336be3a20ae8a36962ffd26b1ec7fb0ec2274a860dd9423b16ff817d29f1908a

Analysis

max time kernel
169s
max time network
181s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
01-01-2024 15:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b875cc39a6933b5a96ec292403ea2fa59788658f825b7fd0b66bffc1a6b09395.js
Size

8KB
MD5

1f374431d5cc7f30b6e582b29990c3ca
SHA1

756136a15a244fa8a845b1d2888a6b51e22109a1
SHA256

b875cc39a6933b5a96ec292403ea2fa59788658f825b7fd0b66bffc1a6b09395
SHA512

6bc179b9743a66a648b9427d365104ccd667306b59068acfcc4284f3b0b3679f21eb664e5f1f5ba87e2f8156854fcfb1ef78d0fe52cb9a11a82d1193ba8eed9b
SSDEEP

192:oqLDmKxwjg1AO19yjn93UTW5lY8epXy6HN7RbrQ/6/2swA/vQ:aCwj3O10z9ETt8epXHnQhswAXQ

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 6 IoCs

flow	pid	Process
42	3080	wscript.exe
43	3080	wscript.exe
46	3080	wscript.exe
53	3080	wscript.exe
55	3080	wscript.exe
56	3080	wscript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3080 wrote to memory of 3552	3080	wscript.exe	93
PID 3080 wrote to memory of 3552	3080	wscript.exe	93

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\b875cc39a6933b5a96ec292403ea2fa59788658f825b7fd0b66bffc1a6b09395.js
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3080
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\224017_tree.cmd" "
  2⤵
  PID:3552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\224017_tree.cmd

Filesize
15KB

MD5
a1f53630138ad684aaf6ed7bc309b508

SHA1
a7fedc8aeeaea6b59726ac798e5680e0c5be1ce9

SHA256
a4fe69c73072c8fc553e17b74aa2387d5f2e9ceb12c584bab86e6c711d4a92e9

SHA512
b70ab4a0d0368d90d2e83a0dfd83bbf28df88dd787e8baf9b1e5c23e46fe6573570d94b9cda351ac9ceed02a3eeabd6f273739b64abaf7df71528818e41048b8

Download Submit