Analysis
- max time kernel: 118s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 26-01-2024 12:16

Static task: static1
Behavioral task: behavioral1
Sample: 22345804828167.js
Resource: win7-20231215-en
General
- Target: 22345804828167.js
- Size: 1.2MB
- MD5: 60e2ff683eaddef5aaddda1bd3ee7ea7
- SHA1: 4e94ed84ea0e838ba2da2173868c5f227cea8392
- SHA256: 4baaf14d0f1adc879c79b0a234b30330a93ea3fd1d8050ac5910ce40236a067a
- SHA512: 5db582af4de3e0243474b8637282aed3e089e55b5124e712d4f0d230dd0879fd2a921acce2bf5b7ed1cf4fdf1173b98b46b1fd42d544ce7e45acd852ba971564
- SSDEEP: 24576:u+qOfAjkFZ9gwzEoCmbvD1+Crry2Q/F/XJjTETzTvBkskkZe:hfZRgBCTTrc
Malware Config

Signatures
- Loads dropped DLL (4 IoCs)
  pid   Process
  1596  rundll32.exe
  1596  rundll32.exe
  1596  rundll32.exe
  1596  rundll32.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (15 IoCs)
  description                        pid   Process      procid_target
  PID 2264 wrote to memory of 1996   2264  wscript.exe  28
  PID 2264 wrote to memory of 1996   2264  wscript.exe  28
  PID 2264 wrote to memory of 1996   2264  wscript.exe  28
  PID 1996 wrote to memory of 1508   1996  cmd.exe      30
  PID 1996 wrote to memory of 1508   1996  cmd.exe      30
  PID 1996 wrote to memory of 1508   1996  cmd.exe      30
  PID 1996 wrote to memory of 2020   1996  cmd.exe      31
  PID 1996 wrote to memory of 2020   1996  cmd.exe      31
  PID 1996 wrote to memory of 2020   1996  cmd.exe      31
  PID 1996 wrote to memory of 2044   1996  cmd.exe      32
  PID 1996 wrote to memory of 2044   1996  cmd.exe      32
  PID 1996 wrote to memory of 2044   1996  cmd.exe      32
  PID 2044 wrote to memory of 1596   2044  cmd.exe      33
  PID 2044 wrote to memory of 1596   2044  cmd.exe      33
  PID 2044 wrote to memory of 1596   2044  cmd.exe      33
Processes
1. C:\Windows\system32\wscript.exe
   Command: wscript.exe C:\Users\Admin\AppData\Local\Temp\22345804828167.js
   - Suspicious use of WriteProcessMemory
   PID: 2264
   2. C:\Windows\System32\cmd.exe
      Command: "C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\22345804828167.js" "C:\Users\Admin\AppData\Local\Temp\\learnedscarce.bat" && "C:\Users\Admin\AppData\Local\Temp\\learnedscarce.bat"
      - Suspicious use of WriteProcessMemory
      PID: 1996
      3. C:\Windows\system32\findstr.exe
         Command: findstr /V sootheflat ""C:\Users\Admin\AppData\Local\Temp\\learnedscarce.bat""
         PID: 1508
      3. C:\Windows\system32\certutil.exe
         Command: certutil -f -decode uncoveredconfused brainyarm.dll
         PID: 2020
      3. C:\Windows\system32\cmd.exe
         Command: cmd /c rundll32 brainyarm.dll,m
         - Suspicious use of WriteProcessMemory
         PID: 2044
         4. C:\Windows\system32\rundll32.exe
            Command: rundll32 brainyarm.dll,m
            - Loads dropped DLL
            PID: 1596
Network
MITRE ATT&CK Enterprise v15
Downloads