Overview
score: 10

Static
score: 10

Sample                 Platform             Score
14052163e5...43.exe    windows7-x64         10
14052163e5...43.exe    windows10-1703-x64   10
14052163e5...43.exe    windows10-2004-x64   10
14052163e5...43.exe    windows11-21h2-x64   10
Antimalwar...ble.js    windows7-x64         8
Antimalwar...ble.js    windows10-1703-x64   8
Antimalwar...ble.js    windows10-2004-x64   8
Antimalwar...ble.js    windows11-21h2-x64   8
EmbraTor M...et.exe    windows7-x64         1
EmbraTor M...et.exe    windows10-1703-x64   1
EmbraTor M...et.exe    windows10-2004-x64   1
EmbraTor M...et.exe    windows11-21h2-x64   1
Java Install.jar       windows7-x64         1
Java Install.jar       windows10-1703-x64   10
Java Install.jar       windows10-2004-x64   7
Java Install.jar       windows11-21h2-x64   10
MsMpEng.js             windows7-x64         10
MsMpEng.js             windows10-1703-x64   9
MsMpEng.js             windows10-2004-x64   10
MsMpEng.js             windows11-21h2-x64   10
Windows Dr...on.vbs    windows7-x64         10
Windows Dr...on.vbs    windows10-1703-x64   10
Windows Dr...on.vbs    windows10-2004-x64   10
Windows Dr...on.vbs    windows11-21h2-x64   10

Resubmissions
Submitted          ID                   Score
09-04-2024 13:34   240409-qvlrtabe9s    10
09-04-2024 13:34   240409-qvk6aabe81    10
09-04-2024 13:33   240409-qthzjabe5z    10
09-04-2024 13:33   240409-qthc1abe5y    10
07-07-2023 11:45   230707-nw632ahf6w    10

Analysis
max time kernel: 1799s
max time network: 1802s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09-04-2024 13:34
Behavioral tasks
Task           Sample                            Resource
behavioral1    14052163e50c197697c64b143.exe     win7-20231129-en
behavioral2    14052163e50c197697c64b143.exe     win10-20240404-en
behavioral3    14052163e50c197697c64b143.exe     win10v2004-20240226-en
behavioral4    14052163e50c197697c64b143.exe     win11-20240214-en
behavioral5    Antimalware Service Executable.js win7-20240221-en
behavioral6    Antimalware Service Executable.js win10-20240404-en
behavioral7    Antimalware Service Executable.js win10v2004-20240226-en
behavioral8    Antimalware Service Executable.js win11-20240221-en
behavioral9    EmbraTor Mac Smash Bullet.exe     win7-20240319-en
behavioral10   EmbraTor Mac Smash Bullet.exe     win10-20240404-en
behavioral11   EmbraTor Mac Smash Bullet.exe     win10v2004-20240226-en
behavioral12   EmbraTor Mac Smash Bullet.exe     win11-20240319-en
behavioral13   Java Install.jar                  win7-20240220-en
behavioral14   Java Install.jar                  win10-20240404-en
behavioral15   Java Install.jar                  win10v2004-20240226-en
behavioral16   Java Install.jar                  win11-20240221-en
behavioral17   MsMpEng.js                        win7-20240221-en
behavioral18   MsMpEng.js                        win10-20240404-en
behavioral19   MsMpEng.js                        win10v2004-20231215-en
behavioral20   MsMpEng.js                        win11-20240221-en
behavioral21   Windows Driver Foundation.vbs     win7-20240221-en
behavioral22   Windows Driver Foundation.vbs     win10-20240404-en
behavioral23   Windows Driver Foundation.vbs     win10v2004-20240226-en
behavioral24   Windows Driver Foundation.vbs     win11-20240221-en
General
Target: Antimalware Service Executable.js
Size: 713KB
MD5: c958a31d5e439d5b0d01900e5a85992a
SHA1: fc40d0ef637fe55fbaf83e8f4891e008ac736df6
SHA256: e3a33757c2e596f7ee50a4a41ff58f2e64dbdb062257fe5749ca19b955b0baaf
SHA512: 2aa0c813b7c17b01e1c18a3a12fb4f3c8ba9c9fee79a3ed66421959fd0440571e0cba5e90569970655342ce2730e823feae23ef6c5da09248f3da68fc0f3cf1c
SSDEEP: 12288:KOmMdaDXBuOdAAxcHaMp7yk0AaDhlLBO0Xzaj1B+UquKbLZaQlx+2CRQlD+EhajH:KOmMdaDXBuOdAAxcHaMp7yk0AaDhlLBc
Malware Config
Signatures
- Blocklisted process makes network request (64 IoCs)
  pid 4576, wscript.exe: flows 8, 14, 26, 40, 44, 51, 52, 53, 54, 55, 56, 57, 58, 59, 64, 65, 67, 68, 69, 71, 72, 73, 74, 75, 76, 77, 78, 79, 80, 81, 82, 83, 84, 85, 86, 87, 88, 89, 90, 91, 92, 93, 94, 95, 96, 97, 98, 99, 100, 101, 102, 103, 104, 105, 106, 107, 108, 109, 110, 111, 112, 113, 114, 115
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation
  Process: wscript.exe
- Drops startup file (2 IoCs)
  description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Antimalware Service Executable.js
  Process: wscript.exe
  description: File opened for modification
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Antimalware Service Executable.js
  Process: wscript.exe
- Adds Run key to start application (2 TTPs, 4 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Antimalware Service Executable = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Antimalware Service Executable.js\""
  Process: wscript.exe
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Antimalware Service Executable = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Antimalware Service Executable.js\""
  Process: wscript.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Antimalware Service Executable = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Antimalware Service Executable.js\""
  Process: wscript.exe
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Antimalware Service Executable = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Antimalware Service Executable.js\""
  Process: wscript.exe
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 7: ip-api.com
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (2 IoCs)
  description: PID 228 wrote to memory of 4576; pid: 228; Process: wscript.exe; procid_target: 87
  description: PID 228 wrote to memory of 4576; pid: 228; Process: wscript.exe; procid_target: 87
Processes
- C:\Windows\system32\wscript.exe (PID 228)
  command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\Antimalware Service Executable.js"
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\wscript.exe (PID 4576)
    command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Antimalware Service Executable.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
Network
MITRE ATT&CK Enterprise v15