Analysis
max time kernel: 119s
max time network: 124s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 02-02-2024 13:44

Static task: static1
Behavioral task: behavioral1
Sample: 24946_15193478413494.js
Resource: win7-20231215-en
General
Target: 24946_15193478413494.js
Size: 1.9MB
MD5: c587f03e38a7ca5ac023ef8745264eb4
SHA1: a01598d9c8812f2609f0a868c8e44a81ad3c0685
SHA256: 1bf9722c0d8d00609a12614e512f662ea693a8d22a8854ccfcb2de8ca858d16a
SHA512: e6ee7687dddc0e23717c42ba2bf0b46cc19dcf3ff557c5be3e06fbea3e82520f5fa39afa315ff78408d812308ae04ed10a9e3cfa837a4ac5e11d9c4989f4d816
SSDEEP: 24576:z7wlkCvWJPN4RQjEdsFCOlJ+IbY68A7ckHsgPp2K9mkkCJzIrytG7sjxsSzMYOnY:ojTUwehMs
Malware Config
Signatures

Loads dropped DLL (4 IoCs)
  pid   Process
  2992  rundll32.exe
  2992  rundll32.exe
  2992  rundll32.exe
  2992  rundll32.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (12 IoCs)
  description                       pid   Process      procid_target
  PID 1620 wrote to memory of 3000  1620  wscript.exe  29
  PID 1620 wrote to memory of 3000  1620  wscript.exe  29
  PID 1620 wrote to memory of 3000  1620  wscript.exe  29
  PID 3000 wrote to memory of 2100  3000  cmd.exe      30
  PID 3000 wrote to memory of 2100  3000  cmd.exe      30
  PID 3000 wrote to memory of 2100  3000  cmd.exe      30
  PID 3000 wrote to memory of 3012  3000  cmd.exe      31
  PID 3000 wrote to memory of 3012  3000  cmd.exe      31
  PID 3000 wrote to memory of 3012  3000  cmd.exe      31
  PID 3000 wrote to memory of 2992  3000  cmd.exe      32
  PID 3000 wrote to memory of 2992  3000  cmd.exe      32
  PID 3000 wrote to memory of 2992  3000  cmd.exe      32
Processes

C:\Windows\system32\wscript.exe
  command: wscript.exe C:\Users\Admin\AppData\Local\Temp\24946_15193478413494.js
  PID: 1620
  Suspicious use of WriteProcessMemory

  C:\Windows\System32\cmd.exe
    command: "C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\24946_15193478413494.js" "C:\Users\Admin\\vaguetongue.bat" && "C:\Users\Admin\\vaguetongue.bat"
    PID: 3000
    Suspicious use of WriteProcessMemory

    C:\Windows\system32\findstr.exe
      command: findstr /V agreetrick ""C:\Users\Admin\\vaguetongue.bat""
      PID: 2100

    C:\Windows\system32\certutil.exe
      command: certutil -f -decode insidiouswall ladybugwork.dll
      PID: 3012

    C:\Windows\system32\rundll32.exe
      command: rundll32 ladybugwork.dll,main
      PID: 2992
      Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1.9MB
MD5: faef51ea997d7cd9d5e06163ac7e688d
SHA1: 4d363cd37ae00a68c360a4007cafc7a9b1b39916
SHA256: 75e258a9a0b150d98276059a3083c32fb76ab8b6ccd8867a711d2efff1dad569
SHA512: 1ee6d5e2bd041cd40dd51dabb923c1038caea987c335ed0096a44bfa352a2df11d305ec65c725a0776068ccd4df1ad88d197253d0902f2a69a28d58c0444b0f7

Filesize: 1.4MB
MD5: 37da6d71a857781e6af959bf651b886c
SHA1: 4947e02ade3269501720410aa0710f6bae388cca
SHA256: 59574b349e6554efb11b0ce11711cf0bf399311319f7a8ab17d23011f2715f72
SHA512: 783ae2f77abc6056aca179594ea5165977201378a18a4e871af1415ca9edc9174415130a7aff208785852ec21a5f12caea75910fd3d9f4463a9eac3ffb9ed8f6

Filesize: 1.9MB
MD5: c587f03e38a7ca5ac023ef8745264eb4
SHA1: a01598d9c8812f2609f0a868c8e44a81ad3c0685
SHA256: 1bf9722c0d8d00609a12614e512f662ea693a8d22a8854ccfcb2de8ca858d16a
SHA512: e6ee7687dddc0e23717c42ba2bf0b46cc19dcf3ff557c5be3e06fbea3e82520f5fa39afa315ff78408d812308ae04ed10a9e3cfa837a4ac5e11d9c4989f4d816