Analysis
max time kernel: 1174s
max time network: 1176s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-02-2024 13:57
Static task: static1
Behavioral task: behavioral1
Sample: samples.zip
Resource: win10v2004-20231215-en

General
Target: 3b1e6f545d77b1999b877967fd736c7ba01531b26874311b436d014f91803bf3
Size: 1.8MB
MD5: 97ef45c0303878a80b44a236e27fd30b
SHA1: 14cdc83dae55ad1e6d9d5f01c7bd431db1b1654f
SHA256: 3b1e6f545d77b1999b877967fd736c7ba01531b26874311b436d014f91803bf3
SHA512: 1f8bee9f9922b89eef565465fba7a70d45babed06a59c9e72730672bfe2f3c6e542ecb43336121e00a2bcf5b345547b61615d1c6a7b6f6753b153f914bac96ee
SSDEEP: 24576:S/YK0om5hQqko3/EIUaPyycFFfqcIe2c3UyWKBWM5uiSnBl37EWeG+j2Y1LHYgp8:vak
Malware Config
Signatures
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation | WScript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation | WScript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation | WScript.exe

Loads dropped DLL (3 IoCs)
pid | Process
2308 | rundll32.exe
4072 | rundll32.exe
3504 | rundll32.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (24 IoCs)
description | pid | Process | procid_target
PID 4832 wrote to memory of 2368 | 4832 | WScript.exe | 96
PID 4832 wrote to memory of 2368 | 4832 | WScript.exe | 96
PID 2368 wrote to memory of 2964 | 2368 | cmd.exe | 98
PID 2368 wrote to memory of 2964 | 2368 | cmd.exe | 98
PID 2368 wrote to memory of 4248 | 2368 | cmd.exe | 99
PID 2368 wrote to memory of 4248 | 2368 | cmd.exe | 99
PID 2368 wrote to memory of 2308 | 2368 | cmd.exe | 100
PID 2368 wrote to memory of 2308 | 2368 | cmd.exe | 100
PID 5076 wrote to memory of 756 | 5076 | WScript.exe | 103
PID 5076 wrote to memory of 756 | 5076 | WScript.exe | 103
PID 756 wrote to memory of 264 | 756 | cmd.exe | 104
PID 756 wrote to memory of 264 | 756 | cmd.exe | 104
PID 756 wrote to memory of 840 | 756 | cmd.exe | 105
PID 756 wrote to memory of 840 | 756 | cmd.exe | 105
PID 756 wrote to memory of 4072 | 756 | cmd.exe | 106
PID 756 wrote to memory of 4072 | 756 | cmd.exe | 106
PID 4472 wrote to memory of 4876 | 4472 | WScript.exe | 108
PID 4472 wrote to memory of 4876 | 4472 | WScript.exe | 108
PID 4876 wrote to memory of 4468 | 4876 | cmd.exe | 110
PID 4876 wrote to memory of 4468 | 4876 | cmd.exe | 110
PID 4876 wrote to memory of 4320 | 4876 | cmd.exe | 111
PID 4876 wrote to memory of 4320 | 4876 | cmd.exe | 111
PID 4876 wrote to memory of 3504 | 4876 | cmd.exe | 112
PID 4876 wrote to memory of 3504 | 4876 | cmd.exe | 112
Processes
Process tree (indentation shows parent/child depth; each entry lists image path, command line, triggered signatures, PID)

C:\Windows\system32\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\3b1e6f545d77b1999b877967fd736c7ba01531b26874311b436d014f91803bf3
  PID: 372

C:\Windows\System32\rundll32.exe
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 1852

