Analysis
- max time kernel: 121s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 31-01-2024 15:43
- Static task: static1
- Behavioral task: behavioral1
- Sample: 28836_2593959416481.js
- Resource: win7-20231215-en

General
- Target: 28836_2593959416481.js
- Size: 1.4MB
- MD5: 6a6c6d9614e572fedbfb8d2eb108bb42
- SHA1: 347b37c4eb1c9d6f6d18d7ec13291436b43bab79
- SHA256: 23107ced99838695bf4391c1271bafce47fad96e95b28f52df0a060038f80a7b
- SHA512: e7b0a9980f6a08c709ce251baf43553c1799dd7593ad8620d80aeaa1366934072bfd40edbc4d3b6660e8c31b6a74577ad34eb7fd93a3685ac4504eed58c22499
- SSDEEP: 24576:68+ynjkFpqZ5YszaGTWeo2a2QQrcuCUw2eQBJeOsvWthPVtd9qu2X+DlvCu0903s:aN
Malware Config
Signatures
- Loads dropped DLL (4 IoCs)
  pid | Process
  240 | rundll32.exe
  240 | rundll32.exe
  240 | rundll32.exe
  240 | rundll32.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | Process | procid_target
  PID 1944 wrote to memory of 2204 | 1944 | wscript.exe | 28
  PID 1944 wrote to memory of 2204 | 1944 | wscript.exe | 28
  PID 1944 wrote to memory of 2204 | 1944 | wscript.exe | 28
  PID 2204 wrote to memory of 1316 | 2204 | cmd.exe | 30
  PID 2204 wrote to memory of 1316 | 2204 | cmd.exe | 30
  PID 2204 wrote to memory of 1316 | 2204 | cmd.exe | 30
  PID 2204 wrote to memory of 2244 | 2204 | cmd.exe | 31
  PID 2204 wrote to memory of 2244 | 2204 | cmd.exe | 31
  PID 2204 wrote to memory of 2244 | 2204 | cmd.exe | 31
  PID 2204 wrote to memory of 240 | 2204 | cmd.exe | 32
  PID 2204 wrote to memory of 240 | 2204 | cmd.exe | 32
  PID 2204 wrote to memory of 240 | 2204 | cmd.exe | 32
Processes
- C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\28836_2593959416481.js
  PID: 1944
  Signature: Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\28836_2593959416481.js" "C:\Users\Admin\\pleasantobject.bat" && "C:\Users\Admin\\pleasantobject.bat"
    PID: 2204
    Signature: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\findstr.exe
      Command line: findstr /V militarysnore ""C:\Users\Admin\\pleasantobject.bat""
      PID: 1316
    - C:\Windows\system32\certutil.exe
      Command line: certutil -f -decode shakyinconclusive gatewoman.dll
      PID: 2244
    - C:\Windows\system32\rundll32.exe
      Command line: rundll32 gatewoman.dll,main
      PID: 240
      Signature: Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1.0MB
  MD5: d5f35509799fe456a67d41558f1b0f80
  SHA1: c7d1cb4541fadc69dc2f3a6f04b2940600d12e5c
  SHA256: ae1388f95f2678b7b6aabaf430b646710cdea10850c2556fbfcc0fb068e6fe4e
  SHA512: a9ed4db26bde7a085678ad15fb01e6be0ff4af0c8ffc5f6cdde99d9141b01e6889dbe2f172ae1723f479e0c75488eee6a7a6e79a7529c4dbb95381a80a1c6e48
- Filesize: 1.4MB
  MD5: 6a6c6d9614e572fedbfb8d2eb108bb42
  SHA1: 347b37c4eb1c9d6f6d18d7ec13291436b43bab79
  SHA256: 23107ced99838695bf4391c1271bafce47fad96e95b28f52df0a060038f80a7b
  SHA512: e7b0a9980f6a08c709ce251baf43553c1799dd7593ad8620d80aeaa1366934072bfd40edbc4d3b6660e8c31b6a74577ad34eb7fd93a3685ac4504eed58c22499
- Filesize: 1.4MB
  MD5: 6423b4a456dc34d7c6f67740aaa371fa
  SHA1: d9d4c432b60581b9d8b3fdd55e781ce5ff5e6df5
  SHA256: 25abcd9fb9ee09402dbc40b58466283739f223932fef07239f11548af088e9b4
  SHA512: 31c99c287ad497c14f70bd99163e9304952f662089b774ebbc94bf70c07e27ecc683d9e4ace957f17028883c0643e55a0e5ffcceaacc33e95ffd9f748c61b181