a1082d01ede1f5fa700be2420ec96047a699d0579c15ddb2f54233a24ac3a7e9

Analysis

max time kernel
120s
max time network
124s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
01-01-2024 14:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b75b3ff65632b65d1d641075bd2f5ed0ede93da3a35d7f50068b9371ee5c4552.exe
Size

414KB
MD5

c2ed5b0eea4e4bf833e1a5549bde2024
SHA1

5b24af2e9802b503c7f41c17b561b0b6b38914d7
SHA256

b75b3ff65632b65d1d641075bd2f5ed0ede93da3a35d7f50068b9371ee5c4552
SHA512

0519a11af45ef901e0624e5b3f3ccdf5d3c8af7ca636304d8a1e8be6af607bf3df839b95381460342ca9fa25e8ac8c511be468b22c62e23c31322ad778bbf769
SSDEEP

6144:5ji4E09S/t71Pnk0vlg6D59mkwxpCkiesHjAqk55e5BT:Ji4E09qLnrbt9mCeujAJ55e5BT

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	2224	wscript.exe

Deletes itself 1 IoCs

pid	Process
1420	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2148 wrote to memory of 2224	2148	b75b3ff65632b65d1d641075bd2f5ed0ede93da3a35d7f50068b9371ee5c4552.exe	16
PID 2148 wrote to memory of 2224	2148	b75b3ff65632b65d1d641075bd2f5ed0ede93da3a35d7f50068b9371ee5c4552.exe	16
PID 2148 wrote to memory of 2224	2148	b75b3ff65632b65d1d641075bd2f5ed0ede93da3a35d7f50068b9371ee5c4552.exe	16
PID 2148 wrote to memory of 2224	2148	b75b3ff65632b65d1d641075bd2f5ed0ede93da3a35d7f50068b9371ee5c4552.exe	16
PID 2224 wrote to memory of 1420	2224	wscript.exe	18
PID 2224 wrote to memory of 1420	2224	wscript.exe	18
PID 2224 wrote to memory of 1420	2224	wscript.exe	18
PID 2224 wrote to memory of 1420	2224	wscript.exe	18

C:\Windows\SysWOW64\wscript.exe
"C:\Windows\System32\wscript.exe" 002.jse
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /U /Q /C cd /D %TEMP% && del /Q/F *.exe *.jse && cd /D C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup && del /Q/F *.exe *.jse
  2⤵
  - Deletes itself
  PID:1420

C:\Users\Admin\AppData\Local\Temp\b75b3ff65632b65d1d641075bd2f5ed0ede93da3a35d7f50068b9371ee5c4552.exe
"C:\Users\Admin\AppData\Local\Temp\b75b3ff65632b65d1d641075bd2f5ed0ede93da3a35d7f50068b9371ee5c4552.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\002.jse

Filesize
62KB

MD5
b9d81c51c10abd64107edc5e73a26aea

SHA1
714a422876768ed423df93af419de0f37c4ea46c

SHA256
1817853fdaf2d35988ca22a6db2c939e0f56664576593d325cfd67d24e8fb75c

SHA512
3da7edd827c7dcb7d90b758dbec23fce5674d36081ec99831178a7e4b602062d0e581dd0aaabe3c5d8c127d1b4458024c60fc6be56ce4a3da9fa085a6e0eccac

Download Submit
memory/2148-1-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2148-2-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download