740cfea615830a7aea63a90b732e95c09babefc43a2859ec210a47c08e8ea709

Analysis

max time kernel
135s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
14/01/2023, 13:28 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

water corporation enterprise agreement 2018 wa 15722.js
Size

62KB
MD5

fbbd2ab87eb076d202e6bd929535c609
SHA1

b3627d701873263cf9a247e93dcbe5684ce65951
SHA256

d64d9cb448ff7dfea1e641471beae99893637de21f7801b2b45b1495b90b3088
SHA512

d7498b9ea9dd456ac49c074278a13257b74754ac074dbf49538e1177f8b864264a5872e0b948a3ad5578a39a0ee4cde99878e95c3c3e20ada2d6067982f36213
SSDEEP

768:v2ghJ5gba4sC/1a7Wuj2MgJlRhQMtUpoZEFNA/Ycik0aBZyxvDvl:/Aa4sFNK4MtA620y

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1068	poWERsHeLl.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1068	poWERsHeLl.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1548 wrote to memory of 1424	1548	taskeng.exe	29
PID 1548 wrote to memory of 1424	1548	taskeng.exe	29
PID 1548 wrote to memory of 1424	1548	taskeng.exe	29
PID 1424 wrote to memory of 1712	1424	wscript.EXE	30
PID 1424 wrote to memory of 1712	1424	wscript.EXE	30
PID 1424 wrote to memory of 1712	1424	wscript.EXE	30
PID 1712 wrote to memory of 1068	1712	cscript.exe	32
PID 1712 wrote to memory of 1068	1712	cscript.exe	32
PID 1712 wrote to memory of 1068	1712	cscript.exe	32

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\water corporation enterprise agreement 2018 wa 15722.js"
1⤵
PID:1080

C:\Windows\system32\taskeng.exe
taskeng.exe {17A5403D-B073-451B-95C5-FBAE6484911C} S-1-5-21-3845472200-3839195424-595303356-1000:ZERMMMDR\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1548
- C:\Windows\system32\wscript.EXE
  C:\Windows\system32\wscript.EXE BASEOF~1.JS
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1424
- - C:\Windows\System32\cscript.exe
    "C:\Windows\System32\cscript.exe" "BASEOF~1.JS"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1712
  - - C:\Windows\System32\WindowsPowerShell\v1.0\poWERsHeLl.exe
      poWERsHeLl
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1068

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Identities\BASEOF~1.JS

Filesize
45.8MB

MD5
5eb4f7a2d47a49ed804ab45b40ccb458

SHA1
02cccd7eb8d859cd374ec060b1a334b2c9423329

SHA256
868abb9b8267093f82bd30faa3fe9d294eeb3b298fefb5ac7122b4820b384c41

SHA512
6da274a9b3389596fb30657a5def3a25aad057c388f62de0e48fbb8deee9b1fabfe5a2609e5fa89e228bf9cecdbc1388981eeb721fad9081e13f31e5f36741fb

Download Submit
memory/1068-58-0x000007FEFBFE1000-0x000007FEFBFE3000-memory.dmp

Filesize
8KB

Download
memory/1068-59-0x000007FEF4460000-0x000007FEF4E83000-memory.dmp

Filesize
10.1MB

Download
memory/1068-60-0x000007FEF3900000-0x000007FEF445D000-memory.dmp

Filesize
11.4MB

Download
memory/1068-62-0x00000000027E4000-0x00000000027E7000-memory.dmp

Filesize
12KB

Download
memory/1068-61-0x000000001B770000-0x000000001BA6F000-memory.dmp

Filesize
3.0MB

Download
memory/1068-63-0x00000000027EB000-0x000000000280A000-memory.dmp

Filesize
124KB

Download
memory/1068-64-0x00000000027E4000-0x00000000027E7000-memory.dmp

Filesize
12KB

Download