Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
16-10-2024 01:38
Static task
static1
Behavioral task
behavioral1
Sample
48e280510d763ea0508f85658e5a5fdf4fb9a5b5e3de47d9fc271210a2e9f6f3.js
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
48e280510d763ea0508f85658e5a5fdf4fb9a5b5e3de47d9fc271210a2e9f6f3.js
Resource
win10v2004-20241007-en
General
-
Target
48e280510d763ea0508f85658e5a5fdf4fb9a5b5e3de47d9fc271210a2e9f6f3.js
-
Size
853KB
-
MD5
7830034fcf7339f1d60f197b5298fde0
-
SHA1
5b46b120da09408ac5365a41d2d1d592ee16354e
-
SHA256
48e280510d763ea0508f85658e5a5fdf4fb9a5b5e3de47d9fc271210a2e9f6f3
-
SHA512
4ff8ac75039d6fbf0060f73b18d74d37ad4f8b47b490dc869b26f9671c593dcf65eab52e6e0f0ef71f05189648bc0d74aac78b667553e0fce0f2e20e476d8265
-
SSDEEP
6144:KQXRiLVR+ZAFgfFIxviPCxeocRmAmuJp36clx+SzqAXyLCXiXh9VFIoqjKh633zq:Zo
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation wscript.exe -
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\szjdwyfqxt.txt java.exe -
Loads dropped DLL 2 IoCs
pid Process 3684 java.exe 2948 java.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\szjdwyfqxt = "\"C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\szjdwyfqxt.txt\"" java.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\szjdwyfqxt = "\"C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\szjdwyfqxt.txt\"" java.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 35 ip-api.com -
Command and Scripting Interpreter: JavaScript 1 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2136 schtasks.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 2828 WMIC.exe Token: SeSecurityPrivilege 2828 WMIC.exe Token: SeTakeOwnershipPrivilege 2828 WMIC.exe Token: SeLoadDriverPrivilege 2828 WMIC.exe Token: SeSystemProfilePrivilege 2828 WMIC.exe Token: SeSystemtimePrivilege 2828 WMIC.exe Token: SeProfSingleProcessPrivilege 2828 WMIC.exe Token: SeIncBasePriorityPrivilege 2828 WMIC.exe Token: SeCreatePagefilePrivilege 2828 WMIC.exe Token: SeBackupPrivilege 2828 WMIC.exe Token: SeRestorePrivilege 2828 WMIC.exe Token: SeShutdownPrivilege 2828 WMIC.exe Token: SeDebugPrivilege 2828 WMIC.exe Token: SeSystemEnvironmentPrivilege 2828 WMIC.exe Token: SeRemoteShutdownPrivilege 2828 WMIC.exe Token: SeUndockPrivilege 2828 WMIC.exe Token: SeManageVolumePrivilege 2828 WMIC.exe Token: 33 2828 WMIC.exe Token: 34 2828 WMIC.exe Token: 35 2828 WMIC.exe Token: 36 2828 WMIC.exe Token: SeIncreaseQuotaPrivilege 2828 WMIC.exe Token: SeSecurityPrivilege 2828 WMIC.exe Token: SeTakeOwnershipPrivilege 2828 WMIC.exe Token: SeLoadDriverPrivilege 2828 WMIC.exe Token: SeSystemProfilePrivilege 2828 WMIC.exe Token: SeSystemtimePrivilege 2828 WMIC.exe Token: SeProfSingleProcessPrivilege 2828 WMIC.exe Token: SeIncBasePriorityPrivilege 2828 WMIC.exe Token: SeCreatePagefilePrivilege 2828 WMIC.exe Token: SeBackupPrivilege 2828 WMIC.exe Token: SeRestorePrivilege 2828 WMIC.exe Token: SeShutdownPrivilege 2828 WMIC.exe Token: SeDebugPrivilege 2828 WMIC.exe Token: SeSystemEnvironmentPrivilege 2828 WMIC.exe Token: SeRemoteShutdownPrivilege 2828 WMIC.exe Token: SeUndockPrivilege 2828 WMIC.exe Token: SeManageVolumePrivilege 2828 WMIC.exe Token: 33 2828 WMIC.exe Token: 34 2828 WMIC.exe Token: 35 2828 WMIC.exe Token: 36 2828 WMIC.exe Token: SeIncreaseQuotaPrivilege 932 WMIC.exe Token: SeSecurityPrivilege 932 WMIC.exe Token: SeTakeOwnershipPrivilege 932 WMIC.exe Token: SeLoadDriverPrivilege 932 WMIC.exe Token: SeSystemProfilePrivilege 