Analysis

max time kernel: 1164s
max time network: 1169s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-02-2024 13:57

Static task: static1
Behavioral task: behavioral1
Sample: samples.zip
Resource: win10v2004-20231215-en

General

Target: samples.zip
Size: 638KB
MD5: f9b1b162ec801ce4315ae13425a3de89
SHA1: c9bde0245dcbc93d3336357c123dca6da855ebe1
SHA256: bcb6561a9a8fbaaad702961e156a80c77d3e7f317178bf3f4ab04086bcd526ab
SHA512: aa1e1f01e32bb12167847bf01fbc467565e9b307598d3d46773b6c892bfe0f2cc9dc2419cb1421e7679a4d0a26f3985bcb4bfeaff33ac1cd178e6515ad463277
SSDEEP: 12288:UHB425PMKYduuooYk2DYv7yK97DyzT8uF+1XIwMq0AwJiDX/J0JVwtMR4n54X6:UHBN53ruo62ETy67DyzT891XQAairsVy
Malware Config

Signatures

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
    description        ioc                                                                                                     Process
    Key value queried  \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation  WScript.exe
    Key value queried  \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation  WScript.exe

Loads dropped DLL (2 IoCs)
    pid   Process
    1784  rundll32.exe
    3660  rundll32.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Opens file in notepad (likely ransom note) (1 IoCs)
    pid   Process
    1328  Notepad.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
    description                 pid   Process
    Token: SeRestorePrivilege   1680  7zG.exe
    Token: 35                   1680  7zG.exe
    Token: SeSecurityPrivilege  1680  7zG.exe
    Token: SeSecurityPrivilege  1680  7zG.exe

Suspicious use of FindShellTrayWindow (1 IoCs)
    pid   Process
    1680  7zG.exe

Suspicious use of WriteProcessMemory (16 IoCs)
    description                       pid   Process      procid_target
    PID 2372 wrote to memory of 1740  2372  WScript.exe  98
    PID 2372 wrote to memory of 1740  2372  WScript.exe  98
    PID 1740 wrote to memory of 1400  1740  cmd.exe      99
    PID 1740 wrote to memory of 1400  1740  cmd.exe      99
    PID 1740 wrote to memory of 4948  1740  cmd.exe      100
    PID 1740 wrote to memory of 4948  1740  cmd.exe      100
    PID 1740 wrote to memory of 1784  1740  cmd.exe      101
    PID 1740 wrote to memory of 1784  1740  cmd.exe      101
    PID 556 wrote to memory of 4872   556   WScript.exe  103
    PID 556 wrote to memory of 4872   556   WScript.exe  103
    PID 4872 wrote to memory of 396   4872  cmd.exe      105
    PID 4872 wrote to memory of 396   4872  cmd.exe      105
    PID 4872 wrote to memory of 468   4872  cmd.exe      106
    PID 4872 wrote to memory of 468   4872  cmd.exe      106
    PID 4872 wrote to memory of 3660  4872  cmd.exe      107
    PID 4872 wrote to memory of 3660  4872  cmd.exe      107
Processes
(child processes are indented under their parent)

C:\Windows\Explorer.exe
    command line: C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\samples.zip
    PID: 1208

C:\Windows\System32\rundll32.exe
    command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    PID: 4228

C:\Program Files\7-Zip\7zG.exe
    command line: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\samples\" -spe -an -ai#7zMap4734:94:7zEvent10073
    signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow
    PID: 1680

C:\Windows\System32\WScript.exe
    command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\samples\3b1e6f545d77b1999b877967fd736c7ba01531b26874311b436d014f91803bf3.js"
    signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
    PID: 2372

    C:\Windows\System32\cmd.exe
        command line: "C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\samples\3b1e6f545d77b1999b877967fd736c7ba01531b26874311b436d014f91803bf3.js" "C:\Users\Admin\\trainreproduce.bat" && "C:\Users\Admin\\trainreproduce.bat"
        signatures: Suspicious use of WriteProcessMemory
        PID: 1740

