Analysis
-
max time kernel: 135s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-01-2024 12:27
Static task
static1
Behavioral task
behavioral1
Sample
28325142147799.js
Resource
win7-20231215-en
General
-
Target: 28325142147799.js
Size: 959KB
MD5: e142b6e92af05edd784ecea426ea62ae
SHA1: 4b4a1e8489acef2c4a27dfe4f9de1b2e4a14f86e
SHA256: 4b2fb816282af672a02dd4f13fff81f00f6f3825c7c9329dca4bf934412b8322
SHA512: a69d6958f60427fcf8e66c41a6b64e9033eb6504aaf05d5be62a849efcf113996dfd14a24d256fab43e53e4694c3a5f19bd3a298052c793f346fe4d04f34cee3
SSDEEP: 12288:H2DjmKxUlG7TcTEeHeauBdjGjNzWpEq0mqRVb86XFXZZSLY72i9TMY6Sms9aFG4M:WZU67qe/p9dtkoH2
Malware Config
Signatures
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
Processes: wscript.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation | wscript.exe
-
Loads dropped DLL (1 IoC)
Processes: rundll32.exe
pid | process
4548 | rundll32.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory (10 IoCs)
Processes: wscript.exe, cmd.exe, cmd.exe
description | pid | process | target process
PID 1172 wrote to memory of 3156 | 1172 | wscript.exe | cmd.exe
PID 3156 wrote to memory of 3692 | 3156 | cmd.exe | findstr.exe
PID 3156 wrote to memory of 2284 | 3156 | cmd.exe | certutil.exe
PID 3156 wrote to memory of 3632 | 3156 | cmd.exe | cmd.exe
PID 3632 wrote to memory of 4548 | 3632 | cmd.exe | rundll32.exe
(each parent/child pair is reported twice by the sandbox, which gives the 10 IoCs)
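The WriteProcessMemory IoCs above are really a parent/child chain: a script host spawning cmd.exe, which spawns certutil in decode mode and a nested cmd.exe that launches rundll32. The detection below walks that ancestry over process-creation events and flags certutil -decode and rundll32 only when a script host sits above them, so an administrator running certutil from Explorer is not flagged. It is an added example, not part of the sandbox report; the PIDs, images and command lines are constructed to mirror the report, and the explorer.exe root and the two benign certutil invocations are invented to exercise the negative cases.

```python
"""Flag certutil -decode / rundll32 executions whose ancestry includes a
script host (wscript/cscript). Added example, not sandbox or sample code."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # executable base name, lower-case
    cmdline: str


# Constructed process-creation events. PIDs, images and command lines follow
# the report; the explorer.exe root (pid 900) and pids 5001/5002 are invented.
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
EVENTS = [
    ProcEvent(900, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(1172, 900, "wscript.exe", rf"wscript.exe {TEMP}\28325142147799.js"),
    ProcEvent(3156, 1172, "cmd.exe",
              rf'"C:\Windows\System32\cmd.exe" /k copy "{TEMP}\28325142147799.js" '
              rf'"{TEMP}\\suspectfeeble.bat" && "{TEMP}\\suspectfeeble.bat"'),
    ProcEvent(3692, 3156, "findstr.exe", rf'findstr /V ricehat "{TEMP}\\suspectfeeble.bat"'),
    ProcEvent(2284, 3156, "certutil.exe", "certutil -f -decode tinsoak heapswim.dll"),
    ProcEvent(3632, 3156, "cmd.exe", "cmd /c rundll32 heapswim.dll,m"),
    ProcEvent(4548, 3632, "rundll32.exe", "rundll32 heapswim.dll,m"),
    # benign: an admin hashing a file and decoding a certificate from Explorer
    ProcEvent(5001, 900, "certutil.exe", "certutil -hashfile setup.exe SHA256"),
    ProcEvent(5002, 900, "certutil.exe", "certutil -decode cert.b64 cert.cer"),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
DECODE_FLAG = re.compile(r"(^|\s)-(decode|decodehex)\b", re.IGNORECASE)


def ancestry(events, pid):
    """Return the process chain root-first, ending at `pid`; loops are cut."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    cur = by_pid.get(pid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur)
        cur = by_pid.get(cur.ppid)
    chain.reverse()
    return chain


def is_lolbin_stage(e):
    """certutil used as a decoder, or rundll32 at all: the stages the report shows."""
    if e.image == "certutil.exe":
        return DECODE_FLAG.search(e.cmdline) is not None
    return e.image == "rundll32.exe"


def find_script_host_chains(events):
    """One finding per decode/rundll32 process that has a script-host ancestor."""
    findings = []
    for e in events:
        if not is_lolbin_stage(e):
            continue
        chain = ancestry(events, e.pid)
        if any(a.image in SCRIPT_HOSTS for a in chain[:-1]):
            findings.append({
                "pid": e.pid,
                "image": e.image,
                "chain": " -> ".join(a.image for a in chain),
                "cmdline": e.cmdline,
            })
    return findings


if __name__ == "__main__":
    for f in find_script_host_chains(EVENTS):
        print(f"{f['pid']:>5} {f['chain']}  :: {f['cmdline']}")
```

The ancestry walk is what makes the rule useful: matching on "certutil -decode" alone fires on legitimate certificate handling, while requiring a script host anywhere above the process keeps the alert tied to the dropper pattern this report shows.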
Processes
-
[1] C:\Windows\system32\wscript.exe (PID 1172)
    wscript.exe C:\Users\Admin\AppData\Local\Temp\28325142147799.js
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\System32\cmd.exe (PID 3156)
      "C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\28325142147799.js" "C:\Users\Admin\AppData\Local\Temp\\suspectfeeble.bat" && "C:\Users\Admin\AppData\Local\Temp\\suspectfeeble.bat"
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\findstr.exe (PID 3692)
        findstr /V ricehat ""C:\Users\Admin\AppData\Local\Temp\\suspectfeeble.bat""
    [3] C:\Windows\system32\certutil.exe (PID 2284)
        certutil -f -decode tinsoak heapswim.dll
    [3] C:\Windows\system32\cmd.exe (PID 3632)
        cmd /c rundll32 heapswim.dll,m
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\rundll32.exe (PID 4548)
          rundll32 heapswim.dll,m
          - Loads dropped DLL
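Read in order, the command lines above describe a full unpacking stage: cmd.exe copies the submitted .js to suspectfeeble.bat and executes it, so the same bytes must be acceptable to both wscript.exe and cmd.exe; findstr /V ricehat emits only the lines that do not contain "ricehat"; certutil -f -decode tinsoak heapswim.dll base64-decodes the file tinsoak into heapswim.dll; and rundll32 heapswim.dll,m calls the DLL's export m. The report cannot show where findstr's output goes, because a `>` redirect is handled by cmd.exe and never appears in the child's command line; the example below assumes that output is the tinsoak file certutil reads. The code re-creates the findstr /V and certutil -decode steps offline and checks the result for a PE DLL header before anyone would load it. It is an added example, not code from the sample or the sandbox: the marker and file names come from the report, while the script lines and the 88-byte stand-in DLL are constructed.

```python
"""Offline re-creation of the findstr /V -> certutil -decode stage shown in
the process tree, plus a PE/DLL header check on the result. Added example;
the payload and script lines are constructed, not taken from the sample."""
import base64
import binascii
import re
import struct

IMAGE_FILE_DLL = 0x2000


def build_fake_dll():
    """Minimal MZ + PE header (88 bytes) with the DLL characteristic set."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> PE header
    coff = struct.pack("<HHIIIHH",
                       0x8664,   # Machine: x64
                       1,        # NumberOfSections
                       0, 0, 0,  # TimeDateStamp, PointerToSymbolTable, NumberOfSymbols
                       0,        # SizeOfOptionalHeader (omitted for brevity)
                       0x2022)   # EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE | DLL
    return bytes(dos) + b"PE\0\0" + coff


def build_sample(marker="ricehat"):
    """Constructed polyglot-style text: every script line carries the marker,
    the base64 body (certutil -encode style, 64-char lines) does not."""
    b64 = base64.b64encode(build_fake_dll()).decode()
    lines = [f"var a = 1; // {marker}",
             f"function {marker}_run() {{ return 0; }}",
             "-----BEGIN CERTIFICATE-----"]
    lines += [b64[i:i + 64] for i in range(0, len(b64), 64)]
    lines += ["-----END CERTIFICATE-----", f"{marker}_run();"]
    return "\r\n".join(lines) + "\r\n"


def findstr_v(text, marker):
    """findstr /V: keep only the lines that do NOT contain the marker
    (case-sensitive, as findstr is without /I)."""
    return "\r\n".join(l for l in text.splitlines() if marker not in l) + "\r\n"


def certutil_decode(text):
    """certutil -decode: ignore -----BEGIN/END----- lines and whitespace,
    strict base64 otherwise. Returns None when the input is not clean base64,
    which is what happens if the marker lines were not stripped first."""
    body = "".join(l for l in text.splitlines() if not l.startswith("-----"))
    body = re.sub(r"\s+", "", body)
    try:
        return base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return None


def pe_is_dll(data):
    """True if data has a DOS header pointing at a PE header whose COFF
    Characteristics field has IMAGE_FILE_DLL set."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False
    characteristics = struct.unpack_from("<H", data, e_lfanew + 4 + 18)[0]
    return bool(characteristics & IMAGE_FILE_DLL)


def unpack(text, marker="ricehat"):
    """The whole stage: findstr /V -> certutil -decode -> PE/DLL check.
    Returns the decoded bytes, or None if any step fails."""
    dll = certutil_decode(findstr_v(text, marker))
    return dll if dll is not None and pe_is_dll(dll) else None


if __name__ == "__main__":
    sample = build_sample()
    out = unpack(sample)
    print("decoded DLL:", None if out is None else f"{len(out)} bytes, MZ/PE with DLL flag")
    print("without findstr /V:", certutil_decode(sample))
```

Two points this makes concrete for triage: the marker string is the only thing separating script lines from payload lines, so a different sample will use a different word and the findstr command line is where to read it from; and certutil is strict about its input, which is why the dropper needs findstr first and why decoding the original file directly yields nothing.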
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 712KB
MD5: e369903ea87d49ddf23c1682a5e8d01e
SHA1: 0b50b560770cf44c8d95286d7d67fa27871f7d1a
SHA256: 80a58fc6fc8ce8929996f6cd56b97cb729cf8bfe2b07c02b112b6b6d96f02423
SHA512: 359dd3a3c2341c5f0fd5c60538bf0c10f8efbf818376a2f049bc2f9f5c5fe9c9d9d2077da115e28ea9b0fa69961df68eaa667fd220402b9eb4eb679969df2a09
-
Filesize: 959KB (same hashes as the submitted sample 28325142147799.js)
MD5: e142b6e92af05edd784ecea426ea62ae
SHA1: 4b4a1e8489acef2c4a27dfe4f9de1b2e4a14f86e
SHA256: 4b2fb816282af672a02dd4f13fff81f00f6f3825c7c9329dca4bf934412b8322
SHA512: a69d6958f60427fcf8e66c41a6b64e9033eb6504aaf05d5be62a849efcf113996dfd14a24d256fab43e53e4694c3a5f19bd3a298052c793f346fe4d04f34cee3
-
Filesize: 952KB
MD5: 9ed413fb2d65047ce18bdd9bd2d738a7
SHA1: dbcdb9612ac5c51f3940f0e28377e749153beb72
SHA256: cbb12b164a282becaae013b43a7b948bf3e9a913340cc35dd0d915720bfde909
SHA512: 403d48fd20c2d0e807064af5acf978a7329833229700f18b7f170b313853f8a345782a2541817c945742f7752b38a848c4230298f1bf4920dfcaa859a8f4ded9