Analysis

max time kernel: 121s
max time network: 122s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 02-02-2024 14:52

Static task: static1
Behavioral task: behavioral1
  Sample: 24946_15193478413494.js
  Resource: win7-20231215-en
General

Target: 24946_15193478413494.js
Size: 1.9MB
MD5: c587f03e38a7ca5ac023ef8745264eb4
SHA1: a01598d9c8812f2609f0a868c8e44a81ad3c0685
SHA256: 1bf9722c0d8d00609a12614e512f662ea693a8d22a8854ccfcb2de8ca858d16a
SHA512: e6ee7687dddc0e23717c42ba2bf0b46cc19dcf3ff557c5be3e06fbea3e82520f5fa39afa315ff78408d812308ae04ed10a9e3cfa837a4ac5e11d9c4989f4d816
SSDEEP: 24576:z7wlkCvWJPN4RQjEdsFCOlJ+IbY68A7ckHsgPp2K9mkkCJzIrytG7sjxsSzMYOnY:ojTUwehMs
Malware Config
Signatures

Loads dropped DLL (4 IoCs)
  pid   process
  2832  rundll32.exe   (reported 4 times)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (12 IoCs)
  description                        pid   process       procid_target
  PID 3016 wrote to memory of 2724   3016  wscript.exe   28   (reported 3 times)
  PID 2724 wrote to memory of 3028   2724  cmd.exe       30   (reported 3 times)
  PID 2724 wrote to memory of 2624   2724  cmd.exe       31   (reported 3 times)
  PID 2724 wrote to memory of 2832   2724  cmd.exe       32   (reported 3 times)
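The parent/child relationships in the signature table are what a detection engineer would key on: a script host (wscript.exe) spawning cmd.exe, which then launches certutil with -decode and rundll32 on a DLL outside the Windows directory. The following is an added example, not part of the sandbox report or of any tool it names: a small Python detector run over constructed process-creation events that reuse the PIDs, images and command lines from this report. The parent PID 1234 of wscript.exe, the two trailing benign-control events, the event schema and the rule names are assumptions made for the example.

```python
import ntpath
import re

# Constructed process-creation events modelled on this report's process tree.
# PIDs 3016/2724/3028/2624/2832, images and command lines come from the report;
# ppid 1234 (the unseen parent of wscript.exe) and the two trailing "benign
# control" events are assumptions added for this example.
EVENTS = [
    {"pid": 3016, "ppid": 1234, "image": r"C:\Windows\system32\wscript.exe",
     "cmd": r"wscript.exe C:\Users\Admin\AppData\Local\Temp\24946_15193478413494.js"},
    {"pid": 2724, "ppid": 3016, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\24946_15193478413494.js" "C:\Users\Admin\\vaguetongue.bat" && "C:\Users\Admin\\vaguetongue.bat"'},
    {"pid": 3028, "ppid": 2724, "image": r"C:\Windows\system32\findstr.exe",
     "cmd": r'findstr /V agreetrick ""C:\Users\Admin\\vaguetongue.bat""'},
    {"pid": 2624, "ppid": 2724, "image": r"C:\Windows\system32\certutil.exe",
     "cmd": "certutil -f -decode insidiouswall ladybugwork.dll"},
    {"pid": 2832, "ppid": 2724, "image": r"C:\Windows\system32\rundll32.exe",
     "cmd": "rundll32 ladybugwork.dll,main"},
    # Benign control (assumed): an admin decoding a certificate from an interactive shell.
    {"pid": 4100, "ppid": 1234, "image": r"C:\Windows\System32\cmd.exe", "cmd": "cmd.exe"},
    {"pid": 4101, "ppid": 4100, "image": r"C:\Windows\system32\certutil.exe",
     "cmd": "certutil -decode cert.b64 cert.cer"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
# certutil accepts both "-decode" and "/decode" (and -decodehex).
DECODE_RE = re.compile(r"(?:^|\s)[-/]decode(?:hex)?(?:\s|$)", re.I)
# cmd.exe copying a .js file onto a .bat name, as in this report.
COPY_TO_BAT_RE = re.compile(r'\bcopy\b\s+"?[^"]*\.js"?\s+"?[^"]*\.bat', re.I)
# First rundll32 argument up to the comma that separates DLL from export.
RUNDLL_ARG_RE = re.compile(r'rundll32(?:\.exe)?"?\s+"?([^",\s]+)', re.I)


def image_name(ev):
    return ntpath.basename(ev["image"]).lower()


def ancestors(ev, by_pid):
    """Image names of the parent chain, nearest first; stops at unknown PIDs or loops."""
    chain, seen, ppid = [], set(), ev["ppid"]
    while ppid in by_pid and ppid not in seen:
        seen.add(ppid)
        chain.append(image_name(by_pid[ppid]))
        ppid = by_pid[ppid]["ppid"]
    return chain


def is_system_dll(path):
    """True only for an absolute path under C:\\Windows; relative names like
    'ladybugwork.dll' resolve against the working directory and are not system DLLs."""
    return ntpath.isabs(path) and path.lower().startswith("c:\\windows\\")


def detect(events):
    """Return (rule, pid) findings for the wscript -> cmd -> certutil/rundll32 pattern."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for ev in events:
        name, cmd = image_name(ev), ev["cmd"]
        under_script_host = any(a in SCRIPT_HOSTS for a in ancestors(ev, by_pid))
        if name == "cmd.exe" and COPY_TO_BAT_RE.search(cmd):
            findings.append(("script_copied_to_bat", ev["pid"]))
        if name == "certutil.exe" and DECODE_RE.search(cmd) and under_script_host:
            findings.append(("certutil_decode_under_script_host", ev["pid"]))
        if name == "rundll32.exe" and under_script_host:
            m = RUNDLL_ARG_RE.search(cmd)
            if m and not is_system_dll(m.group(1)):
                findings.append(("rundll32_user_dll_under_script_host", ev["pid"]))
    return findings


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule}: pid {pid}")
```

Ancestry is resolved from the events themselves, so the benign certutil run under an interactive cmd.exe produces no finding while the three stages of the reported chain each do; in a real pipeline the ancestry lookup would come from the EDR's process GUIDs rather than raw PIDs, which are reused.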
Processes (indented by process-tree depth)

C:\Windows\system32\wscript.exe  [PID 3016]
    wscript.exe C:\Users\Admin\AppData\Local\Temp\24946_15193478413494.js
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\cmd.exe  [PID 2724]
        "C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\24946_15193478413494.js" "C:\Users\Admin\\vaguetongue.bat" && "C:\Users\Admin\\vaguetongue.bat"
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\findstr.exe  [PID 3028]
            findstr /V agreetrick ""C:\Users\Admin\\vaguetongue.bat""
        C:\Windows\system32\certutil.exe  [PID 2624]
            certutil -f -decode insidiouswall ladybugwork.dll
        C:\Windows\system32\rundll32.exe  [PID 2832]
            rundll32 ladybugwork.dll,main
            - Loads dropped DLL
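Read off the command lines, the chain is: cmd.exe copies the .js to vaguetongue.bat and runs it, so the sample is a JScript/batch polyglot; findstr /V drops every line containing the token agreetrick (presumably every line of the wrapper, leaving only a base64 block); certutil -f -decode turns that block into ladybugwork.dll; rundll32 calls its export main. One caveat when reading the tree: findstr's output redirection is performed by cmd.exe and therefore never appears in findstr's own command line, so the link between findstr and the file insidiouswall that certutil decodes is inferred, not observed. The Python below is an added example, not code from the report or from the sample: it reproduces the findstr and certutil steps offline on a constructed polyglot carrying a constructed dummy PE, so an analyst can recover an embedded payload without executing the script. The polyglot layout, the dummy payload and the function names are assumptions; only the marker word and the command semantics come from the report.

```python
import base64
import hashlib

MARKER = "agreetrick"  # token from the report's findstr /V command line


def build_sample(payload: bytes, marker: str = MARKER) -> str:
    """Constructed polyglot in the shape the report implies (assumption):
    every wrapper line carries the marker, the base64 payload does not."""
    b64 = base64.b64encode(payload).decode("ascii")
    body = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    wrapper_head = [
        f"// {marker}  constructed wrapper line; a real sample's launcher goes here",
        f"var {marker} = 1;",
    ]
    wrapper_tail = [f"// {marker}  end of wrapper"]
    return "\r\n".join(wrapper_head + ["-----BEGIN CERTIFICATE-----"] + body +
                       ["-----END CERTIFICATE-----"] + wrapper_tail) + "\r\n"


def findstr_v(text: str, marker: str) -> list:
    """Emulate `findstr /V marker file`: keep lines that do NOT contain marker
    (findstr is case-sensitive unless /I is given)."""
    return [line for line in text.splitlines() if marker not in line]


def certutil_decode(lines) -> bytes:
    """Emulate `certutil -decode`: ignore PEM-style header/footer lines and
    whitespace, then base64-decode. Non-base64 content raises binascii.Error
    (a ValueError subclass), which is where certutil itself would fail."""
    kept = [line for line in lines if not line.strip().startswith("-----")]
    b64 = "".join("".join(line.split()) for line in kept)
    return base64.b64decode(b64, validate=True)


def extract_payload(text: str, marker: str = MARKER) -> bytes:
    """findstr /V followed by certutil -decode, as in the reported chain."""
    return certutil_decode(findstr_v(text, marker))


def is_pe(blob: bytes) -> bool:
    """MZ header plus a PE signature at e_lfanew (offset 0x3C)."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def describe(blob: bytes) -> dict:
    return {"size": len(blob), "sha256": hashlib.sha256(blob).hexdigest(), "is_pe": is_pe(blob)}


def make_dummy_pe() -> bytes:
    """Constructed stand-in for ladybugwork.dll: just enough header for is_pe()."""
    blob = bytearray(0x100)
    blob[0:2] = b"MZ"
    blob[0x3C:0x40] = (0x80).to_bytes(4, "little")
    blob[0x80:0x84] = b"PE\0\0"
    return bytes(blob)


if __name__ == "__main__":
    sample = build_sample(make_dummy_pe())
    print(describe(extract_payload(sample)))
```

Against the real sample you would feed the .js text to extract_payload() with the marker taken from the findstr command line and compare the SHA256 of the result with the dropped-file hashes the sandbox lists, which is how to confirm which download entry is ladybugwork.dll without running it.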
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 302KB
MD5: 20d4ef96f2f9caa7370ff1ad48c45fec
SHA1: 3e0050926e1053b98ec31f4cbf605fc4a4f6f649
SHA256: c156b77e4b3ab8420ed28b9ef833a9f5347599b8105f437cf528eb8a5b94cc61
SHA512: 61926516dbb1074fc3d4440113c90d4648cd68df51b8b78cce512aca10824638c3df7aa3fde3dd03e17a4327043ee65feba2c94829e1a4ab9248a4b0f8986ea5

Filesize: 153KB
MD5: 890552c641f835a3c95cff37c723dd03
SHA1: 091e988bc7a0964f0f4f5713963a2c10dd55eb69
SHA256: 74dba4602420500949cc29d49b1a3a4c2eda117a57e8b381e160ea776e0a7aca
SHA512: ae91a294130995e928e4a70be92cb805d37c6f7cf8cd243c559d76592d3c10d43be9175a42274a0cfd22ae9fe0da7f37a6402e19ca2e68475a0ba2fe658843fd

Filesize: 1.3MB
MD5: 23bec89b6b4e73b890e6373139e1b510
SHA1: d84d91af2f42c977b61a6ee5a5ff5c825abbb5fa
SHA256: 0b172321d9251d2348df4291672ee7307e7c97100072bd9e765cce99bb13127c
SHA512: 31e54378d606ecbc46b6f7caba9c7bb6b2914180a2e254bc88e5aa2587b815ec3a372eb779072f79c8a2174240512272eabf60a7abf3ba11c9e8445bb25c5dda

Filesize: 1.9MB (the submitted sample)
MD5: c587f03e38a7ca5ac023ef8745264eb4
SHA1: a01598d9c8812f2609f0a868c8e44a81ad3c0685
SHA256: 1bf9722c0d8d00609a12614e512f662ea693a8d22a8854ccfcb2de8ca858d16a
SHA512: e6ee7687dddc0e23717c42ba2bf0b46cc19dcf3ff557c5be3e06fbea3e82520f5fa39afa315ff78408d812308ae04ed10a9e3cfa837a4ac5e11d9c4989f4d816

Filesize: 164KB
MD5: 38a8e89fa048a9e16da38ed856b0de7a
SHA1: 1d10e416ad37270b52a9fea220b14b83a478b510
SHA256: 1fd09bae3d70c44ae72babbe071c0ef0b1553bb807b20e8b625802e5a7e9bad1
SHA512: ba7da3fa6f804e1f743aadf199d838136acf3458ba774b7590f04925b2c0b3161dc7693db0e1ffba25f8486da27897c8414d48b0a8747c393eb7c3811acfe711

Filesize: 131KB
MD5: 9a1a23f5933c216e489a7f70aaf59b3d
SHA1: 850542e45108caed0785f3b97e98ec12c176c685
SHA256: 20175eaff3959a9e83350e9086cf9d892344b52ec88606c5be74103be1eef793
SHA512: 94154a9019f912062fe541cee7ac3847ef0c3da3db9dd58bc52f2ca443e78e9d2058da1c87b1e03e996862423f4025053ac2d46bbfdc90b16e7f6dc0ae24974b

Filesize: 137KB
MD5: 325026c11fbe6981a88e05ef236fbb60
SHA1: 8ec4f01340d6810b0f2b58f0854892f0a14db606
SHA256: 17b6adf1b6e29a589bff2bed3b4288cf3edcda6f84a131377c8c64e942323c53
SHA512: 72be7001376f9c47a70b7f32bb7cbce08f94296f296a715968e15683a2a13108980f074afab0bd9b7e245da3ba604a89cb3a0160349b433b2d9ac857e0d0552f

Filesize: 105KB
MD5: 2576ea62768fb301fe7db961e005ee21
SHA1: e985dd24f96fa26b803dbc573465820007bfe304
SHA256: ca2f8f9266aefefad9b32479aca3acf74a814b4670daf6ffe8e6c305fdd1f203
SHA512: 574ec796787e8eb5466c542cfa886115ebf24a802feefbb38e1eea49a07acd49b87fd202862bc139472a1fe35089475a00541d9c083c029d3eb0459537773bb9