        C:\Windows\system32\findstr.exe
            command line: findstr /V hammerachiever ""C:\Users\Admin\\trainreproduce.bat""
            PID: 1400

        C:\Windows\system32\certutil.exe
            command line: certutil -f -decode licenseanxious alivebooks.dll
            PID: 4948

        C:\Windows\system32\rundll32.exe
            command line: rundll32 alivebooks.dll,main
            signatures: Loads dropped DLL
            PID: 1784

C:\Windows\System32\WScript.exe
    command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\samples\3b1e6f545d77b1999b877967fd736c7ba01531b26874311b436d014f91803bf3.js"
    signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
    PID: 556

    C:\Windows\System32\cmd.exe
        command line: "C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\samples\3b1e6f545d77b1999b877967fd736c7ba01531b26874311b436d014f91803bf3.js" "C:\Users\Admin\\trainreproduce.bat" && "C:\Users\Admin\\trainreproduce.bat"
        signatures: Suspicious use of WriteProcessMemory
        PID: 4872

        C:\Windows\system32\findstr.exe
            command line: findstr /V hammerachiever ""C:\Users\Admin\\trainreproduce.bat""
            PID: 396

        C:\Windows\system32\certutil.exe
            command line: certutil -f -decode licenseanxious alivebooks.dll
            PID: 468

        C:\Windows\system32\rundll32.exe
            command line: rundll32 alivebooks.dll,main
            signatures: Loads dropped DLL
            PID: 3660

C:\Windows\System32\Notepad.exe
    command line: "C:\Windows\System32\Notepad.exe" C:\Users\Admin\AppData\Local\Temp\samples\3b1e6f545d77b1999b877967fd736c7ba01531b26874311b436d014f91803bf3.js
    signatures: Opens file in notepad (likely ransom note)
    PID: 1328
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\Local\Temp\samples\3b1e6f545d77b1999b877967fd736c7ba01531b26874311b436d014f91803bf3.js
    Filesize: 1.8MB
    MD5: 97ef45c0303878a80b44a236e27fd30b
    SHA1: 14cdc83dae55ad1e6d9d5f01c7bd431db1b1654f
    SHA256: 3b1e6f545d77b1999b877967fd736c7ba01531b26874311b436d014f91803bf3
    SHA512: 1f8bee9f9922b89eef565465fba7a70d45babed06a59c9e72730672bfe2f3c6e542ecb43336121e00a2bcf5b345547b61615d1c6a7b6f6753b153f914bac96ee

    Filesize: 1.3MB
    MD5: 50e82a0939f2e5e07db2883b6d8f0f57
    SHA1: f9455b140bd8577d852927905ab3b432b0047b02
    SHA256: 0cc102da3a0f71e77164ac351b19796dad1affa0a3283753f46708ee921d762c
    SHA512: 2d96ce17ae184b67695f5cf017eb4af8c8e05d60df9d5a6b98f502b835bae2cfea40d393967fa6d6cd17842b2a100e629433ce79d930408e64aef0bc9d2350b7

    Filesize: 1.8MB
    MD5: cccbee3669234b546da8c922dae5515b
    SHA1: 6545a901c5b40a29967ed0c30e308a413485bbf9
    SHA256: 2ddcf13b108c3cda14cff5ff089539281bc95b6072a16aed5e5432d46daaa5ce
    SHA512: 6107ed80789bade3e624b742f76d5f409c7dc4005ad8d2caf192bd8b2b58adf84d0e1a61ea7559088baad3bfc2b130fe208a2162b49e0f297775db594b7b857c

    Filesize: 991KB
    MD5: 8de56a50f6ad2682277860101b8996c7
    SHA1: f53772aaac0baa71fed3c5953a788c7b59aeb9f1
    SHA256: 4941db609c0650bdffa6fcea7af4844c3e7886b0f03d376715f87b10766a1bb4
    SHA512: e3e7487d25faf6d6a0e870928aecdff59617de8f7843f44770d8149abefd5d462ba992e7eeeede6a957f5058aef70770dfe3e394b9a390fc4087f2cc237b74c7