7cd89f7f6d7d41ebc7059689827073c0bbad2101c5a639c62a68278629f477d9

Analysis

max time kernel
32s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
21/04/2023, 01:00

Target

ec04a1d07720f0c856844906b040d3876a7801f90640c15fa23aa4e3001ed400.js
Size

3.5MB
MD5

0c39ad338f05da2c25ce56b23531f1f3
SHA1

a51227fa9755cf0bd5c3660d016bdd871e500e7f
SHA256

ec04a1d07720f0c856844906b040d3876a7801f90640c15fa23aa4e3001ed400
SHA512

c7074aeeb63472cb6b2f1be1f61221c683908c7f3f7d6348b345db398ed52558b1ad9b65b3097e43d79561818c8b98ea2a60679bfd7457b149877b53025c0d2f
SSDEEP

24576:ejGw6bEVDPNoa+w7jOvCjAjODdJkEQTDTPmhH3NqEL8qELFiiKNpO28wb0XHpJh6:uNrsHo

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
1276	Payloa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1276	Payloa.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1276	Payloa.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 864 wrote to memory of 1276	864	wscript.exe	28
PID 864 wrote to memory of 1276	864	wscript.exe	28
PID 864 wrote to memory of 1276	864	wscript.exe	28
PID 864 wrote to memory of 1276	864	wscript.exe	28

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\ec04a1d07720f0c856844906b040d3876a7801f90640c15fa23aa4e3001ed400.js
1⤵
- Suspicious use of WriteProcessMemory
PID:864
- C:\Users\Admin\AppData\Roaming\Payloa.exe
  "C:\Users\Admin\AppData\Roaming\Payloa.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1276

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Roaming\Payloa.exe

Filesize
825KB

MD5
b178c0250cc3f84a8101eb263c52d716

SHA1
0bcb484264be368704de6028040a7552ebaf9a46

SHA256
aa2359fab304db99e520d8f343c579886debe677003f04695db008e3f2c90f99

SHA512
0927124a400b321d166a9122521760d2f922aaaff38d42e7d9e975d6ff6ddcc47038c4eea9e19a0a909d5d5cab1bed1a36fa2294c1175ee492250f19868dfda1

Download Submit
C:\Users\Admin\AppData\Roaming\Payloa.exe

Filesize
825KB

MD5
b178c0250cc3f84a8101eb263c52d716

SHA1
0bcb484264be368704de6028040a7552ebaf9a46

SHA256
aa2359fab304db99e520d8f343c579886debe677003f04695db008e3f2c90f99

SHA512
0927124a400b321d166a9122521760d2f922aaaff38d42e7d9e975d6ff6ddcc47038c4eea9e19a0a909d5d5cab1bed1a36fa2294c1175ee492250f19868dfda1

Download Submit
memory/1276-60-0x00000000001D0000-0x00000000002A4000-memory.dmp

Filesize
848KB

Download
memory/1276-61-0x00000000043A0000-0x00000000043E0000-memory.dmp

Filesize
256KB

Download