Analysis
- max time kernel: 90s
- max time network: 92s
- platform: windows10-2004_x64
- resource: win10v2004-20231222-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20231222-en locale:en-us os:windows10-2004-x64 system
- submitted: 01-02-2024 13:53
Static task: static1
Behavioral task: behavioral1
Sample: 18491242336191.js
Resource: win7-20231215-en
General
- Target: 18491242336191.js
- Size: 353KB
- MD5: 00a488ef84d5c94fcc82506405c1fb20
- SHA1: 660c34be4fc2cfad57705d5a607bedfdf5597e7d
- SHA256: 9b24c97d6400214ccfdf2ef5bdc89de58bbe54745b7caa03d0ca0f7861c985e1
- SHA512: 8f9370c6f35c7baaca1e8390843cceaf9a775f799cd44736072b78532a11df239cc64cde336bb033399d37e2f8e4d7aa7f82e21226b2f6b33fb2246db48e6484
- SSDEEP: 6144:GNP/Va6wVPV7GUIxX1uUcaDG1xo2p/Ws8LPF5Nevr:GNnVaTVPV7GUa1/cQG1x5p/zeevr
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | wscript.exe
- Loads dropped DLL (1 IoCs)
  pid | Process
  3288 | rundll32.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (10 IoCs)
  description | pid | Process | procid_target
  PID 4652 wrote to memory of 4932 | 4652 | wscript.exe | 86
  PID 4652 wrote to memory of 4932 | 4652 | wscript.exe | 86
  PID 4932 wrote to memory of 1828 | 4932 | cmd.exe | 92
  PID 4932 wrote to memory of 1828 | 4932 | cmd.exe | 92
  PID 4932 wrote to memory of 4736 | 4932 | cmd.exe | 93
  PID 4932 wrote to memory of 4736 | 4932 | cmd.exe | 93
  PID 4932 wrote to memory of 3552 | 4932 | cmd.exe | 94
  PID 4932 wrote to memory of 3552 | 4932 | cmd.exe | 94
  PID 3552 wrote to memory of 3288 | 3552 | cmd.exe | 95
  PID 3552 wrote to memory of 3288 | 3552 | cmd.exe | 95
Processes
- C:\Windows\system32\wscript.exe (PID 4652)
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\18491242336191.js
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe (PID 4932)
    Command line: "C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\18491242336191.js" "C:\Users\Admin\AppData\Local\Temp\\belllegal.bat" && "C:\Users\Admin\AppData\Local\Temp\\belllegal.bat"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\findstr.exe (PID 1828)
      Command line: findstr /V carriagerun ""C:\Users\Admin\AppData\Local\Temp\\belllegal.bat""
    - C:\Windows\system32\certutil.exe (PID 4736)
      Command line: certutil -f -decode timepolish jealousland.dll
    - C:\Windows\system32\cmd.exe (PID 3552)
      Command line: cmd /c rundll32 jealousland.dll,m
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\rundll32.exe (PID 3288)
        Command line: rundll32 jealousland.dll,m
        Signatures: Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 353KB
  MD5: 00a488ef84d5c94fcc82506405c1fb20
  SHA1: 660c34be4fc2cfad57705d5a607bedfdf5597e7d
  SHA256: 9b24c97d6400214ccfdf2ef5bdc89de58bbe54745b7caa03d0ca0f7861c985e1
  SHA512: 8f9370c6f35c7baaca1e8390843cceaf9a775f799cd44736072b78532a11df239cc64cde336bb033399d37e2f8e4d7aa7f82e21226b2f6b33fb2246db48e6484
- Filesize: 258KB
  MD5: 363e3e964b6d304e8110b1a2eb61fdc5
  SHA1: b449942d73eceafc430a95e8095759a74db6837c
  SHA256: 2bf87306136fb02e8ed7770bcee23d77dad2ab45fbe70d24f226afc1e236e01f
  SHA512: 4fed29c1e7bc7f604515b6439e77475ea4f85771ba0d28397f40a3a9866aa881b0c6b9bc524115fa6f213ddd650ff886b43fa620aa4f1269314d6dd20670b505
- Filesize: 346KB
  MD5: 5b1835d9b309c246b6e269a3143653c3
  SHA1: 0a872a6f63eb8e100979821bade186f5d73d6dbe
  SHA256: f0b862a5c62cc552e14a345efbf0816e37078f312bd46c3663a4be9fd911a893
  SHA512: 78228fc71a8152f1c3ee157db379033211eb63857a0520755505f2b1f0f5c0ab952ff536d96b85b1ef2f6c7ecc56d742f19888c2039212fb947890a1bbdc8360