Analysis

max time kernel: 142s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-01-2024 03:05

Static task: static1
Behavioral task: behavioral1
Sample: 287212633216314.js
Resource: win7-20231215-en

General

Target: 287212633216314.js
Size: 354KB
MD5: cd856039e0eadf0f5dfdcd036cb3edc9
SHA1: b0692de01ae5e2b4a0df6e41a5ba8e129fbd08bd
SHA256: 805906250cc6d183deca8995103f8fc0848c5e25b4d67d72461af0e67ebb9c16
SHA512: a3c45d99c8b1ca02b475b6c2412e6db7e9eabc439228be8a822049708588971f349e504eeb15cac3b637832ee8ec7c6ae36cd84cfa185c82fcbf1b08a8256fcc
SSDEEP: 6144:Gdk9VWlGxMJNlP6QDJxv6HXYUKEZ1O59CNXAfAQmKybf7tmgD:WuWIMJX6QH6HX1KEZ1xK65mgD
Malware Config

Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation
  Process: wscript.exe

Loads dropped DLL (1 IoC)
  pid: 2272
  Process: rundll32.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (10 IoCs)
  description                         pid   Process      procid_target
  PID 3204 wrote to memory of 2484    3204  wscript.exe  84
  PID 3204 wrote to memory of 2484    3204  wscript.exe  84
  PID 2484 wrote to memory of 1836    2484  cmd.exe      88
  PID 2484 wrote to memory of 1836    2484  cmd.exe      88
  PID 2484 wrote to memory of 4900    2484  cmd.exe      89
  PID 2484 wrote to memory of 4900    2484  cmd.exe      89
  PID 2484 wrote to memory of 2632    2484  cmd.exe      90
  PID 2484 wrote to memory of 2632    2484  cmd.exe      90
  PID 2632 wrote to memory of 2272    2632  cmd.exe      91
  PID 2632 wrote to memory of 2272    2632  cmd.exe      91
Processes

C:\Windows\system32\wscript.exe (depth 1)
  wscript.exe C:\Users\Admin\AppData\Local\Temp\287212633216314.js
  PID: 3204
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\cmd.exe (depth 2)
    "C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\287212633216314.js" "C:\Users\Admin\AppData\Local\Temp\\obtainfaint.bat" && "C:\Users\Admin\AppData\Local\Temp\\obtainfaint.bat"
    PID: 2484
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\findstr.exe (depth 3)
      findstr /V outrageousdepressed ""C:\Users\Admin\AppData\Local\Temp\\obtainfaint.bat""
      PID: 1836

    C:\Windows\system32\certutil.exe (depth 3)
      certutil -f -decode zephyrhome tickettoys.dll
      PID: 4900

    C:\Windows\system32\cmd.exe (depth 3)
      cmd /c rundll32 tickettoys.dll,m
      PID: 2632
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\rundll32.exe (depth 4)
        rundll32 tickettoys.dll,m
        PID: 2272
        - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 354KB
MD5: cd856039e0eadf0f5dfdcd036cb3edc9
SHA1: b0692de01ae5e2b4a0df6e41a5ba8e129fbd08bd
SHA256: 805906250cc6d183deca8995103f8fc0848c5e25b4d67d72461af0e67ebb9c16
SHA512: a3c45d99c8b1ca02b475b6c2412e6db7e9eabc439228be8a822049708588971f349e504eeb15cac3b637832ee8ec7c6ae36cd84cfa185c82fcbf1b08a8256fcc

Filesize: 257KB
MD5: 4cc26a2da2049ff4509091cdbf004c5e
SHA1: 0bba8d2338b7db224047760a27c57afa02748f05
SHA256: 3ad13a452ab86fb5eccbf0bf71f33700369fdd5114c3a8d13c52e722a1586312
SHA512: cabc55978155dfddc6e6f2bbfe712b66998c3858dc52680c9e99f5a8040c001e52d76093e77636f6b03ba63f4798a04dc12c9f8438a5bfe97ccd90ccd2da02de

Filesize: 284KB
MD5: 45bb4703b30d265f474073b79d575f7b
SHA1: e1e96b924e135ab196a858705d7d0d7faeb79089
SHA256: f23ad20f62511db7458b14aa5e26cdd310b9274a297f1cb87772ff5798fc061c
SHA512: 92b519f6a9281aa082d178ac4811988955ddb317684b6becc8bb73b57e129dff977803646d9917a83c5b07114080213d5297529bbe6dc99fa03d3efc19b3cfda