Analysis
max time kernel: 143s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-01-2024 11:05
Static task: static1
Behavioral task: behavioral1
Sample: 147981734725653.js
Resource: win7-20231215-en
General
Target: 147981734725653.js
Size: 1.1MB
MD5: f0aa642d6a0e4a0021bb5a006da8f659
SHA1: 6da83194b6e3acb7fa7537b179b96c0a21654983
SHA256: 7b513b60bf0c42e4dea6b545591088954a1ed63348d085cbeee97c03ef163a42
SHA512: bd023360956eec5c06bd322d52d3881072955f6b22b9e99cdaf4f2a3f726d23e8bab0f3ab85d2bfaafbbfa5c696683026dbd50c7a5849e8aee893083662ae41e
SSDEEP: 12288:3lyp9BJQJzEk/e0clTeD1FUEnYC1b3XC4Ksl8iUVfloiMKQsKJlmgAzE27UKEZtl:olcDR666E/NSnGQbR3xGJZ3
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation
  Process: wscript.exe
- Loads dropped DLL (1 IoC)
  pid: 368
  Process: rundll32.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (2 IoCs)
  description: Key created
  ioc: \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000_Classes\Local Settings
  Process: cmd.exe
  description: Key created
  ioc: \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000_Classes\Local Settings
  Process: OpenWith.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid: 2772
  Process: OpenWith.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  description                          pid   Process      procid_target
  PID 4812 wrote to memory of 4424     4812  wscript.exe  84
  PID 4812 wrote to memory of 4424     4812  wscript.exe  84
  PID 4424 wrote to memory of 5072     4424  cmd.exe      92
  PID 4424 wrote to memory of 5072     4424  cmd.exe      92
  PID 4424 wrote to memory of 632      4424  cmd.exe      93
  PID 4424 wrote to memory of 632      4424  cmd.exe      93
  PID 4424 wrote to memory of 3880     4424  cmd.exe      94
  PID 4424 wrote to memory of 3880     4424  cmd.exe      94
  PID 3880 wrote to memory of 368      3880  cmd.exe      95
  PID 3880 wrote to memory of 368      3880  cmd.exe      95
Processes (number = depth in the process tree)
1: C:\Windows\system32\wscript.exe
   command: wscript.exe C:\Users\Admin\AppData\Local\Temp\147981734725653.js
   PID:4812
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2: C:\Windows\System32\cmd.exe
      command: "C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\147981734725653.js" "C:\Users\Admin\AppData\Local\Temp\\killwindow.bat" && "C:\Users\Admin\AppData\Local\Temp\\killwindow.bat"
      PID:4424
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      3: C:\Windows\system32\findstr.exe
         command: findstr /V stickykick ""C:\Users\Admin\AppData\Local\Temp\\killwindow.bat""
         PID:5072
      3: C:\Windows\system32\certutil.exe
         command: certutil -f -decode economicknife playgroundstructure.dll
         PID:632
      3: C:\Windows\system32\cmd.exe
         command: cmd /c rundll32 playgroundstructure.dll,m
         PID:3880
         - Suspicious use of WriteProcessMemory
         4: C:\Windows\system32\rundll32.exe
            command: rundll32 playgroundstructure.dll,m
            PID:368
            - Loads dropped DLL
1: C:\Windows\system32\OpenWith.exe
   command: C:\Windows\system32\OpenWith.exe -Embedding
   PID:2772
   - Modifies registry class
   - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1.1MB
  MD5: b1eb68af4adfd3c1b2c9bebc96f7476f
  SHA1: c0b9a3b8b98a07884d6a200c9f1f4789584efffe
  SHA256: 8ef40cddfde7f269cee9d4167f78540c74a5176c11a875d3e139b39d784616d2
  SHA512: 5e9860af3ac660b24a41bbffd3b4b1b6fad213cc22efe7eeb103384e1b237e21f610cec63743f5329a9ad0c4b0452e5bb9eb56ca70a10b7b23240de5f2696bba
- Filesize: 1.1MB (same hashes as the submitted sample)
  MD5: f0aa642d6a0e4a0021bb5a006da8f659
  SHA1: 6da83194b6e3acb7fa7537b179b96c0a21654983
  SHA256: 7b513b60bf0c42e4dea6b545591088954a1ed63348d085cbeee97c03ef163a42
  SHA512: bd023360956eec5c06bd322d52d3881072955f6b22b9e99cdaf4f2a3f726d23e8bab0f3ab85d2bfaafbbfa5c696683026dbd50c7a5849e8aee893083662ae41e
- Filesize: 805KB
  MD5: 6a1f4bd07b38e35b007978bb130742b5
  SHA1: fa396ca0dcc3738555f07c6ffbcbbd48ab67de92
  SHA256: cce183b5df0c236e4d89fb64d34c35909b7fc04c54b3447340b2c44dd7030593
  SHA512: e9dab28fb33f2cec7dec5332236a55554d5ba6e8eaea92cd7e6b0c47dbce8b08c7b45e4c11abd017f4cddd7930ee7214abefeccecba68362157f24710906b657