a0041aa69a92b8a85e020dcf6424960e466c4e2f315a556bed9e06d870dddf47

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
04/07/2023, 13:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ORDERjs.js
Size

912KB
MD5

70e483ab51c94cd2318fb5cb0de989fd
SHA1

8bb7ff7229a9eb8230dcbdc8507e60b3403313c0
SHA256

a0041aa69a92b8a85e020dcf6424960e466c4e2f315a556bed9e06d870dddf47
SHA512

350dac5a389fbdf85c770a1d4858b2152eceb8903558f0a5b37a95bb172a987eea2c932dd9bf06bd62f813e4b334daff3d83838a9e127f1135e2c077b0cb972a
SSDEEP

1536:j21Ax5SP/rgoMp633kUFPyHqVfxkCx1UE8o1TQ5CAiaRgd6W0NQHMpgac+0rOMzc:Uh+vek3mUQKN

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\Control Panel\International\Geo\Nation	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 5052 wrote to memory of 4280	5052	wscript.exe	87
PID 5052 wrote to memory of 4280	5052	wscript.exe	87

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\ORDERjs.js
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5052
- C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
  "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\igtlqgdfpg.txt"
  2⤵
  PID:4280

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\igtlqgdfpg.txt

Filesize
92KB

MD5
be4e48191df83f3c7bfd54379ba4d4f3

SHA1
36a12c5dc7d0f28f31036ed44221521bdcb04de8

SHA256
6d8f633293aea1a6c3082e4db203b88f60c09415604631fee719e4bba70e597d

SHA512
dd7d9619a0cbff8d99e735ebf0497c28d7720113f431740c5993e139d4deed243f66fc67d80c585bcf1bbeb9cee85c10a0661f8a6e316472589417d611857425

Download Submit
memory/4280-145-0x0000000000BC0000-0x0000000000BC1000-memory.dmp

Filesize
4KB

Download
memory/4280-159-0x0000000000BC0000-0x0000000000BC1000-memory.dmp

Filesize
4KB

Download
memory/4280-173-0x0000000000BC0000-0x0000000000BC1000-memory.dmp

Filesize
4KB

Download
memory/4280-174-0x0000000000BC0000-0x0000000000BC1000-memory.dmp

Filesize
4KB

Download
memory/4280-175-0x0000000000BC0000-0x0000000000BC1000-memory.dmp

Filesize
4KB

Download
memory/4280-186-0x0000000000BC0000-0x0000000000BC1000-memory.dmp

Filesize
4KB

Download
memory/4280-187-0x0000000000BC0000-0x0000000000BC1000-memory.dmp

Filesize
4KB

Download
memory/4280-191-0x0000000000BC0000-0x0000000000BC1000-memory.dmp

Filesize
4KB

Download
memory/4280-193-0x0000000000BC0000-0x0000000000BC1000-memory.dmp

Filesize
4KB

Download
memory/4280-196-0x0000000000BC0000-0x0000000000BC1000-memory.dmp

Filesize
4KB

Download
memory/4280-199-0x0000000000BC0000-0x0000000000BC1000-memory.dmp

Filesize
4KB

Download
memory/4280-203-0x0000000000BC0000-0x0000000000BC1000-memory.dmp

Filesize
4KB

Download
memory/4280-208-0x0000000000BC0000-0x0000000000BC1000-memory.dmp

Filesize
4KB

Download
memory/4280-209-0x0000000000BC0000-0x0000000000BC1000-memory.dmp

Filesize
4KB

Download
memory/4280-210-0x0000000000BC0000-0x0000000000BC1000-memory.dmp

Filesize
4KB

Download
memory/4280-211-0x0000000000BC0000-0x0000000000BC1000-memory.dmp

Filesize
4KB

Download
memory/4280-217-0x0000000000BC0000-0x0000000000BC1000-memory.dmp

Filesize
4KB

Download
memory/4280-222-0x0000000000BC0000-0x0000000000BC1000-memory.dmp

Filesize
4KB

Download
memory/4280-223-0x0000000000BC0000-0x0000000000BC1000-memory.dmp

Filesize
4KB

Download
memory/4280-224-0x0000000000BC0000-0x0000000000BC1000-memory.dmp

Filesize
4KB

Download