Analysis
max time kernel: 150s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64 arch:x86 image:win10v2004-20231215-en locale:en-us os:windows10-2004-x64 system
submitted: 02-02-2024 01:21
Static task: static1
Behavioral task: behavioral1
Sample: 23107ced99838695bf4391c1271bafce47fad96e95b28f52df0a060038f80a7b.js
Resource: win7-20231215-en
General
Target: 23107ced99838695bf4391c1271bafce47fad96e95b28f52df0a060038f80a7b.js
Size: 1.4MB
MD5: 6a6c6d9614e572fedbfb8d2eb108bb42
SHA1: 347b37c4eb1c9d6f6d18d7ec13291436b43bab79
SHA256: 23107ced99838695bf4391c1271bafce47fad96e95b28f52df0a060038f80a7b
SHA512: e7b0a9980f6a08c709ce251baf43553c1799dd7593ad8620d80aeaa1366934072bfd40edbc4d3b6660e8c31b6a74577ad34eb7fd93a3685ac4504eed58c22499
SSDEEP: 24576:68+ynjkFpqZ5YszaGTWeo2a2QQrcuCUw2eQBJeOsvWthPVtd9qu2X+DlvCu0903s:aN
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                                     Process
  Key value queried  \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation   wscript.exe

Loads dropped DLL (1 IoCs)
  pid   Process
  4716  rundll32.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (8 IoCs)
  description                           pid   Process      procid_target
  PID 1468 wrote to memory of 4888      1468  wscript.exe  84
  PID 1468 wrote to memory of 4888      1468  wscript.exe  84
  PID 4888 wrote to memory of 4944      4888  cmd.exe      86
  PID 4888 wrote to memory of 4944      4888  cmd.exe      86
  PID 4888 wrote to memory of 2596      4888  cmd.exe      87
  PID 4888 wrote to memory of 2596      4888  cmd.exe      87
  PID 4888 wrote to memory of 4716      4888  cmd.exe      90
  PID 4888 wrote to memory of 4716      4888  cmd.exe      90
Processes
[1] C:\Windows\system32\wscript.exe
    Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\23107ced99838695bf4391c1271bafce47fad96e95b28f52df0a060038f80a7b.js
    PID: 1468
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\23107ced99838695bf4391c1271bafce47fad96e95b28f52df0a060038f80a7b.js" "C:\Users\Admin\\pleasantobject.bat" && "C:\Users\Admin\\pleasantobject.bat"
        PID: 4888
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\system32\findstr.exe
            Command line: findstr /V militarysnore ""C:\Users\Admin\\pleasantobject.bat""
            PID: 4944

        [3] C:\Windows\system32\certutil.exe
            Command line: certutil -f -decode shakyinconclusive gatewoman.dll
            PID: 2596

        [3] C:\Windows\system32\rundll32.exe
            Command line: rundll32 gatewoman.dll,main
            PID: 4716
            - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1.0MB
MD5: d5f35509799fe456a67d41558f1b0f80
SHA1: c7d1cb4541fadc69dc2f3a6f04b2940600d12e5c
SHA256: ae1388f95f2678b7b6aabaf430b646710cdea10850c2556fbfcc0fb068e6fe4e
SHA512: a9ed4db26bde7a085678ad15fb01e6be0ff4af0c8ffc5f6cdde99d9141b01e6889dbe2f172ae1723f479e0c75488eee6a7a6e79a7529c4dbb95381a80a1c6e48

Filesize: 1.4MB
MD5: 6a6c6d9614e572fedbfb8d2eb108bb42
SHA1: 347b37c4eb1c9d6f6d18d7ec13291436b43bab79
SHA256: 23107ced99838695bf4391c1271bafce47fad96e95b28f52df0a060038f80a7b
SHA512: e7b0a9980f6a08c709ce251baf43553c1799dd7593ad8620d80aeaa1366934072bfd40edbc4d3b6660e8c31b6a74577ad34eb7fd93a3685ac4504eed58c22499

Filesize: 1.4MB
MD5: 6423b4a456dc34d7c6f67740aaa371fa
SHA1: d9d4c432b60581b9d8b3fdd55e781ce5ff5e6df5
SHA256: 25abcd9fb9ee09402dbc40b58466283739f223932fef07239f11548af088e9b4
SHA512: 31c99c287ad497c14f70bd99163e9304952f662089b774ebbc94bf70c07e27ecc683d9e4ace957f17028883c0643e55a0e5ffcceaacc33e95ffd9f748c61b181