C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3b1e6f545d77b1999b877967fd736c7ba01531b26874311b436d014f91803bf3.js"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID: 4832
    C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\3b1e6f545d77b1999b877967fd736c7ba01531b26874311b436d014f91803bf3.js" "C:\Users\Admin\\trainreproduce.bat" && "C:\Users\Admin\\trainreproduce.bat"
      - Suspicious use of WriteProcessMemory
      PID: 2368
        C:\Windows\system32\findstr.exe
          findstr /V hammerachiever ""C:\Users\Admin\\trainreproduce.bat""
          PID: 2964
        C:\Windows\system32\certutil.exe
          certutil -f -decode licenseanxious alivebooks.dll
          PID: 4248
        C:\Windows\system32\rundll32.exe
          rundll32 alivebooks.dll,main
          - Loads dropped DLL
          PID: 2308

C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3b1e6f545d77b1999b877967fd736c7ba01531b26874311b436d014f91803bf3.js"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID: 5076
    C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\3b1e6f545d77b1999b877967fd736c7ba01531b26874311b436d014f91803bf3.js" "C:\Users\Admin\\trainreproduce.bat" && "C:\Users\Admin\\trainreproduce.bat"
      - Suspicious use of WriteProcessMemory
      PID: 756
        C:\Windows\system32\findstr.exe
          findstr /V hammerachiever ""C:\Users\Admin\\trainreproduce.bat""
          PID: 264
        C:\Windows\system32\certutil.exe
          certutil -f -decode licenseanxious alivebooks.dll
          PID: 840
        C:\Windows\system32\rundll32.exe
          rundll32 alivebooks.dll,main
          - Loads dropped DLL
          PID: 4072

C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3b1e6f545d77b1999b877967fd736c7ba01531b26874311b436d014f91803bf3.js"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID: 4472
    C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\3b1e6f545d77b1999b877967fd736c7ba01531b26874311b436d014f91803bf3.js" "C:\Users\Admin\\trainreproduce.bat" && "C:\Users\Admin\\trainreproduce.bat"
      - Suspicious use of WriteProcessMemory
      PID: 4876
        C:\Windows\system32\findstr.exe
          findstr /V hammerachiever ""C:\Users\Admin\\trainreproduce.bat""
          PID: 4468
        C:\Windows\system32\certutil.exe
          certutil -f -decode licenseanxious alivebooks.dll
          PID: 4320
        C:\Windows\system32\rundll32.exe
          rundll32 alivebooks.dll,main
          - Loads dropped DLL
          PID: 3504
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1.3MB
MD5: 50e82a0939f2e5e07db2883b6d8f0f57
SHA1: f9455b140bd8577d852927905ab3b432b0047b02
SHA256: 0cc102da3a0f71e77164ac351b19796dad1affa0a3283753f46708ee921d762c
SHA512: 2d96ce17ae184b67695f5cf017eb4af8c8e05d60df9d5a6b98f502b835bae2cfea40d393967fa6d6cd17842b2a100e629433ce79d930408e64aef0bc9d2350b7

Filesize: 533KB
MD5: ef6035b14fd8885507ced592f336f9f8
SHA1: f636c1aa5c13f1b9d2287dc701102e65880639a7
SHA256: 055735d13611e484ff4220c2b45c6d96fa72298dc841b7ed8af409b7e3845e5e
SHA512: ab177ad8c4a700d559235c994d02d41f43f549583dbccd6df8fbc5054a9ba2ddc4bc4edc1a10ea8f3c61aa79ff2f87fd8284f6b1ae4508968eed2ebdb8ba0907

Filesize: 822KB
MD5: 122cb5f616cfb20f67e1a31420f531d7
SHA1: 78560db9f7801dfee3fc01f72b7154d44e17c5e4
SHA256: 6d110058be6456131a573fa494d131518ff5fd76c30a975ab56e95c515a23c24
SHA512: 6e3d6130e772167bd17fb95ceda2a0b61aeef8b96a14d9aa6a4125404b8b6aaeb8be03e21d8634f3f4f312cb95f3d78bc7acd072a0f7e6843a1f7497c4bddbd5

