1d19eb0b7add204f80dec7102ac0dd016b7891fe73993ace5a354b049f2b5aa4

Analysis

max time kernel
115s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
12/05/2023, 00:17

Target

bcb4586ef48cc7a9526f726f2fdbf778bb6f6af0318d7a9e0eb30ff55747be36.js
Size

175KB
MD5

279e2e86f1ee8221bd561646d55d8bbd
SHA1

0c6ad09cec581196e1c71de4d4311fbd6eefb8ac
SHA256

bcb4586ef48cc7a9526f726f2fdbf778bb6f6af0318d7a9e0eb30ff55747be36
SHA512

a32fc106597ff73b33a648d6713e3cd5baf5f0a30fafc1e83d0dd4b8f0b8db67fe2232a2568007fef275a59210f728b65cfe3d5641eedc022ee01cf47393a87f
SSDEEP

3072:oqg1kjSdLUyyLEk3tnQwF+wSTrTzzp+K6+T1gtoI3CstpH5vatBN2HOdEI1o2nDt:oqg1kjSdLUyyAk3tnQwF+wmrTzzp+K66

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1552	pOWershelL.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1552	pOWershelL.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1188 wrote to memory of 268	1188	taskeng.exe	29
PID 1188 wrote to memory of 268	1188	taskeng.exe	29
PID 1188 wrote to memory of 268	1188	taskeng.exe	29
PID 268 wrote to memory of 1932	268	wscript.EXE	30
PID 268 wrote to memory of 1932	268	wscript.EXE	30
PID 268 wrote to memory of 1932	268	wscript.EXE	30
PID 1932 wrote to memory of 1552	1932	cscript.exe	32
PID 1932 wrote to memory of 1552	1932	cscript.exe	32
PID 1932 wrote to memory of 1552	1932	cscript.exe	32

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\bcb4586ef48cc7a9526f726f2fdbf778bb6f6af0318d7a9e0eb30ff55747be36.js
1⤵
PID:1324

C:\Windows\system32\taskeng.exe
taskeng.exe {35DA8A4E-D32F-43D3-B64A-4248ABDC7688} S-1-5-21-3948302646-268491222-1934009652-1000:KXZDHPUW\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1188
- C:\Windows\system32\wscript.EXE
  C:\Windows\system32\wscript.EXE CELEBR~1.JS
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:268
- - C:\Windows\System32\cscript.exe
    "C:\Windows\System32\cscript.exe" "CELEBR~1.JS"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1932
  - - C:\Windows\System32\WindowsPowerShell\v1.0\pOWershelL.exe
      pOWershelL
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1552

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Roaming\Media Center Programs\CELEBR~1.JS

Filesize
43.3MB

MD5
4eda6802aba3fdfbaf7d0e4b5782599a

SHA1
76971f5c5fabba83bdf553489632ae574325f1ae

SHA256
1e1008512565c63ef306758030e8d6ee903c9a853cfbc11dd13a415c67f0c5e6

SHA512
5c092231bd84d7149a379d27c17bb53c5c533a4aff92dd18494f34c038064ae11ed6202b3585dda4ea837c42b1baee1733dfa4eac92e850f8299337a7796a553

Download Submit
memory/1552-61-0x000000001B260000-0x000000001B542000-memory.dmp

Filesize
2.9MB

Download
memory/1552-62-0x00000000024B0000-0x00000000024B8000-memory.dmp

Filesize
32KB

Download
memory/1552-64-0x00000000028C0000-0x0000000002940000-memory.dmp

Filesize
512KB

Download
memory/1552-63-0x00000000028C0000-0x0000000002940000-memory.dmp

Filesize
512KB

Download
memory/1552-65-0x00000000028C0000-0x0000000002940000-memory.dmp

Filesize
512KB

Download
memory/1552-66-0x00000000028C0000-0x0000000002940000-memory.dmp

Filesize
512KB

Download
memory/1552-67-0x00000000028C0000-0x0000000002940000-memory.dmp

Filesize
512KB

Download
memory/1552-68-0x00000000028C0000-0x0000000002940000-memory.dmp

Filesize
512KB

Download
memory/1552-69-0x00000000028C0000-0x0000000002940000-memory.dmp

Filesize
512KB

Download
memory/1552-70-0x00000000028C0000-0x0000000002940000-memory.dmp

Filesize
512KB

Download