-0x00000000071F0000-0x0000000007256000-memory.dmp

Filesize
408KB

Download
memory/2388-147-0x0000000004780000-0x00000000047A2000-memory.dmp

Filesize
136KB

Download