Analysis
- max time kernel: 140s
- max time network: 145s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04-02-2024 15:03
- Static task: static1
- Behavioral task: behavioral1
- Sample: 4035_4414671332562.js
- Resource: win7-20231215-en
General
- Target: 4035_4414671332562.js
- Size: 1.7MB
- MD5: 5691f001d9a83639c5f6fed3e999e090
- SHA1: 2ba3ef2e2cca6dfdf154b0565901b4da5833cab9
- SHA256: 7780f61445e2a2ca907d5f1292a02da7753c8959902ea54b1e4bc5bdb655d95e
- SHA512: 9a3188340367feab9734c183a7c43cc98a7de149ecfe3bff27e73de717d9826aa5eab1ab4f532ebcbb43a362f274866bf342c3896fa52d56659daca5daa9eb65
- SSDEEP: 24576:NdjoqRpEnFJoYgKyWGjg5Y0SNS/tSgVNkBI2KCcaxazM9jlVQ8l4PbmFCMX1/QQS:I7RGq
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: wscript.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation (wscript.exe)
- Loads dropped DLL (1 IoC)
  Processes: rundll32.exe (PID 5036)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: wscript.exe, cmd.exe
  PID 3216 (wscript.exe) wrote to memory of 1300 (cmd.exe), twice
  PID 1300 (cmd.exe) wrote to memory of 2096 (findstr.exe), twice
  PID 1300 (cmd.exe) wrote to memory of 5032 (certutil.exe), twice
  PID 1300 (cmd.exe) wrote to memory of 5036 (rundll32.exe), twice
Processes
- C:\Windows\system32\wscript.exe (PID 3216)
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\4035_4414671332562.js
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe (PID 1300)
    Command line: "C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\4035_4414671332562.js" "C:\Users\Admin\\womanlypoor.bat" && "C:\Users\Admin\\womanlypoor.bat"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\findstr.exe (PID 2096)
      Command line: findstr /V mellowfemale ""C:\Users\Admin\\womanlypoor.bat""
    - C:\Windows\system32\certutil.exe (PID 5032)
      Command line: certutil -f -decode comfortablesteer scorchapparatus.dll
    - C:\Windows\system32\rundll32.exe (PID 5036)
      Command line: rundll32 scorchapparatus.dll,main
      Signatures: Loads dropped DLL