932 WMIC.exe Token: SeSystemtimePrivilege 932 WMIC.exe Token: SeProfSingleProcessPrivilege 932 WMIC.exe Token: SeIncBasePriorityPrivilege 932 WMIC.exe Token: SeCreatePagefilePrivilege 932 WMIC.exe Token: SeBackupPrivilege 932 WMIC.exe Token: SeRestorePrivilege 932 WMIC.exe Token: SeShutdownPrivilege 932 WMIC.exe Token: SeDebugPrivilege 932 WMIC.exe Token: SeSystemEnvironmentPrivilege 932 WMIC.exe Token: SeRemoteShutdownPrivilege 932 WMIC.exe Token: SeUndockPrivilege 932 WMIC.exe Token: SeManageVolumePrivilege 932 WMIC.exe Token: 33 932 WMIC.exe Token: 34 932 WMIC.exe Token: 35 932 WMIC.exe Token: 36 932 WMIC.exe Token: SeIncreaseQuotaPrivilege 932 WMIC.exe -
Suspicious use of WriteProcessMemory 26 IoCs
description pid Process procid_target PID 4900 wrote to memory of 3456 4900 wscript.exe 84 PID 4900 wrote to memory of 3456 4900 wscript.exe 84 PID 3456 wrote to memory of 3684 3456 javaw.exe 92 PID 3456 wrote to memory of 3684 3456 javaw.exe 92 PID 3684 wrote to memory of 2544 3684 java.exe 96 PID 3684 wrote to memory of 2544 3684 java.exe 96 PID 3684 wrote to memory of 2948 3684 java.exe 97 PID 3684 wrote to memory of 2948 3684 java.exe 97 PID 2544 wrote to memory of 2136 2544 cmd.exe 100 PID 2544 wrote to memory of 2136 2544 cmd.exe 100 PID 2948 wrote to memory of 1792 2948 java.exe 104 PID 2948 wrote to memory of 1792 2948 java.exe 104 PID 1792 wrote to memory of 2828 1792 cmd.exe 106 PID 1792 wrote to memory of 2828 1792 cmd.exe 106 PID 2948 wrote to memory of 2840 2948 java.exe 107 PID 2948 wrote to memory of 2840 2948 java.exe 107 PID 2840 wrote to memory of 932 2840 cmd.exe 109 PID 2840 wrote to memory of 932 2840 cmd.exe 109 PID 2948 wrote to memory of 4808 2948 java.exe 110 PID 2948 wrote to memory of 4808 2948 java.exe 110 PID 4808 wrote to memory of 1236 4808 cmd.exe 112 PID 4808 wrote to memory of 1236 4808 cmd.exe 112 PID 2948 wrote to memory of 4080 2948 java.exe 113 PID 2948 wrote to memory of 4080 2948 java.exe 113 PID 4080 wrote to memory of 4376 4080 cmd.exe 115 PID 4080 wrote to memory of 4376 4080 cmd.exe 115 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\48e280510d763ea0508f85658e5a5fdf4fb9a5b5e3de47d9fc271210a2e9f6f3.js1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4900 -
C:\Program Files\Java\jre-1.8\bin\javaw.exe"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\szjdwyfqxt.txt"2⤵
- Suspicious use of WriteProcessMemory
PID:3456 -
C:\Program Files\Java\jre-1.8\bin\java.exe"C:\Program Files\Java\jre-1.8\bin\java.exe" -jar "C:\Users\Admin\szjdwyfqxt.txt"3⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3684 -
C:\Windows\SYSTEM32\cmd.execmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\szjdwyfqxt.txt"4⤵
- Suspicious use of WriteProcessMemory
PID:2544 -
C:\Windows\system32\schtasks.exeschtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\szjdwyfqxt.txt"5⤵
- Scheduled Task/Job: Scheduled Task
PID:2136
-
-
-
C:\Program Files\Java\jre-1.8\bin\java.exe"C:\Program Files\Java\jre-1.8\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\szjdwyfqxt.txt"4⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2948 -
C:\Windows\SYSTEM32\cmd.execmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list"5⤵
- Suspicious use of WriteProcessMemory
PID:1792 -
C:\Windows\System32\Wbem\WMIC.exewmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list6⤵
- Suspicious use of AdjustPrivilegeToken
PID:2828
