Analysis

max time kernel: 145s
max time network: 136s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 29-02-2024 21:33
Static task: static1

Behavioral task: behavioral1
  Sample: af85d8109ff251f1db6191b46ef8c66f.js
  Resource: win7-20240220-en

Behavioral task: behavioral2
  Sample: af85d8109ff251f1db6191b46ef8c66f.js
  Resource: win10v2004-20240226-en
General

Target: af85d8109ff251f1db6191b46ef8c66f.js
Size: 191KB
MD5: af85d8109ff251f1db6191b46ef8c66f
SHA1: b1f6c58407bd70c4819db5eecfbc2cdcb5af77e3
SHA256: 5ec545f3cccb7dddd12196320fb5144f131818170d87000cdca10fe9fb0353d4
SHA512: 1a7bf9da69cd189c15d33c0a7114670c0a0c5b76cf6f8cece60c33cac7b32cb7d22d13a989d19f61eebead584429d3ed9afdd8a222959b24ee31abc62353d48d
SSDEEP: 3072:yWt8ruabx2MftvMQDvolUJSKqvCVfKzJme6TB+ZhUzzv9EZAUycwqeHZzL:yWt8ruEjMV3KqsaB+B+MzFpeSzL
Malware Config

Signatures

Drops startup file (2 IoCs)
  description                   ioc                                                                                         Process
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tKaUarDZDG.js  WScript.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tKaUarDZDG.js  WScript.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description      ioc                                                                                                                                                                                  Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\B02N3ZE1UL = "\"C:\\Users\\Admin\\AppData\\Roaming\\tKaUarDZDG.js\""  WScript.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (6 IoCs)
  description                       pid   Process      procid_target
  PID 2348 wrote to memory of 2736  2348  wscript.exe  28
  PID 2348 wrote to memory of 2736  2348  wscript.exe  28
  PID 2348 wrote to memory of 2736  2348  wscript.exe  28
  PID 2348 wrote to memory of 3012  2348  wscript.exe  29
  PID 2348 wrote to memory of 3012  2348  wscript.exe  29
  PID 2348 wrote to memory of 3012  2348  wscript.exe  29
Processes

C:\Windows\system32\wscript.exe (PID 2348)
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\af85d8109ff251f1db6191b46ef8c66f.js
  Signatures: Suspicious use of WriteProcessMemory

  C:\Windows\System32\WScript.exe (PID 2736)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\tKaUarDZDG.js"
    Signatures: Drops startup file; Adds Run key to start application

  C:\Program Files\Java\jre7\bin\javaw.exe (PID 3012)
    Command line: "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\lizzyfox.txt"
-
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 92KB
MD5: e960b9b8954afa303d7989eed1290637
SHA1: a42410c56fb024243014c29334152c209ab88873
SHA256: 4439ce946a74288bc91360bee4b7ef43e7efeced81432ba10728220c323d7c7f
SHA512: cdb3f0e2911f1841919847903c6f6bd695e3f15106c1a5b7fa19b70e549967beefa7c32c87a1a2040bbc2b7a75b1a90adc7a7e113f519e15b09f62dc0ea473c8

Filesize: 5KB
MD5: 1f7a1f50ddcaacd7c16098f452ae3ea9
SHA1: c31e3feb895e9b69db5e014cc42a2b3e03473016
SHA256: f14d01dc44ad040b5c3a8b418aa4c27bc476f0c5bd7af5e1554547fe0f6bb2ef
SHA512: 6835fe9faac663378a6bd96e4dcba1f492d4dc488d410e019a965ca3c989c0d66d39f71b213a579c0e55fa4e52deb542b64c9b68108763af6ffed89414867271