Analysis
- max time kernel: 117s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 31-01-2024 03:05
- Static task: static1
- Behavioral task: behavioral1
  Sample: 287212633216314.js
  Resource: win7-20231215-en
General
- Target: 287212633216314.js
- Size: 354KB
- MD5: cd856039e0eadf0f5dfdcd036cb3edc9
- SHA1: b0692de01ae5e2b4a0df6e41a5ba8e129fbd08bd
- SHA256: 805906250cc6d183deca8995103f8fc0848c5e25b4d67d72461af0e67ebb9c16
- SHA512: a3c45d99c8b1ca02b475b6c2412e6db7e9eabc439228be8a822049708588971f349e504eeb15cac3b637832ee8ec7c6ae36cd84cfa185c82fcbf1b08a8256fcc
- SSDEEP: 6144:Gdk9VWlGxMJNlP6QDJxv6HXYUKEZ1O59CNXAfAQmKybf7tmgD:WuWIMJX6QH6HX1KEZ1xK65mgD
Malware Config
Signatures
-
- Loads dropped DLL (4 IoCs)
  pid   process
  692   rundll32.exe   (reported 4 times)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (15 IoCs)
  pid    process       target pid   procid_target
  3048   wscript.exe   2236         28   (reported 3 times)
  2236   cmd.exe       904          30   (reported 3 times)
  2236   cmd.exe       2300         31   (reported 3 times)
  2236   cmd.exe       2220         32   (reported 3 times)
  2220   cmd.exe       692          33   (reported 3 times)
  Every writer here is the direct parent of its target in the process tree below, so these writes line up with process creation rather than injection into an unrelated process.
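The signature above only records which process wrote into which; the useful detection is the chain those parent/child pairs form. The following is an added example of that chain logic written by the editor, not the sandbox's own signature code. The events are constructed to mirror the PIDs and command lines captured in this report; the record fields (pid, ppid, image, cmdline) and the parent PID 1000 given to wscript.exe are assumptions, not data from the report.

```python
"""Flag the script-host -> certutil -decode -> rundll32 chain in process-creation events.

Added example for this report, not the sandbox's own signature logic. The
events below are constructed to mirror the PIDs and command lines captured
above; the record fields and the parent PID 1000 for wscript.exe are assumed.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path or bare token."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip('"').lower()


def ancestors(ev: ProcEvent, by_pid: dict) -> Iterable[ProcEvent]:
    """Walk ppid links upward; stop on an unknown parent or a PID-reuse loop."""
    seen = set()
    cur = by_pid.get(ev.ppid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        yield cur
        cur = by_pid.get(cur.ppid)


def detect_certutil_rundll32_chain(events: List[ProcEvent]) -> List[Tuple[int, int, str]]:
    """Return (certutil_pid, rundll32_pid, dll_name) for every rundll32 that loads a
    file certutil -decode wrote, when a script host is an ancestor of that rundll32."""
    by_pid = {e.pid: e for e in events}
    decoded_outputs = {}
    for e in events:
        if _basename(e.image) == "certutil.exe" and re.search(r"(?i)\s-decode\b", e.cmdline):
            # certutil ... -decode <infile> <outfile>: the output file is the last argument.
            # A real parser would handle quoted names with spaces; split() is enough here.
            decoded_outputs[_basename(e.cmdline.split()[-1])] = e

    hits = []
    for e in events:
        if _basename(e.image) != "rundll32.exe":
            continue
        # First argument after rundll32 is the DLL, optionally followed by ",export".
        m = re.search(r'(?i)rundll32(?:\.exe)?\s+"?([^\s",]+)', e.cmdline)
        if not m:
            continue
        dll = _basename(m.group(1))
        certutil_ev = decoded_outputs.get(dll)
        if certutil_ev is None:
            continue
        if any(_basename(a.image) in SCRIPT_HOSTS for a in ancestors(e, by_pid)):
            hits.append((certutil_ev.pid, e.pid, dll))
    return hits


# Constructed events mirroring this report's process tree (ppid 1000 for wscript is assumed).
SAMPLE_EVENTS = [
    ProcEvent(3048, 1000, r"C:\Windows\system32\wscript.exe",
              r"wscript.exe C:\Users\Admin\AppData\Local\Temp\287212633216314.js"),
    ProcEvent(2236, 3048, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\287212633216314.js" '
              r'"C:\Users\Admin\AppData\Local\Temp\\obtainfaint.bat" && "C:\Users\Admin\AppData\Local\Temp\\obtainfaint.bat"'),
    ProcEvent(904, 2236, r"C:\Windows\system32\findstr.exe",
              r'findstr /V outrageousdepressed ""C:\Users\Admin\AppData\Local\Temp\\obtainfaint.bat""'),
    ProcEvent(2300, 2236, r"C:\Windows\system32\certutil.exe", "certutil -f -decode zephyrhome tickettoys.dll"),
    ProcEvent(2220, 2236, r"C:\Windows\system32\cmd.exe", "cmd /c rundll32 tickettoys.dll,m"),
    ProcEvent(692, 2220, r"C:\Windows\system32\rundll32.exe", "rundll32 tickettoys.dll,m"),
    # Benign control: certutil -decode with no rundll32 consumer and no script-host ancestor.
    ProcEvent(4100, 1000, r"C:\Windows\system32\certutil.exe", "certutil -decode cert.b64 cert.cer"),
]


if __name__ == "__main__":
    print(detect_certutil_rundll32_chain(SAMPLE_EVENTS))
```

The rule keys on the file name certutil wrote rather than on certutil alone, because administrators do run `certutil -decode` legitimately (the control event above stays silent); requiring a rundll32 consumer of the same file and a wscript/cscript ancestor is what makes the hit specific to this kind of dropper.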
Processes
- C:\Windows\system32\wscript.exe
  wscript.exe C:\Users\Admin\AppData\Local\Temp\287212633216314.js
  PID: 3048 (Suspicious use of WriteProcessMemory)
  - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\287212633216314.js" "C:\Users\Admin\AppData\Local\Temp\\obtainfaint.bat" && "C:\Users\Admin\AppData\Local\Temp\\obtainfaint.bat"
    PID: 2236 (Suspicious use of WriteProcessMemory)
    - C:\Windows\system32\findstr.exe
      findstr /V outrageousdepressed ""C:\Users\Admin\AppData\Local\Temp\\obtainfaint.bat""
      PID: 904
    - C:\Windows\system32\certutil.exe
      certutil -f -decode zephyrhome tickettoys.dll
      PID: 2300
    - C:\Windows\system32\cmd.exe
      cmd /c rundll32 tickettoys.dll,m
      PID: 2220 (Suspicious use of WriteProcessMemory)
      - C:\Windows\system32\rundll32.exe
        rundll32 tickettoys.dll,m
        PID: 692 (Loads dropped DLL)

Execution chain: wscript.exe runs the .js, which copies itself to obtainfaint.bat and executes that copy under cmd /k. The batch stage runs findstr /V outrageousdepressed over the copy, dropping every line that contains the marker so that only the base64 payload lines remain; the captured command line does not show where that output goes, but the next step, certutil -f -decode zephyrhome tickettoys.dll, implies it was redirected into zephyrhome. certutil base64-decodes zephyrhome into tickettoys.dll (-f overwrites an existing file), and a child cmd.exe launches rundll32 tickettoys.dll,m, which calls the export named m in the dropped DLL. The doubled backslash in Temp\\obtainfaint.bat is part of the captured command line as written by the script; Windows path normalization collapses it to a single separator.
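Because the unpacking is done entirely with built-in text tools, the dropped DLL can be carved from the script statically, without running it. The following is an added example written by the editor, not code from the sample or the sandbox. The polyglot text is constructed (and is not a working JS/BAT polyglot); only the tool chain (findstr /V <marker>, certutil -f -decode <in> <out>) and the marker string come from the captured command lines. The report does not show findstr's output being redirected into zephyrhome; that step is assumed from the certutil command that follows.

```python
"""Carve the DLL from the JS/BAT polyglot offline by replaying its own unpacking steps.

Added example, not code from the sample or the sandbox. The polyglot text is
constructed; only the tool chain (findstr /V <marker>, certutil -f -decode
<in> <out>) and the marker string come from the captured command lines. The
redirect of findstr's output into zephyrhome is assumed, not captured.
"""
import base64
import hashlib

MARKER = "outrageousdepressed"   # from the captured findstr command line


def findstr_v(text: str, marker: str) -> str:
    """Emulate `findstr /V <marker>`: print only the lines that do NOT contain marker
    (findstr matches case-sensitively unless /I is given)."""
    return "".join(ln for ln in text.splitlines(keepends=True) if marker not in ln)


def certutil_decode(text: str) -> bytes:
    """Emulate `certutil -decode`: skip blank and -----BEGIN/END----- lines and
    base64-decode the rest. validate=True makes stray script text in the input
    fail loudly instead of being silently skipped."""
    body = [ln.strip() for ln in text.splitlines()]
    body = [ln for ln in body if ln and not ln.startswith("-----")]
    return base64.b64decode("".join(body), validate=True)


def carve(polyglot: str, marker: str = MARKER) -> bytes:
    """findstr /V, then certutil -decode, as the batch stage does on the sandbox."""
    return certutil_decode(findstr_v(polyglot, marker))


def sha256_hex(data: bytes) -> str:
    """Hash the carved file so it can be matched against the report's dropped-file list."""
    return hashlib.sha256(data).hexdigest()


# Constructed stand-in for the dropped DLL: a PE-looking header plus filler.
FAKE_DLL = b"MZ\x90\x00" + bytes(range(256)) * 4

# Constructed polyglot. Every line that is script rather than payload carries the
# marker, including the batch line itself (its findstr argument contains the marker),
# so `findstr /V` strips exactly the non-base64 lines.
SAMPLE_POLYGLOT = (
    "/* outrageousdepressed */ var x = 0; // JS side, constructed\n"
    "copy \"%~f0\" obtainfaint.bat & findstr /V outrageousdepressed \"%~f0\" > zephyrhome "
    "& certutil -f -decode zephyrhome tickettoys.dll & rundll32 tickettoys.dll,m & exit /b\n"
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(FAKE_DLL).decode("ascii")
    + "-----END CERTIFICATE-----\n"
    "// outrageousdepressed end of polyglot, constructed\n"
)


if __name__ == "__main__":
    dll = carve(SAMPLE_POLYGLOT)
    print(len(dll), dll[:2], sha256_hex(dll))
```

Against the real sample the same three calls apply with the file contents read from disk; comparing sha256_hex of the result with the hashes in the Downloads section tells you whether the carve matches what the sandbox saw dropped, and a validate=True failure tells you the marker or the line filtering differs from what the batch stage actually does.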
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 354KB (the submitted sample; hashes match the Target above)
  MD5: cd856039e0eadf0f5dfdcd036cb3edc9
  SHA1: b0692de01ae5e2b4a0df6e41a5ba8e129fbd08bd
  SHA256: 805906250cc6d183deca8995103f8fc0848c5e25b4d67d72461af0e67ebb9c16
  SHA512: a3c45d99c8b1ca02b475b6c2412e6db7e9eabc439228be8a822049708588971f349e504eeb15cac3b637832ee8ec7c6ae36cd84cfa185c82fcbf1b08a8256fcc
- Filesize: 257KB
  MD5: 4cc26a2da2049ff4509091cdbf004c5e
  SHA1: 0bba8d2338b7db224047760a27c57afa02748f05
  SHA256: 3ad13a452ab86fb5eccbf0bf71f33700369fdd5114c3a8d13c52e722a1586312
  SHA512: cabc55978155dfddc6e6f2bbfe712b66998c3858dc52680c9e99f5a8040c001e52d76093e77636f6b03ba63f4798a04dc12c9f8438a5bfe97ccd90ccd2da02de
- Filesize: 344KB
  MD5: ec27c9d32b638666b649301419776e16
  SHA1: 1480c2bbd1de5aeed98401dca0378917461b9cfb
  SHA256: a3df024a2c70213924c7e13f2f891d5fbfe6d1d46057076cd53bef17cb78ad21
  SHA512: b360f85b7b6e0795afe1f7ca69dd0a0172199ba80b332af00d5110be2bd584b3cb08df0dbba384b32f15ef98a67ed4f045dd3b372717ab142890a8c7ed893efa

The report does not name the 257KB and 344KB files. Their sizes are in roughly the 3:4 ratio of a binary to its base64 encoding, which is consistent with tickettoys.dll and the intermediate zephyrhome file, but that mapping is an inference, not something the report states.