Analysis
max time kernel: 136s
max time network: 159s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-01-2024 12:16
Static task: static1
Behavioral task: behavioral1
Sample: 22345804828167.js
Resource: win7-20231215-en
General
Target: 22345804828167.js
Size: 1.2MB
MD5: 60e2ff683eaddef5aaddda1bd3ee7ea7
SHA1: 4e94ed84ea0e838ba2da2173868c5f227cea8392
SHA256: 4baaf14d0f1adc879c79b0a234b30330a93ea3fd1d8050ac5910ce40236a067a
SHA512: 5db582af4de3e0243474b8637282aed3e089e55b5124e712d4f0d230dd0879fd2a921acce2bf5b7ed1cf4fdf1173b98b46b1fd42d544ce7e45acd852ba971564
SSDEEP: 24576:u+qOfAjkFZ9gwzEoCmbvD1+Crry2Q/F/XJjTETzTvBkskkZe:hfZRgBCTTrc
Malware Config
Signatures
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation | wscript.exe

Loads dropped DLL (1 IoC)
pid | Process
4416 | rundll32.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (10 IoCs)
description | pid | Process | procid_target
PID 2472 wrote to memory of 3180 | 2472 | wscript.exe | 87
PID 2472 wrote to memory of 3180 | 2472 | wscript.exe | 87
PID 3180 wrote to memory of 5064 | 3180 | cmd.exe | 89
PID 3180 wrote to memory of 5064 | 3180 | cmd.exe | 89
PID 3180 wrote to memory of 776 | 3180 | cmd.exe | 90
PID 3180 wrote to memory of 776 | 3180 | cmd.exe | 90
PID 3180 wrote to memory of 4872 | 3180 | cmd.exe | 92
PID 3180 wrote to memory of 4872 | 3180 | cmd.exe | 92
PID 4872 wrote to memory of 4416 | 4872 | cmd.exe | 91
PID 4872 wrote to memory of 4416 | 4872 | cmd.exe | 91
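The signatures above add up to a script-host staging chain: wscript.exe spawning cmd.exe, certutil run with -decode, and rundll32 loading a dropped DLL. As an added example that is not part of the sandbox report, the Python below models that chain as process-creation events (Sysmon Event ID 1 style fields: pid, ppid, image, command line) and runs three detection rules over them. The events are constructed from the PIDs and command lines in this report; the parent of rundll32.exe is taken from the WriteProcessMemory IoC (cmd.exe 4872), while the explorer.exe root and the benign control event are assumptions.

```python
"""Detection of the script-host staging chain over process-creation events.
Added example; the events are constructed from the PIDs in the report, not sandbox output."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full image path, as in Sysmon Event ID 1
    cmdline: str


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> List[ProcEvent]:
    """Walk ppid links upward, stopping on an unknown parent or a PID cycle."""
    out: List[ProcEvent] = []
    seen = {ev.pid}
    cur = by_pid.get(ev.ppid)
    while cur is not None and cur.pid not in seen:
        out.append(cur)
        seen.add(cur.pid)
        cur = by_pid.get(cur.ppid)
    return out


def under_script_host(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> bool:
    return any(basename(a.image) in SCRIPT_HOSTS for a in ancestors(ev, by_pid))


def detect(events: List[ProcEvent]) -> List[str]:
    by_pid = {e.pid: e for e in events}
    hits: List[str] = []
    for e in events:
        name = basename(e.image)
        cl = e.cmdline.lower()
        parent = by_pid.get(e.ppid)
        pname = basename(parent.image) if parent else ""
        # Rule 1: a script host launches cmd.exe that copies a file to .bat and runs it
        if name == "cmd.exe" and pname in SCRIPT_HOSTS and "copy " in cl and ".bat" in cl:
            hits.append(f"pid {e.pid}: {pname} -> cmd.exe copying a script to .bat")
        # Rule 2: certutil -decode anywhere beneath a script host
        if name == "certutil.exe" and "-decode" in cl and under_script_host(e, by_pid):
            hits.append(f"pid {e.pid}: certutil -decode under a script host")
        # Rule 3: rundll32 given a bare (relative) DLL name beneath a script host
        if name == "rundll32.exe" and under_script_host(e, by_pid):
            args = e.cmdline.split(maxsplit=1)
            if len(args) == 2 and "\\" not in args[1].split(",")[0]:
                hits.append(f"pid {e.pid}: rundll32 loading relative DLL {args[1].split(',')[0]}")
    return hits


T = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_EVENTS = [  # constructed; PIDs and command lines follow the report, parents partly assumed
    ProcEvent(1000, 0, r"C:\Windows\explorer.exe", "explorer.exe"),  # assumed root
    ProcEvent(2472, 1000, r"C:\Windows\system32\wscript.exe", f"wscript.exe {T}\\22345804828167.js"),
    ProcEvent(3180, 2472, r"C:\Windows\System32\cmd.exe",
              f'"C:\\Windows\\System32\\cmd.exe" /k copy "{T}\\22345804828167.js" '
              f'"{T}\\\\learnedscarce.bat" && "{T}\\\\learnedscarce.bat"'),
    ProcEvent(5064, 3180, r"C:\Windows\system32\findstr.exe",
              f'findstr /V sootheflat ""{T}\\\\learnedscarce.bat""'),
    ProcEvent(776, 3180, r"C:\Windows\system32\certutil.exe",
              "certutil -f -decode uncoveredconfused brainyarm.dll"),
    ProcEvent(4872, 3180, r"C:\Windows\system32\cmd.exe", "cmd /c rundll32 brainyarm.dll,m"),
    # parent taken from the WriteProcessMemory IoC (cmd.exe 4872 wrote to 4416)
    ProcEvent(4416, 4872, r"C:\Windows\system32\rundll32.exe", "rundll32 brainyarm.dll,m"),
    # benign control (constructed): rundll32 with a full DLL path, launched from explorer
    ProcEvent(1500, 1000, r"C:\Windows\system32\rundll32.exe",
              r"rundll32 C:\Windows\System32\shell32.dll,Control_RunDLL"),
]


def run_sample() -> List[str]:
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for h in run_sample():
        print(h)
```

Rule 3 keys on the DLL being named without a directory because the report's rundll32 command line is `rundll32 brainyarm.dll,m`: the DLL is resolved relative to the working directory the batch stage left behind, which a control-panel launch like the benign event never does. Rule 2 deliberately requires a script-host ancestor so that an administrator running certutil -decode from an interactive shell does not fire it; widen it if that trade-off is wrong for your environment.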
Processes
Tree depth is given in brackets as the sandbox reported it; indentation follows it.

[1] C:\Windows\system32\wscript.exe  (PID 2472)
    wscript.exe C:\Users\Admin\AppData\Local\Temp\22345804828167.js
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\System32\cmd.exe  (PID 3180)
      "C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\22345804828167.js" "C:\Users\Admin\AppData\Local\Temp\\learnedscarce.bat" && "C:\Users\Admin\AppData\Local\Temp\\learnedscarce.bat"
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\findstr.exe  (PID 5064)
        findstr /V sootheflat ""C:\Users\Admin\AppData\Local\Temp\\learnedscarce.bat""
    [3] C:\Windows\system32\certutil.exe  (PID 776)
        certutil -f -decode uncoveredconfused brainyarm.dll
    [3] C:\Windows\system32\cmd.exe  (PID 4872)
        cmd /c rundll32 brainyarm.dll,m
        - Suspicious use of WriteProcessMemory
[1] C:\Windows\system32\rundll32.exe  (PID 4416)
    rundll32 brainyarm.dll,m
    - Loads dropped DLL

Reading the chain: wscript.exe runs the submitted .js, which has cmd.exe copy that same file to learnedscarce.bat and execute it, so one file serves as both JScript and batch script. The batch stage runs findstr /V sootheflat over its own copy, which emits only the lines that do not contain that token; where that output goes is not visible here, because the redirection is handled by cmd.exe rather than findstr. certutil -f -decode then base64-decodes the file uncoveredconfused into brainyarm.dll, and rundll32 loads that DLL and calls its export m. The sandbox places rundll32.exe (PID 4416) at tree depth 1, but the WriteProcessMemory IoCs above record cmd.exe PID 4872 as the process that wrote to it.
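The two file-handling steps of the batch stage (findstr /V with a marker token, then certutil -decode) can be reproduced offline to recover the embedded payload and hash it without executing the sample. The Python below is an added example, not code from the report or from the sample: it applies the same filter-then-decode logic to a constructed polyglot whose script lines each carry the marker and whose payload is a fake MZ header rather than a real binary. The file layout, the use of the marker as a line tag, and the intermediate filename uncoveredconfused are assumptions based on the command lines above; the real sample's layout is not shown on this page.

```python
"""Offline re-creation of the batch stage's file handling: findstr /V <marker>, then
certutil -decode. Added example; the polyglot below is constructed, not the real sample."""
import base64
import hashlib
import re
from typing import Dict, List

PEM_HEADER = re.compile(r"^-----(BEGIN|END) [A-Z ]+-----$")


def findstr_v(text: str, marker: str) -> List[str]:
    """`findstr /V marker file`: keep only lines that do NOT contain marker (case-sensitive)."""
    return [ln for ln in text.splitlines() if marker not in ln]


def certutil_decode(lines: List[str]) -> bytes:
    """Approximates `certutil -decode`: drop optional PEM header/footer lines and whitespace,
    then base64-decode. Strict validation means any leftover non-base64 line raises ValueError,
    a useful signal that the marker did not tag every non-payload line."""
    body = "".join(
        ln.strip() for ln in lines if ln.strip() and not PEM_HEADER.match(ln.strip())
    )
    return base64.b64decode(body, validate=True)


def hashes(data: bytes) -> Dict[str, str]:
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def stage_payload(polyglot: str, marker: str) -> Dict[str, object]:
    """Filter, decode and fingerprint the payload the way the batch stage produces brainyarm.dll."""
    decoded = certutil_decode(findstr_v(polyglot, marker))
    info: Dict[str, object] = {"size": len(decoded), "is_pe": decoded[:2] == b"MZ"}
    info.update(hashes(decoded))
    return info


# Constructed stand-in for the dropped DLL: an MZ/PE-looking header plus filler, not a real binary.
FAKE_DLL = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"example payload " * 8
MARKER = "sootheflat"  # token taken from the findstr command line in the report


def build_sample(marker: str = MARKER) -> str:
    """Constructed polyglot (assumed layout): every script line carries the marker, the base64
    payload does not, so `findstr /V marker` leaves only the payload for certutil."""
    b64 = base64.b64encode(FAKE_DLL).decode()
    wrapped = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    script_lines = [
        f"/* {marker} */ var sh = new ActiveXObject('WScript.Shell');",
        f"@echo off & rem {marker}",
        f'findstr /V {marker} "%~f0" > uncoveredconfused & rem {marker}',  # redirect is assumed
        f"certutil -f -decode uncoveredconfused brainyarm.dll & rem {marker}",
        f"rundll32 brainyarm.dll,m & rem {marker}",
    ]
    return "\n".join(
        script_lines + ["-----BEGIN CERTIFICATE-----", *wrapped, "-----END CERTIFICATE-----"]
    )


if __name__ == "__main__":
    print(stage_payload(build_sample(), MARKER))
```

Against a real sample, feed the .js text and the token from the findstr command line to stage_payload and compare the resulting hashes with the Downloads entries below; a ValueError from the decoder means some non-payload line survived the filter, which is the first thing to check before assuming the blob is encrypted rather than plain base64.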
Network
MITRE ATT&CK Enterprise v15
Downloads
Three files were captured; the report gives no filenames for them. The second entry carries the same hashes as the submitted sample (see General above).

Filesize: 886KB
MD5: 3d97638a09af4d6690008936993ba12d
SHA1: cc3c922260d0dacbfda3245c8fd298695fb8c136
SHA256: 649d05ad0a76df62028fbb776f9bbdea19e39cbe8f03d6a233f7c297565e06b1
SHA512: 016b569fd5b3d8e1ab97fc025a3876dc6159a8e16b6b54a695f367e67b513d9060dc5e846dba4ef66b5ee33e39cdd8626e51afbf1f879569329d7ff4bcc52a18

Filesize: 1.2MB
MD5: 60e2ff683eaddef5aaddda1bd3ee7ea7
SHA1: 4e94ed84ea0e838ba2da2173868c5f227cea8392
SHA256: 4baaf14d0f1adc879c79b0a234b30330a93ea3fd1d8050ac5910ce40236a067a
SHA512: 5db582af4de3e0243474b8637282aed3e089e55b5124e712d4f0d230dd0879fd2a921acce2bf5b7ed1cf4fdf1173b98b46b1fd42d544ce7e45acd852ba971564

Filesize: 1.2MB
MD5: 963b1b331221d562001ebc2330a2f996
SHA1: b2cbebc4f5512ad437622e75cb200812614134ee
SHA256: e5110fb49b5a087b2c8dc47f6aff7d92954023fd16a29ed3e138d1ea6714c3ea
SHA512: 141f9db15bebe92306255dc05a1b132eedabc01c8297d86b03dcba3fd520d8464d766830f05f3f52dcc4550dbbb72b149c7e40377aac947df2bf4b1154624d42