Analysis
- max time kernel: 143s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 31-01-2024 15:43
- Static task: static1
- Behavioral task: behavioral1
- Sample: 28836_2593959416481.js
- Resource: win7-20231215-en
General
- Target: 28836_2593959416481.js
- Size: 1.4MB
- MD5: 6a6c6d9614e572fedbfb8d2eb108bb42
- SHA1: 347b37c4eb1c9d6f6d18d7ec13291436b43bab79
- SHA256: 23107ced99838695bf4391c1271bafce47fad96e95b28f52df0a060038f80a7b
- SHA512: e7b0a9980f6a08c709ce251baf43553c1799dd7593ad8620d80aeaa1366934072bfd40edbc4d3b6660e8c31b6a74577ad34eb7fd93a3685ac4504eed58c22499
- SSDEEP: 24576:68+ynjkFpqZ5YszaGTWeo2a2QQrcuCUw2eQBJeOsvWthPVtd9qu2X+DlvCu0903s:aN
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation
  Process: wscript.exe
- Loads dropped DLL (1 IoCs)
  pid 800, Process rundll32.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (8 IoCs)
  description (pid, Process, procid_target):
  PID 2312 wrote to memory of 1188 (2312, wscript.exe, 86)
  PID 2312 wrote to memory of 1188 (2312, wscript.exe, 86)
  PID 1188 wrote to memory of 4864 (1188, cmd.exe, 87)
  PID 1188 wrote to memory of 4864 (1188, cmd.exe, 87)
  PID 1188 wrote to memory of 4436 (1188, cmd.exe, 88)
  PID 1188 wrote to memory of 4436 (1188, cmd.exe, 88)
  PID 1188 wrote to memory of 800 (1188, cmd.exe, 89)
  PID 1188 wrote to memory of 800 (1188, cmd.exe, 89)
Processes
- C:\Windows\system32\wscript.exe
  wscript.exe C:\Users\Admin\AppData\Local\Temp\28836_2593959416481.js
  PID: 2312
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\28836_2593959416481.js" "C:\Users\Admin\\pleasantobject.bat" && "C:\Users\Admin\\pleasantobject.bat"
    PID: 1188
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\findstr.exe
      findstr /V militarysnore ""C:\Users\Admin\\pleasantobject.bat""
      PID: 4864
    - C:\Windows\system32\certutil.exe
      certutil -f -decode shakyinconclusive gatewoman.dll
      PID: 4436
    - C:\Windows\system32\rundll32.exe
      rundll32 gatewoman.dll,main
      PID: 800
      - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads