a739645788a95ede796f883defd315ab0d3a931a9fafb31a265437abdb0e2030

Analysis

max time kernel
38s
max time network
101s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
15/06/2023, 15:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

document_DE108_Jun_15_2.js
Size

5KB
MD5

1a8676bc806b4221e67c22a3072f63a8
SHA1

124f33af11b78b7a235d1fc7e03e509bf3af7db0
SHA256

4649e7c67e3a015c569c3d8c0942ea6a33f28dafdde7fc2588e82ab4ccd7a533
SHA512

b1ae9b6915c3206acfceda8da5f7b147f23540be144d03d7cecfcf8d29791203a029e1fe9aa96ecfc24ae4c19f172ee268d966ac5fe92e4db8db56bf70193bb1
SSDEEP

96:lFixAWJRj78V8bo6y3yq6y3y9p6y3y5Fhn6y3yq6y3y9p6y3yWhR7UnyEX6y3yWw:riaWL4kohyChyyXcZjDx

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
4	920	wscript.exe
6	920	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 920 wrote to memory of 552	920	wscript.exe	29
PID 920 wrote to memory of 552	920	wscript.exe	29
PID 920 wrote to memory of 552	920	wscript.exe	29

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\document_DE108_Jun_15_2.js
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:920
- C:\Windows\System32\conhost.exe
  "C:\Windows\System32\conhost.exe" rundll32.exe c:\users\public\qualitative.tmp,must
  2⤵
  PID:552

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/920-67-0x0000000002330000-0x0000000002331000-memory.dmp

Filesize
4KB

Download