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list"5⤵
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Windows\System32\Wbem\WMIC.exewmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list6⤵
- Suspicious use of AdjustPrivilegeToken
PID:932
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list"5⤵
- Suspicious use of WriteProcessMemory
PID:4808 -
C:\Windows\System32\Wbem\WMIC.exewmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list6⤵PID:1236
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c "wmic /node:localhost /namespace:'\\root\securitycenter2' path antivirusproduct get displayname /format:list"5⤵
- Suspicious use of WriteProcessMemory
PID:4080 -
C:\Windows\System32\Wbem\WMIC.exewmic /node:localhost /namespace:'\\root\securitycenter2' path antivirusproduct get displayname /format:list6⤵PID:4376
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1JavaScript
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
46B
MD54c6bef6f6c82845b8cec29caddd05ca7
SHA1ff8823d7e201460614a0ef3123a7cfc2ae6ee9be
SHA256941b564a59ed156d752e0cb2560ca621838ad1f40cfb65d0a893a072bfe7429a
SHA51235b8f603e3d898bfdb0fc18b78c66c0292097a66db53a6e02c90fcd5157732fec7bb1083182c2b717881902aad708bd831a04c0a1a1930b56bafb231793b284c
-
Filesize
241KB
MD5e02979ecd43bcc9061eb2b494ab5af50
SHA13122ac0e751660f646c73b10c4f79685aa65c545
SHA256a66959bec2ef5af730198db9f3b3f7cab0d4ae70ce01bec02bf1d738e6d1ee7a
SHA5121e6f7dcb6a557c9b896412a48dd017c16f7a52fa2b9ab513593c9ecd118e86083979821ca7a3e2f098ee349200c823c759cec6599740dd391cb5f354dc29b372
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3350944739-639801879-157714471-1000\83aa4cc77f591dfc2374580bbd95f6ba_dd2803c7-d377-4f06-bdfe-aea230fc7b0e
Filesize45B
MD5c8366ae350e7019aefc9d1e6e6a498c6
SHA15731d8a3e6568a5f2dfbbc87e3db9637df280b61
SHA25611e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238
SHA51233c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd
-
Filesize
92KB
MD52cc7e15396dc275497fcf51f461da38d
SHA16fa0f11b6d9e3812a86ff1d43a86ad34bfc41062
SHA256e14f1c7e11a1f1ddd570d605e4204a694a7370d603c1b1ca157e505f180ccc48
SHA512daf71473c48f9592d33a49ff2f6d7b84e2c3a992f18a29979494cae86623328f0137c6ae9046cf3bbeb75d90d2a030d1fdbf3aca8718ea769429ce1e6e4a931f
-
Filesize
1.4MB
MD5acfb5b5fd9ee10bf69497792fd469f85
SHA10e0845217c4907822403912ad6828d8e0b256208
SHA256b308faebfe4ed409de8410e0a632d164b2126b035f6eacff968d3908cafb4d9e
SHA512e52575f58a195ceb3bd16b9740eadf5bc5b1d4d63c0734e8e5fd1d1776aa2d068d2e4c7173b83803f95f72c0a6759ae1c9b65773c734250d4cfcdf47a19f82aa
-
Filesize
2.6MB
MD52f4a99c2758e72ee2b59a73586a2322f
SHA1af38e7c4d0fc73c23ecd785443705bfdee5b90bf
SHA25624d81621f82ac29fcdd9a74116031f5907a2343158e616f4573bbfa2434ae0d5
SHA512b860459a0d3bf7ccb600a03aa1d2ac0358619ee89b2b96ed723541e182b6fdab53aefef7992acb4e03fca67aa47cbe3907b1e6060a60b57ed96c4e00c35c7494
-
Filesize
4.1MB
MD5b33387e15ab150a7bf560abdc73c3bec
SHA166b8075784131f578ef893fd7674273f709b9a4c
SHA2562eae3dea1c3dde6104c49f9601074b6038ff6abcf3be23f4b56f6720a4f6a491
SHA51225cfb0d6ce35d0bcb18527d3aa12c63ecb2d9c1b8b78805d1306e516c13480b79bb0d74730aa93bd1752f9ac2da9fdd51781c48844cea2fd52a06c62852c8279
-
Filesize
772KB
MD5e1aa38a1e78a76a6de73efae136cdb3a
SHA1c463da71871f780b2e2e5dba115d43953b537daf
SHA2562ddda8af6faef8bde46acf43ec546603180bcf8dcb2e5591fff8ac9cd30b5609
SHA512fee16fe9364926ec337e52f551fd62ed81984808a847de2fd68ff29b6c5da0dcc04ef6d8977f0fe675662a7d2ea1065cdcdd2a5259446226a7c7c5516bd7d60d