Analysis
-
max time kernel
37s -
max time network
101s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
14/06/2023, 12:12 UTC
Static task
static1
Behavioral task
behavioral1
Sample
docu_DF631_Jun_14_1.js
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
docu_DF631_Jun_14_1.js
Resource
win10v2004-20230220-en
Behavioral task
behavioral3
Sample
docu_DF631_Jun_14_2.js
Resource
win7-20230220-en
Behavioral task
behavioral4
Sample
docu_DF631_Jun_14_2.js
Resource
win10v2004-20230220-en
Behavioral task
behavioral5
Sample
docu_DF631_Jun_14_3.js
Resource
win7-20230220-en
Behavioral task
behavioral6
Sample
docu_DF631_Jun_14_3.js
Resource
win10v2004-20230221-en
General
-
Target
docu_DF631_Jun_14_3.js
-
Size
22KB
-
MD5
c6c69d731f0d8972ad9c949054fe3a61
-
SHA1
c5d8530883a26074eea3bcaee046930710b70c53
-
SHA256
b0deea498617139a91f4fa0c43645268d0cdb0e5e7c19f31957c4708b7675875
-
SHA512
57f4220019e12d21a95fa4d1fc35cba6cf2f034c4663959c6b6dccbab93c9f5fd75f634aa6ef9e72e5ac1b11d11e28c4789bcfc9b6ccc1c8eacdc5529217ad49
-
SSDEEP
384:IlxwNHnWmEwxhJyyzgZT7yOjOt4kmtd70Sft:IlxwtWpwM9yV2d
Malware Config
Signatures
-
Blocklisted process makes network request 2 IoCs
flow pid Process 4 1692 wscript.exe 6 1692 wscript.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 wscript.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 wscript.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 1692 wrote to memory of 1044 1692 wscript.exe 30 PID 1692 wrote to memory of 1044 1692 wscript.exe 30 PID 1692 wrote to memory of 1044 1692 wscript.exe 30
Processes
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\docu_DF631_Jun_14_3.js1⤵
- Blocklisted process makes network request
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1692 -
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" rundll32.exe prism.tmp,must2⤵PID:1044
-
Network
-
Remote address:8.8.8.8:53Requestwww.computerhope.comIN AResponsewww.computerhope.comIN A172.67.0.39www.computerhope.comIN A104.20.18.53www.computerhope.comIN A104.20.19.53
-
Remote address:172.67.0.39:443RequestGET /jargon/t/tilde.htm HTTP/1.1
Accept: */*
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
Host: www.computerhope.com
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Last-Modified: Tue, 02 May 2023 03:31:10 GMT
Vary: Accept-Encoding,User-Agent
Cache-Control: max-age=604800
CF-Cache-Status: DYNAMIC
Server: cloudflare
CF-RAY: 7d727c196d800bcc-AMS
Content-Encoding: gzip
-
1.2kB 9.2kB 12 16
HTTP Request
GET https://www.computerhope.com/jargon/t/tilde.htmHTTP Response
200