Overview

overview

3

Static

static

1

guarantor ...024.js

windows7-x64

3

guarantor ...024.js

windows10-2004-x64

1

Analysis

  • max time kernel
    119s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20231020-en
  • resource tags

    arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
  • submitted
    31/10/2023, 01:20

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    guarantor for rental agreement ontario 62024.js

  • Size

    133KB

  • MD5

    e21a7f9dbeee716106bf85fb37bdbd10

  • SHA1

    a30ee88381bfc7d93ecf24b86359aab928338c04

  • SHA256

    0bc9687045dcf86189e9821894ff8b9c15f3a48825ae35457ec95469d4d692bb

  • SHA512

    1aa92dfcfc47fa581bbd0a1a7ef574eb8aa722e54edb3c212f28e9d20a271bf5079fa7e83f75073c5f14ab94530d419bf0421443b7f38b02d3e478fb40a464f8

  • SSDEEP

    3072:2Ll4jQx6C5Ruqbob/4nh+SEAPVnYB5bbch4TiqJ/16zoKSC/Cf4Z61s:2L1e49n8Yh4TfJ/1oxb61s

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe "C:\Users\Admin\AppData\Local\Temp\guarantor for rental agreement ontario 62024.js"
    1⤵
      PID:2416
    • C:\Windows\system32\taskeng.exe
      taskeng.exe {9B3C7A4D-3EB6-42F6-849B-89F838CAF1EA} S-1-5-21-2084844033-2744876406-2053742436-1000:GGPVHMXR\Admin:Interactive:[1]
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:2804
      • C:\Windows\system32\wscript.EXE
        C:\Windows\system32\wscript.EXE PROGRA~1.JS
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2724
        • C:\Windows\System32\cscript.exe
          "C:\Windows\System32\cscript.exe" "PROGRA~1.JS"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1924
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell.exe
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2692

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Roaming\Mozilla\PROGRA~1.JS
            Filesize

            42.3MB

            MD5

            b751471baa72c20208affcd2ac8e8e4f

            SHA1

            f7fa85ac5a2bf85883371bf887b844b8eb7f1ee7

            SHA256

            b0f5ba4c335738302b72bd1a3fea441caaf44fcd05604746533bb788d481b2bb

            SHA512

            cde87ebe12508a9c61c1acabf62f0636abeb01c0401bbe7ee17a49a904eb6b71f2014a638f33f11619b34591d4921118b2d3b9c255a27354c76ebea040a17215

            Download Submit

          • memory/2692-7-0x000000001B2C0000-0x000000001B5A2000-memory.dmp

            Filesize

            2.9MB

            Download

          • memory/2692-8-0x0000000002410000-0x0000000002418000-memory.dmp

            Filesize

            32KB

            Download

          • memory/2692-9-0x000007FEF4B80000-0x000007FEF551D000-memory.dmp

            Filesize

            9.6MB

            Download

          • memory/2692-11-0x0000000002440000-0x00000000024C0000-memory.dmp

            Filesize

            512KB

            Download

          • memory/2692-10-0x0000000002440000-0x00000000024C0000-memory.dmp

            Filesize

            512KB

            Download

          • memory/2692-12-0x0000000002440000-0x00000000024C0000-memory.dmp

            Filesize

            512KB

            Download

          • memory/2692-13-0x000007FEF4B80000-0x000007FEF551D000-memory.dmp

            Filesize

            9.6MB

            Download

          • memory/2692-14-0x0000000002440000-0x00000000024C0000-memory.dmp

            Filesize

            512KB

            Download

          • memory/2692-15-0x000007FEF4B80000-0x000007FEF551D000-memory.dmp

            Filesize

            9.6MB

            Download

          • memory/2692-16-0x0000000002440000-0x00000000024C0000-memory.dmp

            Filesize

            512KB

            Download

          • memory/2692-17-0x0000000002440000-0x00000000024C0000-memory.dmp

            Filesize

            512KB

            Download

          • memory/2692-18-0x0000000002440000-0x00000000024C0000-memory.dmp

            Filesize

            512KB

            Download

          • memory/2692-19-0x0000000002440000-0x00000000024C0000-memory.dmp

            Filesize

            512KB

            Download