Analysis

  • max time kernel
    37s
  • max time network
    101s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
  • submitted
    14/06/2023, 12:12 UTC

General

  • Target

    docu_DF631_Jun_14_3.js

  • Size

    22KB

  • MD5

    c6c69d731f0d8972ad9c949054fe3a61

  • SHA1

    c5d8530883a26074eea3bcaee046930710b70c53

  • SHA256

    b0deea498617139a91f4fa0c43645268d0cdb0e5e7c19f31957c4708b7675875

  • SHA512

    57f4220019e12d21a95fa4d1fc35cba6cf2f034c4663959c6b6dccbab93c9f5fd75f634aa6ef9e72e5ac1b11d11e28c4789bcfc9b6ccc1c8eacdc5529217ad49

  • SSDEEP

    384:IlxwNHnWmEwxhJyyzgZT7yOjOt4kmtd70Sft:IlxwtWpwM9yV2d

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies system certificate store 2 TTPs 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\docu_DF631_Jun_14_3.js
    1⤵
    • Blocklisted process makes network request
    • Modifies system certificate store
    • Suspicious use of WriteProcessMemory
    PID:1692
    • C:\Windows\System32\conhost.exe
      "C:\Windows\System32\conhost.exe" rundll32.exe prism.tmp,must
      2⤵
        PID:1044

    Network

    • flag-us
      DNS
      www.computerhope.com
      wscript.exe
      Remote address:
      8.8.8.8:53
      Request
      www.computerhope.com
      IN A
      Response
      www.computerhope.com
      IN A
      172.67.0.39
      www.computerhope.com
      IN A
      104.20.18.53
      www.computerhope.com
      IN A
      104.20.19.53
    • flag-us
      GET
      https://www.computerhope.com/jargon/t/tilde.htm
      wscript.exe
      Remote address:
      172.67.0.39:443
      Request
      GET /jargon/t/tilde.htm HTTP/1.1
      Accept: */*
      UA-CPU: AMD64
      Accept-Encoding: gzip, deflate
      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
      Host: www.computerhope.com
      Connection: Keep-Alive
      Response
      HTTP/1.1 200 OK
      Date: Wed, 14 Jun 2023 12:12:59 GMT
      Content-Type: text/html; charset=utf-8
      Transfer-Encoding: chunked
      Connection: keep-alive
      Last-Modified: Tue, 02 May 2023 03:31:10 GMT
      Vary: Accept-Encoding,User-Agent
      Cache-Control: max-age=604800
      CF-Cache-Status: DYNAMIC
      Server: cloudflare
      CF-RAY: 7d727c196d800bcc-AMS
      Content-Encoding: gzip
    • 172.67.0.39:443
      https://www.computerhope.com/jargon/t/tilde.htm
      tls, http
      wscript.exe
      1.2kB
      9.2kB
      12
      16

      HTTP Request

      GET https://www.computerhope.com/jargon/t/tilde.htm

      HTTP Response

      200
    • 8.8.8.8:53
      www.computerhope.com
      dns
      wscript.exe
      66 B
      114 B
      1
      1

      DNS Request

      www.computerhope.com

      DNS Response

      172.67.0.39
      104.20.18.53
      104.20.19.53

    MITRE ATT&CK Enterprise v6


    Downloads

    • memory/1692-67-0x00000000023F0000-0x00000000023F1000-memory.dmp

      Filesize

      4KB

    • memory/1692-68-0x00000000023F0000-0x00000000023F1000-memory.dmp

      Filesize

      4KB
