db52ba4813ac23846ecc76bd0702b5ed62b01e5ef4ec0793ee3684f1de3b8cef

Analysis

max time kernel
171s
max time network
175s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19-10-2022 13:07

Target

Specification.js
Size

258KB
MD5

316e2984cf71459a417eaddbf6e7b5d2
SHA1

566186bf8a192f59e8e1203cc9aeb9386e96e1b8
SHA256

db52ba4813ac23846ecc76bd0702b5ed62b01e5ef4ec0793ee3684f1de3b8cef
SHA512

ae4791848556a77794b7d305b535c5eae17de31debe3e49344a0476e1ffb7930e02f76fc0b9370c1f2d1ce8fd9ce49d322c7b31480c083186ccf476cb2928264
SSDEEP

3072:Klg0lyRcJXN48AWrp1eixPCrC/C8UyCCyCC6CCYCCRCqC6xdAe4q8fiMQJw+FRU:ag0lyRcpN418xP5yxJNJw+Y

Score

8^/10

Executes dropped EXE 1 IoCs

Processes:

Specification.exe

pid process

936 Specification.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Specification.exe

description pid process

Token: SeDebugPrivilege 936 Specification.exe

pid	process
936	Specification.exe

description	pid	process
Token: SeDebugPrivilege	936	Specification.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

wscript.exe

description	pid	process	target process
PID 1500 wrote to memory of 936	1500	wscript.exe	Specification.exe
PID 1500 wrote to memory of 936	1500	wscript.exe	Specification.exe
PID 1500 wrote to memory of 936	1500	wscript.exe	Specification.exe
PID 1500 wrote to memory of 936	1500	wscript.exe	Specification.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Specification.js
1⤵
- Suspicious use of WriteProcessMemory
PID:1500

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Roaming\Specification.exe

Filesize
193KB

MD5
21df14ff478164ccca8bbe85cd9c42ce

SHA1
210f8d66672b4ebf77e7fd276360a2187f0bbb2f

SHA256
c28e38cbd899c5d2cadc6faf6c155483bea63519dd282da4a40ba925a76b64b5

SHA512
7978e1316733b057f008dae8b4b9d63a1ec49d92dbe4282381b24d23b0a8d8cd0224ae1f2a6a2233b6624865c599182c06982a195733a706cc6da4e674a5a66c

Download Submit
C:\Users\Admin\AppData\Roaming\Specification.exe

Filesize
193KB

MD5
21df14ff478164ccca8bbe85cd9c42ce

SHA1
210f8d66672b4ebf77e7fd276360a2187f0bbb2f

SHA256
c28e38cbd899c5d2cadc6faf6c155483bea63519dd282da4a40ba925a76b64b5

SHA512
7978e1316733b057f008dae8b4b9d63a1ec49d92dbe4282381b24d23b0a8d8cd0224ae1f2a6a2233b6624865c599182c06982a195733a706cc6da4e674a5a66c

Download Submit
memory/936-55-0x0000000000000000-mapping.dmp

Download
memory/936-58-0x00000000002E0000-0x0000000000316000-memory.dmp

Filesize
216KB

Download
memory/936-59-0x0000000076201000-0x0000000076203000-memory.dmp

Filesize
8KB

Download
memory/1500-54-0x000007FEFB991000-0x000007FEFB993000-memory.dmp

Filesize
8KB

Download