Analysis
max time kernel: 118s
max time network: 119s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system
submitted: 26-01-2024 12:27
Static task: static1
Behavioral task: behavioral1
Sample: 28325142147799.js
Resource: win7-20231215-en
General
Target: 28325142147799.js
Size: 959KB
MD5: e142b6e92af05edd784ecea426ea62ae
SHA1: 4b4a1e8489acef2c4a27dfe4f9de1b2e4a14f86e
SHA256: 4b2fb816282af672a02dd4f13fff81f00f6f3825c7c9329dca4bf934412b8322
SHA512: a69d6958f60427fcf8e66c41a6b64e9033eb6504aaf05d5be62a849efcf113996dfd14a24d256fab43e53e4694c3a5f19bd3a298052c793f346fe4d04f34cee3
SSDEEP: 12288:H2DjmKxUlG7TcTEeHeauBdjGjNzWpEq0mqRVb86XFXZZSLY72i9TMY6Sms9aFG4M:WZU67qe/p9dtkoH2
Malware Config
Signatures
Loads dropped DLL (4 IoCs)
Processes: rundll32.exe
  pid   process
  1004  rundll32.exe
  1004  rundll32.exe
  1004  rundll32.exe
  1004  rundll32.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (15 IoCs)
Processes: wscript.exe, cmd.exe, cmd.exe
  description                        pid   process      target process
  PID 2336 wrote to memory of 2292   2336  wscript.exe  cmd.exe
  PID 2336 wrote to memory of 2292   2336  wscript.exe  cmd.exe
  PID 2336 wrote to memory of 2292   2336  wscript.exe  cmd.exe
  PID 2292 wrote to memory of 1244   2292  cmd.exe      findstr.exe
  PID 2292 wrote to memory of 1244   2292  cmd.exe      findstr.exe
  PID 2292 wrote to memory of 1244   2292  cmd.exe      findstr.exe
  PID 2292 wrote to memory of 1220   2292  cmd.exe      certutil.exe
  PID 2292 wrote to memory of 1220   2292  cmd.exe      certutil.exe
  PID 2292 wrote to memory of 1220   2292  cmd.exe      certutil.exe
  PID 2292 wrote to memory of 2040   2292  cmd.exe      cmd.exe
  PID 2292 wrote to memory of 2040   2292  cmd.exe      cmd.exe
  PID 2292 wrote to memory of 2040   2292  cmd.exe      cmd.exe
  PID 2040 wrote to memory of 1004   2040  cmd.exe      rundll32.exe
  PID 2040 wrote to memory of 1004   2040  cmd.exe      rundll32.exe
  PID 2040 wrote to memory of 1004   2040  cmd.exe      rundll32.exe
Processes

(level 1) C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\28325142147799.js
    - Suspicious use of WriteProcessMemory
    PID: 2336

(level 2) C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\28325142147799.js" "C:\Users\Admin\AppData\Local\Temp\\suspectfeeble.bat" && "C:\Users\Admin\AppData\Local\Temp\\suspectfeeble.bat"
    - Suspicious use of WriteProcessMemory
    PID: 2292

(level 3) C:\Windows\system32\findstr.exe
    findstr /V ricehat ""C:\Users\Admin\AppData\Local\Temp\\suspectfeeble.bat""
    PID: 1244

(level 3) C:\Windows\system32\certutil.exe
    certutil -f -decode tinsoak heapswim.dll
    PID: 1220

(level 3) C:\Windows\system32\cmd.exe
    cmd /c rundll32 heapswim.dll,m
    - Suspicious use of WriteProcessMemory
    PID: 2040

(level 1) C:\Windows\system32\rundll32.exe
    rundll32 heapswim.dll,m
    - Loads dropped DLL
    PID: 1004
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 76KB
MD5: dd76999007aa8afa4f8e690bdb5111ac
SHA1: 49c22b414e983d073c684830b3a3bbbdf1f9f14a
SHA256: 6f60d359d59b31d01bbf061837683fa0463c89bc7479950f2d1ce04bf8b77599
SHA512: 4f5f559178781d8d95bf10e67c485f3232b5612d732d0d4d4e01368b9662abe0cf72e96895ffbd77215c17a0264a979843e52d10f158b110b75cf819a7a17de7

Filesize: 959KB
MD5: e142b6e92af05edd784ecea426ea62ae
SHA1: 4b4a1e8489acef2c4a27dfe4f9de1b2e4a14f86e
SHA256: 4b2fb816282af672a02dd4f13fff81f00f6f3825c7c9329dca4bf934412b8322
SHA512: a69d6958f60427fcf8e66c41a6b64e9033eb6504aaf05d5be62a849efcf113996dfd14a24d256fab43e53e4694c3a5f19bd3a298052c793f346fe4d04f34cee3

Filesize: 423KB
MD5: 696299aca72ee3192632033a0ddc3a8c
SHA1: f584645bef95dbbcb0bcb5373fa2994333065fb0
SHA256: 600865ff3dff1938f2ac6d007e75b7e63b3f786eb0f5d17ec824c00ee44e70fa
SHA512: 33a2144fb0dcd2b6d33065cb63650e7d6a67ff7473549d79cc26d1fa3e6a35262e4a2dd7f08ad1b2e7fe619768af1aef46625c2f2810e8c82cec09eca6ea5e2a

Filesize: 49KB
MD5: 9416e6675854a25cd39e3fc0b1276651
SHA1: b8b9abcfeb6da90f0232feb1a3852741639a937e
SHA256: fd683f8c3e8ca5b3f78a9175f7deb61b6c4ebcd3d3ac0cb199f8b53f3dfe8d87
SHA512: b1f1ebd36df70db8b57f4906e604a5947c1bc8f554c9d5b789d78414f6dfbcc0b9847a0ec95fce4ada188ca18b0202a2340b47e4dc626d20ee934c91a13f7eea

Filesize: 23KB
MD5: 5ddd27670ad2f96f60f647fb11a40144
SHA1: 3ac045fc6232695d50be3f53851fd7e99e5acc7c
SHA256: 224bd873f90ae81f72370091401fc6b5e696073858337b2ebaf545f71aea5e0a
SHA512: 3de20a736326e6ebddda839d28deaff53ec7ebf1dd0e91349fd6880e4a946ab2ac4ce1f6ea39cd08b5f35c8361a91851afa1be344bb92e73048778286246a9ca

Filesize: 58KB
MD5: 289cebd06358f2da993852c7d113dfd3
SHA1: d3e7cf03a69846104c6d2cddd50620cb56d7c001
SHA256: 4d249b0e6c8ef4e3fd4e9de3458d9e4d50566aa660797418aa5e2b06dd9f2ba2
SHA512: 85e40b742937c5d6f8a3e8ebdb080a5a31bc4f4235b3a7ed4d9b2053e89be79988a3bd5eefbb6bcc3e2f345a5b284e1830832a48e1e7d7d3c6aad9e0b1db8fdc

Filesize: 49KB
MD5: 062b9f193bad0d4ec3629e8267cc4fcf
SHA1: a90705eb7d8777b8790a5075ec7dea38137558e2
SHA256: 92c95056a5785ba6b3d328e1b361053d2e57e7d8842a7b2f37ba0a71e58af12c
SHA512: 67b651a04c8ed3139c8fe3d50c6ea7160dcf530d38d7d973fec33350166989133a1b6c854b953c4c052049610307acedb5fefac17dbc9c5f02cfc79bedb51d31