Analysis
-
max time kernel
139s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
11-08-2024 07:47
Static task
static1
Behavioral task
behavioral1
Sample
Ref_87021929821US20240709031221656.js
Resource
win7-20240705-en
General
-
Target
Ref_87021929821US20240709031221656.js
-
Size
7KB
-
MD5
8c3bd48b27d70c24d021ff7c16308a15
-
SHA1
80bdf02a07c5407fae1c67d311480283c41235ad
-
SHA256
356e87a4ef1469bba5cfc99c19161b37f0fdaa766043705a4d51b4bae8b134d3
-
SHA512
384cca755586d4e8f6b6ae8a1ba247862a81270dcdd28b077014b3c23ba1aa1af58ea3f1f786190c8b3d33edb116eb4024d23c610963bbe729f85864fb773ce2
-
SSDEEP
48:BQSNqLykK7Zd1Oy2qLHDMpq1qQIqLcDGIdnFe+qyHtdHErqLup6:yGHkKVM4DRrItGmFeEHt9uA
Malware Config
Signatures
-
Blocklisted process makes network request 1 IoCs
Processes:
wscript.exeflow pid process 3 1928 wscript.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
WScript.exewscript.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation wscript.exe -
Executes dropped EXE 1 IoCs
Processes:
mYIv.exepid process 3856 mYIv.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
mYIv.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NAS Monitor = "C:\\Program Files (x86)\\NAS Monitor\\nasmon.exe" mYIv.exe -
Processes:
mYIv.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA mYIv.exe -
Drops file in Program Files directory 2 IoCs
Processes:
mYIv.exedescription ioc process File created C:\Program Files (x86)\NAS Monitor\nasmon.exe mYIv.exe File opened for modification C:\Program Files (x86)\NAS Monitor\nasmon.exe mYIv.exe -
Command and Scripting Interpreter: JavaScript 1 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
mYIv.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mYIv.exe -
Modifies registry class 1 IoCs
Processes:
wscript.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings wscript.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
mYIv.exepid process 3856 mYIv.exe 3856 mYIv.exe 3856 mYIv.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
mYIv.exepid process 3856 mYIv.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
mYIv.exedescription pid process Token: SeDebugPrivilege 3856 mYIv.exe -
Suspicious use of WriteProcessMemory 5 IoCs
Processes:
wscript.exeWScript.exedescription pid process target process PID 1928 wrote to memory of 2544 1928 wscript.exe WScript.exe PID 1928 wrote to memory of 2544 1928 wscript.exe WScript.exe PID 2544 wrote to memory of 3856 2544 WScript.exe mYIv.exe PID 2544 wrote to memory of 3856 2544 WScript.exe mYIv.exe PID 2544 wrote to memory of 3856 2544 WScript.exe mYIv.exe
Processes
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\Ref_87021929821US20240709031221656.js1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1928 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\TEZDIY.js"2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2544 -
C:\Users\Admin\AppData\Local\Temp\mYIv.exe"C:\Users\Admin\AppData\Local\Temp\mYIv.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3856
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4.5MB
MD5dc0bce4906594a89e2707870b3455a71
SHA1693e646c87bcc184658c53e191196bb9243c3242
SHA2569332806b808c9d72d0366841aa990fe5dbde39f88eccd73962adc6a91da0548d
SHA5128c7aa5673700eb5989f8a60750689b87685e1a6ddc0a2e7f3c9fb288b8376c685a90639fc7745ff4757b18125373c240383e2475c3425628581cee8f40030f83
-
Filesize
202KB
MD5842793f4ae0abae1c4e0d1d00c3b1b36
SHA145cc5efe42d8ff19e8f4eafdcfe9e2cc0c62bb76
SHA256f87b7426970122ba506c6dc25e7877f93af482db93df438bd613cea22b06a3b2
SHA512681dcfe8fa0c401e234064b9ecfbe5eef5f84e3fba9c09c0a1355d0221288e97d94ab8e42c7b96d39318c71cdab18a7d563e636b5d3e5638d7d959fe812eef1d