163f5404fb82b83d23e5eb51f030e2589f134fd85762a392ef141f2d8991772a

Resubmissions

06/01/2023, 11:42

21/12/2022, 12:32

max time kernel
117s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
06/01/2023, 11:42

Target

uk reciprocal tax agreement countries 25817.js
Size

62KB
MD5

39cc9421265174f16b3de95ef2060df9
SHA1

99912d4b4a385bf6aa131419bfd3c4b4a2915dd7
SHA256

b76481df9f0c8d5e00c2f6e2340c8d664adf127a9363aa4032c443d30cff60cd
SHA512

3fd4a883506e46f8e4f657c3913e84c92518e3cc18f270704b3deb9cdefe5e6e8f25575e072e961cc73ba8546d0d429df43377662b145e1adb4ddad8782d67d4
SSDEEP

768:vBrI+mKl5AmG25bNz9ZEG6U8RUDO4t+XiYoefmsTQvl:GQNz8GbPS4MOeLs

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1708	PoWERshELL.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1708	PoWERshELL.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 608 wrote to memory of 772	608	taskeng.exe	28
PID 608 wrote to memory of 772	608	taskeng.exe	28
PID 608 wrote to memory of 772	608	taskeng.exe	28
PID 772 wrote to memory of 520	772	wscript.EXE	29
PID 772 wrote to memory of 520	772	wscript.EXE	29
PID 772 wrote to memory of 520	772	wscript.EXE	29
PID 520 wrote to memory of 1708	520	cscript.exe	31
PID 520 wrote to memory of 1708	520	cscript.exe	31
PID 520 wrote to memory of 1708	520	cscript.exe	31

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\uk reciprocal tax agreement countries 25817.js"
1⤵
PID:1544

C:\Windows\system32\taskeng.exe
taskeng.exe {98ACF419-8387-4703-8D5F-0633471A5E51} S-1-5-21-1214520366-621468234-4062160515-1000:VDWSWJJD\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:608
- C:\Windows\system32\wscript.EXE
  C:\Windows\system32\wscript.EXE HIGHAN~1.JS
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:772
- - C:\Windows\System32\cscript.exe
    "C:\Windows\System32\cscript.exe" "HIGHAN~1.JS"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:520
  - - C:\Windows\System32\WindowsPowerShell\v1.0\PoWERshELL.exe
      PoWERshELL
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1708

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Roaming\Adobe\HIGHAN~1.JS

Filesize
45.8MB

MD5
99c1091b0f82a8429a5590fe6a6fd1a4

SHA1
ad1a75dc2970b7ead61142836f4ad137922088d0

SHA256
86208c20411d353c4f5dab4fbe9db192e2dcbe12181917cc98644c3cb196c02d

SHA512
9cd44f99b3fd152733134b21fd67eebba948dbe07bfdff50bb970351207f47d1e586ad71395f251bf78b6e45553ff26d5c0a9cbc993670185452f10149cb13f6

Download Submit
memory/1708-58-0x000007FEFC311000-0x000007FEFC313000-memory.dmp

Filesize
8KB

Download
memory/1708-59-0x000007FEF3FF0000-0x000007FEF4A13000-memory.dmp

Filesize
10.1MB

Download
memory/1708-60-0x000007FEF3490000-0x000007FEF3FED000-memory.dmp

Filesize
11.4MB

Download
memory/1708-61-0x0000000002434000-0x0000000002437000-memory.dmp

Filesize
12KB

Download
memory/1708-62-0x000000000243B000-0x000000000245A000-memory.dmp

Filesize
124KB

Download
memory/1708-63-0x0000000002434000-0x0000000002437000-memory.dmp

Filesize
12KB

Download