Analysis
- max time kernel: 122s
- max time network: 126s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 30-01-2024 11:05
- Static task: static1
- Behavioral task: behavioral1
- Sample: 147981734725653.js
- Resource: win7-20231215-en
General
- Target: 147981734725653.js
- Size: 1.1MB
- MD5: f0aa642d6a0e4a0021bb5a006da8f659
- SHA1: 6da83194b6e3acb7fa7537b179b96c0a21654983
- SHA256: 7b513b60bf0c42e4dea6b545591088954a1ed63348d085cbeee97c03ef163a42
- SHA512: bd023360956eec5c06bd322d52d3881072955f6b22b9e99cdaf4f2a3f726d23e8bab0f3ab85d2bfaafbbfa5c696683026dbd50c7a5849e8aee893083662ae41e
- SSDEEP: 12288:3lyp9BJQJzEk/e0clTeD1FUEnYC1b3XC4Ksl8iUVfloiMKQsKJlmgAzE27UKEZtl:olcDR666E/NSnGQbR3xGJZ3
Malware Config
Signatures
- Loads dropped DLL (4 IoCs)
  pid   Process
  2504  rundll32.exe
  2504  rundll32.exe
  2504  rundll32.exe
  2504  rundll32.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (1 IoC)
  description   ioc                                                                                   Process
  Key created   \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_Classes\Local Settings   rundll32.exe
- Suspicious use of WriteProcessMemory (18 IoCs; each entry is recorded three times in the report)
  description                         pid   Process       procid_target
  PID 2168 wrote to memory of 2440    2168  wscript.exe   28
  PID 2440 wrote to memory of 2124    2440  cmd.exe       30
  PID 2440 wrote to memory of 2304    2440  cmd.exe       31
  PID 2440 wrote to memory of 2296    2440  cmd.exe       32
  PID 2440 wrote to memory of 2060    2440  cmd.exe       34
  PID 2060 wrote to memory of 2504    2060  cmd.exe       33
Processes
1. C:\Windows\system32\wscript.exe
   Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\147981734725653.js
   PID: 2168
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\147981734725653.js" "C:\Users\Admin\AppData\Local\Temp\\killwindow.bat" && "C:\Users\Admin\AppData\Local\Temp\\killwindow.bat"
      PID: 2440
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\rundll32.exe
         Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\NUL
         PID: 2124
         - Modifies registry class
      3. C:\Windows\system32\findstr.exe
         Command line: findstr /V stickykick ""C:\Users\Admin\AppData\Local\Temp\\killwindow.bat""
         PID: 2304
      3. C:\Windows\system32\certutil.exe
         Command line: certutil -f -decode economicknife playgroundstructure.dll
         PID: 2296
      3. C:\Windows\system32\cmd.exe
         Command line: cmd /c rundll32 playgroundstructure.dll,m
         PID: 2060
         - Suspicious use of WriteProcessMemory
1. C:\Windows\system32\rundll32.exe
   Command line: rundll32 playgroundstructure.dll,m
   PID: 2504
   - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1.1MB
  MD5: b1eb68af4adfd3c1b2c9bebc96f7476f
  SHA1: c0b9a3b8b98a07884d6a200c9f1f4789584efffe
  SHA256: 8ef40cddfde7f269cee9d4167f78540c74a5176c11a875d3e139b39d784616d2
  SHA512: 5e9860af3ac660b24a41bbffd3b4b1b6fad213cc22efe7eeb103384e1b237e21f610cec63743f5329a9ad0c4b0452e5bb9eb56ca70a10b7b23240de5f2696bba
- Filesize: 1.1MB
  MD5: f0aa642d6a0e4a0021bb5a006da8f659
  SHA1: 6da83194b6e3acb7fa7537b179b96c0a21654983
  SHA256: 7b513b60bf0c42e4dea6b545591088954a1ed63348d085cbeee97c03ef163a42
  SHA512: bd023360956eec5c06bd322d52d3881072955f6b22b9e99cdaf4f2a3f726d23e8bab0f3ab85d2bfaafbbfa5c696683026dbd50c7a5849e8aee893083662ae41e
- Filesize: 805KB
  MD5: 6a1f4bd07b38e35b007978bb130742b5
  SHA1: fa396ca0dcc3738555f07c6ffbcbbd48ab67de92
  SHA256: cce183b5df0c236e4d89fb64d34c35909b7fc04c54b3447340b2c44dd7030593
  SHA512: e9dab28fb33f2cec7dec5332236a55554d5ba6e8eaea92cd7e6b0c47dbce8b08c7b45e4c11abd017f4cddd7930ee7214abefeccecba68362157f24710906b657