Resubmissions
Submitted          | Analysis ID        | Score
19-02-2024 19:16   | 240219-xzannsbc6y  | 10
19-02-2024 19:12   | 240219-xwla1abb8z  | 10
06-02-2024 16:53   | 240206-veee1sbeb4  | 10

Analysis
- max time kernel: 92s
- max time network: 123s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06-02-2024 16:53
- Static task: static1
- Behavioral task: behavioral1
- Sample: 1727822909290912689.js
- Resource: win7-20231215-en
General
- Target: 1727822909290912689.js
- Size: 647KB
- MD5: 9d68a860c54584dd2d52f465160ee6ad
- SHA1: 42270d711512467421fd9f15530a70476f383172
- SHA256: cf66b2a95512490b690794f70d6c847aa8047bee3975c1eb46a7a892f74b9cff
- SHA512: 352838f21a3664f308327c3e9e7f318d3af3480f0fcf952c2ae9cbd647826baf29274db0545822ff13365271ae2638f3a7b662caf40744b14cf6502abbad0539
- SSDEEP: 6144:GYkeuxJrlxHlmMkIKjT5/gId68KpldKlZk7bm0KGm63EYnkkenxf2SeefVZwzqzs:GY7orJGIS/gIl3NGN0YnkR+tfVWE
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  description       | ioc                                                                                                         | process
  Key value queried | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation | wscript.exe
- Loads dropped DLL (1 IoC)
  Processes:
  pid  | process
  4820 | rundll32.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes:
  description                        | pid  | process     | target process
  PID 3180 wrote to memory of 4608   | 3180 | wscript.exe | cmd.exe
  PID 3180 wrote to memory of 4608   | 3180 | wscript.exe | cmd.exe
  PID 4608 wrote to memory of 740    | 4608 | cmd.exe     | findstr.exe
  PID 4608 wrote to memory of 740    | 4608 | cmd.exe     | findstr.exe
  PID 4608 wrote to memory of 4748   | 4608 | cmd.exe     | certutil.exe
  PID 4608 wrote to memory of 4748   | 4608 | cmd.exe     | certutil.exe
  PID 4608 wrote to memory of 2512   | 4608 | cmd.exe     | cmd.exe
  PID 4608 wrote to memory of 2512   | 4608 | cmd.exe     | cmd.exe
  PID 2512 wrote to memory of 4820   | 2512 | cmd.exe     | rundll32.exe
  PID 2512 wrote to memory of 4820   | 2512 | cmd.exe     | rundll32.exe
Processes
- C:\Windows\system32\wscript.exe (PID 3180)
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\1727822909290912689.js
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe (PID 4608)
    Command line: "C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\1727822909290912689.js" "C:\Users\Admin\\yelltame.bat" && "C:\Users\Admin\\yelltame.bat"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\findstr.exe (PID 740)
      Command line: findstr /V complexsugar ""C:\Users\Admin\\yelltame.bat""
    - C:\Windows\system32\certutil.exe (PID 4748)
      Command line: certutil -f -decode cherryargument high-pitchedhandsomely.dll
    - C:\Windows\system32\cmd.exe (PID 2512)
      Command line: cmd /C rundll32 high-pitchedhandsomely.dll,main
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\rundll32.exe (PID 4820)
        Command line: rundll32 high-pitchedhandsomely.dll,main
        - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 306KB
  MD5: e0ab76e2f14e9a8d3314f0d88924c318
  SHA1: debed77dc28f418fa1d4d3c76d11f543cd75ce73
  SHA256: ea11fda572f1131a0e002d3475324411aee6c8760ac69e7118f13170521913ca
  SHA512: e978e6f237aff763f8a87f6fc81c6f82bd98afdf210c3f4d2fa88df06ac0d2d421cbbc845d40ff2441a725d0392ecc8e0d0daeac48d49cad6d3cf5a1c08d91ac
- Filesize: 229KB
  MD5: 7510774ef92e9c6a391b92a0bd3f408b
  SHA1: 741652f31e83c6ed6908ed4e0cfc46f79451d985
  SHA256: 4254817a71122bb75a09cfa918c3a5c8fac4b44c2073cb5f62f25931531c739c
  SHA512: a5a6a058975bdef39be187104895be1656ee8547abd9cdbe0713cf4f7a7f92e5f5c901edf7ba4dd18bd6a9e65631e64f73a681ab3563f8eed00381c257b32264
- Filesize: 647KB
  MD5: 9d68a860c54584dd2d52f465160ee6ad
  SHA1: 42270d711512467421fd9f15530a70476f383172
  SHA256: cf66b2a95512490b690794f70d6c847aa8047bee3975c1eb46a7a892f74b9cff
  SHA512: 352838f21a3664f308327c3e9e7f318d3af3480f0fcf952c2ae9cbd647826baf29274db0545822ff13365271ae2638f3a7b662caf40744b14cf6502abbad0539