Analysis
max time kernel: 129s
max time network: 171s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-02-2024 13:44
Static task: static1
Behavioral task: behavioral1
Sample: 24946_15193478413494.js
Resource: win7-20231215-en
General
Target: 24946_15193478413494.js
Size: 1.9MB
MD5: c587f03e38a7ca5ac023ef8745264eb4
SHA1: a01598d9c8812f2609f0a868c8e44a81ad3c0685
SHA256: 1bf9722c0d8d00609a12614e512f662ea693a8d22a8854ccfcb2de8ca858d16a
SHA512: e6ee7687dddc0e23717c42ba2bf0b46cc19dcf3ff557c5be3e06fbea3e82520f5fa39afa315ff78408d812308ae04ed10a9e3cfa837a4ac5e11d9c4989f4d816
SSDEEP: 24576:z7wlkCvWJPN4RQjEdsFCOlJ+IbY68A7ckHsgPp2K9mkkCJzIrytG7sjxsSzMYOnY:ojTUwehMs
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation
  Process: wscript.exe
Loads dropped DLL (1 IoCs)
  pid: 4180
  Process: rundll32.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of WriteProcessMemory (8 IoCs)
  description                        pid   Process      procid_target
  PID 3320 wrote to memory of 380    3320  wscript.exe  84
  PID 3320 wrote to memory of 380    3320  wscript.exe  84
  PID 380 wrote to memory of 1624    380   cmd.exe      88
  PID 380 wrote to memory of 1624    380   cmd.exe      88
  PID 380 wrote to memory of 4456    380   cmd.exe      90
  PID 380 wrote to memory of 4456    380   cmd.exe      90
  PID 380 wrote to memory of 4180    380   cmd.exe      91
  PID 380 wrote to memory of 4180    380   cmd.exe      91
Processes
1. C:\Windows\system32\wscript.exe
   Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\24946_15193478413494.js
   PID: 3320
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\24946_15193478413494.js" "C:\Users\Admin\\vaguetongue.bat" && "C:\Users\Admin\\vaguetongue.bat"
      PID: 380
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\findstr.exe
         Command line: findstr /V agreetrick ""C:\Users\Admin\\vaguetongue.bat""
         PID: 1624
      3. C:\Windows\system32\certutil.exe
         Command line: certutil -f -decode insidiouswall ladybugwork.dll
         PID: 4456
      3. C:\Windows\system32\rundll32.exe
         Command line: rundll32 ladybugwork.dll,main
         PID: 4180
         - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1.9MB
MD5: faef51ea997d7cd9d5e06163ac7e688d
SHA1: 4d363cd37ae00a68c360a4007cafc7a9b1b39916
SHA256: 75e258a9a0b150d98276059a3083c32fb76ab8b6ccd8867a711d2efff1dad569
SHA512: 1ee6d5e2bd041cd40dd51dabb923c1038caea987c335ed0096a44bfa352a2df11d305ec65c725a0776068ccd4df1ad88d197253d0902f2a69a28d58c0444b0f7

Filesize: 1.4MB
MD5: 37da6d71a857781e6af959bf651b886c
SHA1: 4947e02ade3269501720410aa0710f6bae388cca
SHA256: 59574b349e6554efb11b0ce11711cf0bf399311319f7a8ab17d23011f2715f72
SHA512: 783ae2f77abc6056aca179594ea5165977201378a18a4e871af1415ca9edc9174415130a7aff208785852ec21a5f12caea75910fd3d9f4463a9eac3ffb9ed8f6

Filesize: 1.9MB
MD5: c587f03e38a7ca5ac023ef8745264eb4
SHA1: a01598d9c8812f2609f0a868c8e44a81ad3c0685
SHA256: 1bf9722c0d8d00609a12614e512f662ea693a8d22a8854ccfcb2de8ca858d16a
SHA512: e6ee7687dddc0e23717c42ba2bf0b46cc19dcf3ff557c5be3e06fbea3e82520f5fa39afa315ff78408d812308ae04ed10a9e3cfa837a4ac5e11d9c4989f4d816