Analysis
max time kernel: 135s
max time network: 159s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-01-2024 15:43
Static task: static1
Behavioral task: behavioral1
Sample: 28836_2593959416481.js
Resource: win7-20231215-en
General
Target: 28836_2593959416481.js
Size: 1.4MB
MD5: 6a6c6d9614e572fedbfb8d2eb108bb42
SHA1: 347b37c4eb1c9d6f6d18d7ec13291436b43bab79
SHA256: 23107ced99838695bf4391c1271bafce47fad96e95b28f52df0a060038f80a7b
SHA512: e7b0a9980f6a08c709ce251baf43553c1799dd7593ad8620d80aeaa1366934072bfd40edbc4d3b6660e8c31b6a74577ad34eb7fd93a3685ac4504eed58c22499
SSDEEP: 24576:68+ynjkFpqZ5YszaGTWeo2a2QQrcuCUw2eQBJeOsvWthPVtd9qu2X+DlvCu0903s:aN
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                                   Process
  Key value queried  \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation  wscript.exe

Loads dropped DLL (1 IoCs)
  pid   Process
  1164  rundll32.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (8 IoCs)
  description                        pid   Process      procid_target
  PID 3436 wrote to memory of 668    3436  wscript.exe  84
  PID 3436 wrote to memory of 668    3436  wscript.exe  84
  PID 668 wrote to memory of 4224    668   cmd.exe      89
  PID 668 wrote to memory of 4224    668   cmd.exe      89
  PID 668 wrote to memory of 3356    668   cmd.exe      90
  PID 668 wrote to memory of 3356    668   cmd.exe      90
  PID 668 wrote to memory of 1164    668   cmd.exe      91
  PID 668 wrote to memory of 1164    668   cmd.exe      91
Processes
1. C:\Windows\system32\wscript.exe
   wscript.exe C:\Users\Admin\AppData\Local\Temp\28836_2593959416481.js
   PID: 3436
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\28836_2593959416481.js" "C:\Users\Admin\\pleasantobject.bat" && "C:\Users\Admin\\pleasantobject.bat"
      PID: 668
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\findstr.exe
         findstr /V militarysnore ""C:\Users\Admin\\pleasantobject.bat""
         PID: 4224
      3. C:\Windows\system32\certutil.exe
         certutil -f -decode shakyinconclusive gatewoman.dll
         PID: 3356
      3. C:\Windows\system32\rundll32.exe
         rundll32 gatewoman.dll,main
         PID: 1164
         - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1.0MB
MD5: d5f35509799fe456a67d41558f1b0f80
SHA1: c7d1cb4541fadc69dc2f3a6f04b2940600d12e5c
SHA256: ae1388f95f2678b7b6aabaf430b646710cdea10850c2556fbfcc0fb068e6fe4e
SHA512: a9ed4db26bde7a085678ad15fb01e6be0ff4af0c8ffc5f6cdde99d9141b01e6889dbe2f172ae1723f479e0c75488eee6a7a6e79a7529c4dbb95381a80a1c6e48

Filesize: 1.4MB
MD5: 6a6c6d9614e572fedbfb8d2eb108bb42
SHA1: 347b37c4eb1c9d6f6d18d7ec13291436b43bab79
SHA256: 23107ced99838695bf4391c1271bafce47fad96e95b28f52df0a060038f80a7b
SHA512: e7b0a9980f6a08c709ce251baf43553c1799dd7593ad8620d80aeaa1366934072bfd40edbc4d3b6660e8c31b6a74577ad34eb7fd93a3685ac4504eed58c22499

Filesize: 1.4MB
MD5: 6423b4a456dc34d7c6f67740aaa371fa
SHA1: d9d4c432b60581b9d8b3fdd55e781ce5ff5e6df5
SHA256: 25abcd9fb9ee09402dbc40b58466283739f223932fef07239f11548af088e9b4
SHA512: 31c99c287ad497c14f70bd99163e9304952f662089b774ebbc94bf70c07e27ecc683d9e4ace957f17028883c0643e55a0e5ffcceaacc33e95ffd9f748c61b181