Analysis
max time kernel: 129s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-02-2024 14:52
Static task: static1
Behavioral task: behavioral1
Sample: 24946_15193478413494.js
Resource: win7-20231215-en
General
Target: 24946_15193478413494.js
Size: 1.9MB
MD5: c587f03e38a7ca5ac023ef8745264eb4
SHA1: a01598d9c8812f2609f0a868c8e44a81ad3c0685
SHA256: 1bf9722c0d8d00609a12614e512f662ea693a8d22a8854ccfcb2de8ca858d16a
SHA512: e6ee7687dddc0e23717c42ba2bf0b46cc19dcf3ff557c5be3e06fbea3e82520f5fa39afa315ff78408d812308ae04ed10a9e3cfa837a4ac5e11d9c4989f4d816
SSDEEP: 24576:z7wlkCvWJPN4RQjEdsFCOlJ+IbY68A7ckHsgPp2K9mkkCJzIrytG7sjxsSzMYOnY:ojTUwehMs
Malware Config
Signatures
Checks computer location settings   2 TTPs   1 IoCs
Looks up country code configured in the registry, likely geofence.
  description         ioc                                                                                                   Process
  Key value queried   \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation   wscript.exe

Loads dropped DLL   1 IoCs
  pid    Process
  3196   rundll32.exe

Enumerates physical storage devices   1 TTPs
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory   8 IoCs
  description                        pid    Process       procid_target
  PID 1096 wrote to memory of 1764   1096   wscript.exe   86
  PID 1096 wrote to memory of 1764   1096   wscript.exe   86
  PID 1764 wrote to memory of 3268   1764   cmd.exe       91
  PID 1764 wrote to memory of 3268   1764   cmd.exe       91
  PID 1764 wrote to memory of 4360   1764   cmd.exe       92
  PID 1764 wrote to memory of 4360   1764   cmd.exe       92
  PID 1764 wrote to memory of 3196   1764   cmd.exe       93
  PID 1764 wrote to memory of 3196   1764   cmd.exe       93
Processes
1. C:\Windows\system32\wscript.exe
   wscript.exe C:\Users\Admin\AppData\Local\Temp\24946_15193478413494.js
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   PID: 1096
   2. C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\24946_15193478413494.js" "C:\Users\Admin\\vaguetongue.bat" && "C:\Users\Admin\\vaguetongue.bat"
      - Suspicious use of WriteProcessMemory
      PID: 1764
      3. C:\Windows\system32\findstr.exe
         findstr /V agreetrick ""C:\Users\Admin\\vaguetongue.bat""
         PID: 3268
      3. C:\Windows\system32\certutil.exe
         certutil -f -decode insidiouswall ladybugwork.dll
         PID: 4360
      3. C:\Windows\system32\rundll32.exe
         rundll32 ladybugwork.dll,main
         - Loads dropped DLL
         PID: 3196
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1.3MB
MD5: 73c7a5a0060662b6d39adb4933d83d7e
SHA1: 97c0a2102a6398047b0256316f235279e74afe3d
SHA256: dfd5b00748f07ce813bbf47c4128912ed5517b1e9fd1a1d6f5eeb6c4e2e751b5
SHA512: 629b6439e44a4ba8dc502228ca269a8e9e8b7ea9b7459b2565c467d0ed059db8cf0f58f25d7cd7c4892cae52c8c52f87c818e4cd36235d7c648d5b27cb450084

Filesize: 1007KB
MD5: 6dcd37226bb68e40f5b6e58361bb0210
SHA1: bb2a47f726aa56a658822ce575b5363f5257047f
SHA256: 639e341b9fc9d256a502d91b784798e09c77fabe6347567a8bbff9c0819c9037
SHA512: 203ee3765f0073ae0d246cb0c4b6eab7d9d989a6487baef91bf8e52d57ee1d033564b0fee519612178e6343f3e1884bc16f959f2ea967b317cafba0048febf7f

Filesize: 1.3MB
MD5: 172a0cf1298ee04df575d6fd591ec63c
SHA1: 29fab1e4477846d226c7e81994958137992a6aed
SHA256: f7df69f6ccb0e06757846ef8e5d4e02026757981b3cdcc7dcf4fd1598c24222c
SHA512: 6cc1740825c4da4d3623dd982613c7581410d007d37ac76277683592f562e080101cd1eee40a1b96fd86683b5db887452596fd87e413c6c6570dcac9113dfae8

Filesize: 1.9MB
MD5: c587f03e38a7ca5ac023ef8745264eb4
SHA1: a01598d9c8812f2609f0a868c8e44a81ad3c0685
SHA256: 1bf9722c0d8d00609a12614e512f662ea693a8d22a8854ccfcb2de8ca858d16a
SHA512: e6ee7687dddc0e23717c42ba2bf0b46cc19dcf3ff557c5be3e06fbea3e82520f5fa39afa315ff78408d812308ae04ed10a9e3cfa837a4ac5e11d9c4989f4d816