Filesize: 665KB
MD5: a614137204d6b90175da5a1b7c5b05f7
SHA1: 0eddb9b2c9afb9c61e7ec7413472a8a14253b190
SHA256: 8ab76629f969514aa55d61f0439e97b0b5f1ce5af843eeb33d65ca50b1d9848b
SHA512: 964aa24f1000635e08015bac80c210638a6e188f5002cb1ad84c94514befea25bc9430fd2bb40514739062405d1da58a24ae191fbf9118f6f2ddec28e37496a3

Filesize: 696KB
MD5: e827253fbfeaa39f6465bbbe8ef6f9e1
SHA1: 8a0a53da7d7d38d1023fb31feaeb5da71e61e428
SHA256: 9e565ee1fd4b16c66d06e274a2ed04439b9368af613798ba189db6873c8b350c
SHA512: 1521a179c31b7afaab8e93cd8877dbd838a6dc77a8014614f571b72b5f3824f5fb8bb1f751f2870f8c46b3032f03630ec950b604e5fbdc360748fdaeba74c587

Filesize: 1.8MB
MD5: cccbee3669234b546da8c922dae5515b
SHA1: 6545a901c5b40a29967ed0c30e308a413485bbf9
SHA256: 2ddcf13b108c3cda14cff5ff089539281bc95b6072a16aed5e5432d46daaa5ce
SHA512: 6107ed80789bade3e624b742f76d5f409c7dc4005ad8d2caf192bd8b2b58adf84d0e1a61ea7559088baad3bfc2b130fe208a2162b49e0f297775db594b7b857c

Filesize: 782KB
MD5: e0fdf13959e902a8f04ad8ac419bef7a
SHA1: ad18df88debbd0af8d8c623cf1823b983ab80e8f
SHA256: 0cd50f9403330cac7c06718af50d83789b805310c2a207abc3507aaab1c24a08
SHA512: 7f4221702ceafd91991129ed28d5e12efa7f7261763359f5bda77c724531ba68cbf7f7e2f1d7806682bf1bc5f090ed18fa081b2eab3708f994995fcd6947fb2d

Filesize: 704KB
MD5: bab0014deb14f24d20658e95e1e32f65
SHA1: ed17543cf92b081d78c090a972ae4f49435746b3
SHA256: 7f3f8cd9dbc11e09a65d9a92e46c5ec5b8fc547617057883a80342e75d6329f9
SHA512: a1bff1f0774bcb671cda9c1c9767ec5727e568f6b723deb5a5ddca7f41a39b91cd1c8d74617a91a6a17e69dc39f615df773f4ebc89506830c7c381ee8bf52b82

Filesize: 1.6MB
MD5: 7b9b251c87bd3959eb6daf22ef5a95d4
SHA1: 57dddbb33d9769993a4633dcdb9341c6d3611979
SHA256: 81b8ea02158c925448668d5c041e8b83856b293ed31886c5921d0ad60a3f4f11
SHA512: c6503cdd38e539669cd7d64c402a450205bbaa6176bbea3bea855ce0ad868de7bf47843be81165ba24ddbdde8cb7d7f3a29a3550b2a869728fc28cdb00f988ac

Filesize: 1.8MB
MD5: 97ef45c0303878a80b44a236e27fd30b
SHA1: 14cdc83dae55ad1e6d9d5f01c7bd431db1b1654f
SHA256: 3b1e6f545d77b1999b877967fd736c7ba01531b26874311b436d014f91803bf3
SHA512: 1f8bee9f9922b89eef565465fba7a70d45babed06a59c9e72730672bfe2f3c6e542ecb43336121e00a2bcf5b345547b61615d1c6a7b6f6753b153f914bac96ee

Filesize: 1.8MB
MD5: f420c6e2b75278a05ada549649e5fb59
SHA1: ceacf069d47b036480b968d0b3048a88f62d040d
SHA256: d3319da67e41d37b6b9358403577e6440316643d76191abdc3cdb63f73a0f5ff
SHA512: 0081b834ff8a33d379d44b6868d78a6e0ed44774d922d975382af6bfbe8994867f2b9b3376f6000e2b4617afcdc44d79c5923bcb97d50521365022ff46db01fe