740cfea615830a7aea63a90b732e95c09babefc43a2859ec210a47c08e8ea709

Analysis

max time kernel
127s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
14/01/2023, 13:21

Target

water corporation enterprise agreement 2018 wa 15722.js
Size

62KB
MD5

fbbd2ab87eb076d202e6bd929535c609
SHA1

b3627d701873263cf9a247e93dcbe5684ce65951
SHA256

d64d9cb448ff7dfea1e641471beae99893637de21f7801b2b45b1495b90b3088
SHA512

d7498b9ea9dd456ac49c074278a13257b74754ac074dbf49538e1177f8b864264a5872e0b948a3ad5578a39a0ee4cde99878e95c3c3e20ada2d6067982f36213
SSDEEP

768:v2ghJ5gba4sC/1a7Wuj2MgJlRhQMtUpoZEFNA/Ycik0aBZyxvDvl:/Aa4sFNK4MtA620y

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1640	poWERsHeLl.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1640	poWERsHeLl.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1016 wrote to memory of 1496	1016	taskeng.exe	29
PID 1016 wrote to memory of 1496	1016	taskeng.exe	29
PID 1016 wrote to memory of 1496	1016	taskeng.exe	29
PID 1496 wrote to memory of 760	1496	wscript.EXE	30
PID 1496 wrote to memory of 760	1496	wscript.EXE	30
PID 1496 wrote to memory of 760	1496	wscript.EXE	30
PID 760 wrote to memory of 1640	760	cscript.exe	32
PID 760 wrote to memory of 1640	760	cscript.exe	32
PID 760 wrote to memory of 1640	760	cscript.exe	32

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\water corporation enterprise agreement 2018 wa 15722.js"
1⤵
PID:1476

C:\Windows\system32\taskeng.exe
taskeng.exe {B8F99BC9-C18A-4716-88CA-55F867E9B3BC} S-1-5-21-3385717845-2518323428-350143044-1000:SABDUHNY\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1016
- C:\Windows\system32\wscript.EXE
  C:\Windows\system32\wscript.EXE BASEOF~1.JS
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1496
- - C:\Windows\System32\cscript.exe
    "C:\Windows\System32\cscript.exe" "BASEOF~1.JS"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:760
  - - C:\Windows\System32\WindowsPowerShell\v1.0\poWERsHeLl.exe
      poWERsHeLl
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1640

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Roaming\Identities\BASEOF~1.JS

Filesize
45.8MB

MD5
6737be198e60d008b9d6beb222088fc9

SHA1
fd93f3742e50dfb5a3d600a61b6e87c0028cd8d9

SHA256
ee085dde479b7a2b6148b2895551562bc182414da6d6b94bcbc81fe15e43a6f9

SHA512
37eecf82c3d24849e4b34996e620bd293237a97db616061f4296238596597d0db7076757b091acf4b3e2065ee8d8deb0014e93f5c72719d28fbf1f52ca2ee0eb

Download Submit
memory/1640-58-0x000007FEFC101000-0x000007FEFC103000-memory.dmp

Filesize
8KB

Download
memory/1640-59-0x000007FEF3A30000-0x000007FEF4453000-memory.dmp

Filesize
10.1MB

Download
memory/1640-60-0x000007FEF2ED0000-0x000007FEF3A2D000-memory.dmp

Filesize
11.4MB

Download
memory/1640-61-0x0000000002834000-0x0000000002837000-memory.dmp

Filesize
12KB

Download
memory/1640-62-0x000000001B810000-0x000000001BB0F000-memory.dmp

Filesize
3.0MB

Download
memory/1640-63-0x000000000283B000-0x000000000285A000-memory.dmp

Filesize
124KB

Download
memory/1640-64-0x0000000002834000-0x0000000002837000-memory.dmp

Filesize
12KB

Download