Analysis
max time kernel: 315s
max time network: 888s
platform: windows10-1703_x64
resource: win10-20230703-en
resource tags: arch:x64, arch:x86, image:win10-20230703-en, locale:en-us, os:windows10-1703-x64, system
submitted: 13/07/2023, 22:35
Static task: static1
Behavioral task: behavioral1 (sample: Browser_update.js, resource: win7-20230712-en)
Behavioral task: behavioral2 (sample: Browser_update.js, resource: win10-20230703-en)
Behavioral task: behavioral3 (sample: Browser_update.js, resource: win10v2004-20230703-en)
General
Target: Browser_update.js
Size: 1.1MB
MD5: c2d28d7c0d207d192595770e3af05063
SHA1: d48e522b518af2816b73f6a5ca345cd43ad2ea62
SHA256: 1a011068e00ff24aaef338efc5d21f51abbf47cf1f1006b1b79c78bc84b1d3c6
SHA512: 8871c12eb7de197f354be78ddce3db0f9f70e73bcc02e75be7b10759df43944e7adcf37d35224400847e6701d6b735010921f0da4d54d841813460837e42ca86
SSDEEP: 24576:dUbU9UbU9UbU9UbU9UbU9UbU9UbU9UbU9UbU9UbUwUbU9UbU9UbUH:dUbU9UbU9UbU9UbU9UbU9UbU9UbU9Ub7
Malware Config
Signatures
-
Blocklisted process makes network request (5 IoCs)
flow  pid   Process
2     4652  wscript.exe
4     4652  wscript.exe
6     4652  wscript.exe
8     4652  wscript.exe
14    4652  wscript.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
-
Script User-Agent (1 IoCs)
Uses user-agent string associated with script host/environment.
description             flow  ioc
HTTP User-Agent header  2     Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious use of WriteProcessMemory (10 IoCs)
description                     pid   Process      procid_target
PID 4652 wrote to memory of 4808  4652  wscript.exe  69
PID 4652 wrote to memory of 4808  4652  wscript.exe  69
PID 4808 wrote to memory of 4744  4808  cmd.exe      71
PID 4808 wrote to memory of 4744  4808  cmd.exe      71
PID 4808 wrote to memory of 4400  4808  cmd.exe      72
PID 4808 wrote to memory of 4400  4808  cmd.exe      72
PID 4808 wrote to memory of 4884  4808  cmd.exe      73
PID 4808 wrote to memory of 4884  4808  cmd.exe      73
PID 4808 wrote to memory of 2244  4808  cmd.exe      74
PID 4808 wrote to memory of 2244  4808  cmd.exe      74
Processes
[1] C:\Windows\system32\wscript.exe (PID 4652)
    Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\Browser_update.js
    - Blocklisted process makes network request
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\System32\cmd.exe (PID 4808)
        Command line: "C:\Windows\System32\cmd.exe" /c C://ProgramData//UZlBsgwKyDcmKyPUIdMweSXYzWtz.bat
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\cmd.exe (PID 4744)
            Command line: cmd.exe /c C:\ProgramData\sett.bat"
        [3] C:\Windows\system32\cmd.exe (PID 4400)
            Command line: cmd.exe /c C:\ProgramData\7z.bat"
        [3] C:\Windows\system32\cmd.exe (PID 4884)
            Command line: cmd.exe /c C:\ProgramData\2.bat"
        [3] C:\Windows\system32\cmd.exe (PID 2244)
            Command line: cmd.exe /c C:\ProgramData\2.bat"
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 232B
MD5: 6011bc3aa00cc9eefa63bd07c9676678
SHA1: 9c8fb9c006ab9787254bd6ade3194a90c24d66c9
SHA256: 5a8a48a2be136200954f5f81de68363d5dd8c82489dacae5d6b717b598634079
SHA512: 93869d542de437ce4514c745153284163305256f4673139a91ce9253ea329941b1fc273ccb3c0a2710e761ad41698a3f96ea0a5516ab3f436a5ead82572d36ba

Filesize: 239B
MD5: 67404b0103100e3452532b69a46aa33f
SHA1: 4bc62bfaecc1a4c5c95d906e2b64e161933f9965
SHA256: 6f1624a63e0713b8c0f86a461e9ce955f0d7eef8d4d3cdacf0b79e3ae843f19c
SHA512: 4c7f3e63746179413915f308dea04cf668f909a4111caa479b633587137483ff7af548e2aab7180617cc5a6363884151f546a58b0b40a7bdb7edc3024bb26989

Filesize: 9KB
MD5: 4b2794840b114be5011da81ad4c462d8
SHA1: 66cf9461efa6fb1e55af037515121d2a856670ac
SHA256: 60dbaed2358a02ed2102cc2158c05fce9bba87674d68f1114198423bd8460a93
SHA512: 28d60ca188d99af1e6338d97cbcde497f5325c1a7da132b7d8f9c29a630d93570b488db40bc3ded89fa96c04153298b6a15128f641fcb1134cfa8d933d9e8b2c

Filesize: 248B
MD5: 7d1c3743cb7af1f479ef8a94c1dc44da
SHA1: 228abfe62f4f166bb0881e273c2bd6bffb3167d4
SHA256: 434d977609d8c580895a2b3b74f0948e2670bdeef5d06a1325c4940264b95f6c
SHA512: e00f310e0c09b0e78ee98e8c1efdbb2caf6cac0e5fde51536123443f54f271c0232b4521c02de5083eb18cc03d350d37a0cb1ed2da58c6a0830b5462def34276