Analysis

  • max time kernel
    139s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20240802-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    11-08-2024 07:47

General

  • Target

    Ref_87021929821US20240709031221656.js

  • Size

    7KB

  • MD5

    8c3bd48b27d70c24d021ff7c16308a15

  • SHA1

    80bdf02a07c5407fae1c67d311480283c41235ad

  • SHA256

    356e87a4ef1469bba5cfc99c19161b37f0fdaa766043705a4d51b4bae8b134d3

  • SHA512

    384cca755586d4e8f6b6ae8a1ba247862a81270dcdd28b077014b3c23ba1aa1af58ea3f1f786190c8b3d33edb116eb4024d23c610963bbe729f85864fb773ce2

  • SSDEEP

    48:BQSNqLykK7Zd1Oy2qLHDMpq1qQIqLcDGIdnFe+qyHtdHErqLup6:yGHkKVM4DRrItGmFeEHt9uA

Malware Config

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

  • Blocklisted process makes network request 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Command and Scripting Interpreter: JavaScript 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\Ref_87021929821US20240709031221656.js
    1⤵
    • Blocklisted process makes network request
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1928
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\TEZDIY.js"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:2544
      • C:\Users\Admin\AppData\Local\Temp\mYIv.exe
        "C:\Users\Admin\AppData\Local\Temp\mYIv.exe"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        PID:3856

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\TEZDIY.js

    Filesize

    4.5MB

    MD5

    dc0bce4906594a89e2707870b3455a71

    SHA1

    693e646c87bcc184658c53e191196bb9243c3242

    SHA256

    9332806b808c9d72d0366841aa990fe5dbde39f88eccd73962adc6a91da0548d

    SHA512

    8c7aa5673700eb5989f8a60750689b87685e1a6ddc0a2e7f3c9fb288b8376c685a90639fc7745ff4757b18125373c240383e2475c3425628581cee8f40030f83

  • C:\Users\Admin\AppData\Local\Temp\mYIv.exe

    Filesize

    202KB

    MD5

    842793f4ae0abae1c4e0d1d00c3b1b36

    SHA1

    45cc5efe42d8ff19e8f4eafdcfe9e2cc0c62bb76

    SHA256

    f87b7426970122ba506c6dc25e7877f93af482db93df438bd613cea22b06a3b2

    SHA512

    681dcfe8fa0c401e234064b9ecfbe5eef5f84e3fba9c09c0a1355d0221288e97d94ab8e42c7b96d39318c71cdab18a7d563e636b5d3e5638d7d959fe812eef1d