Overview

Overall score: 10
Static analysis score: 10

Behavioral tasks (sample, platform, score):
14052163e5...43.exe    windows7-x64          10
14052163e5...43.exe    windows10-1703-x64    10
14052163e5...43.exe    windows10-2004-x64    10
14052163e5...43.exe    windows11-21h2-x64    10
Antimalwar...ble.js    windows7-x64          8
Antimalwar...ble.js    windows10-1703-x64    8
Antimalwar...ble.js    windows10-2004-x64    8
Antimalwar...ble.js    windows11-21h2-x64    8
EmbraTor M...et.exe    windows7-x64          1
EmbraTor M...et.exe    windows10-1703-x64    1
EmbraTor M...et.exe    windows10-2004-x64    1
EmbraTor M...et.exe    windows11-21h2-x64    1
Java Install.jar       windows7-x64          1
Java Install.jar       windows10-1703-x64    10
Java Install.jar       windows10-2004-x64    7
Java Install.jar       windows11-21h2-x64    10
MsMpEng.js             windows7-x64          10
MsMpEng.js             windows10-1703-x64    9
MsMpEng.js             windows10-2004-x64    10
MsMpEng.js             windows11-21h2-x64    10
Windows Dr...on.vbs    windows7-x64          10
Windows Dr...on.vbs    windows10-1703-x64    10
Windows Dr...on.vbs    windows10-2004-x64    10
Windows Dr...on.vbs    windows11-21h2-x64    10

Resubmissions (date, task ID, score):
09-04-2024 13:34    240409-qvlrtabe9s    10
09-04-2024 13:34    240409-qvk6aabe81    10
09-04-2024 13:33    240409-qthzjabe5z    10
09-04-2024 13:33    240409-qthc1abe5y    10
07-07-2023 11:45    230707-nw632ahf6w    10

Analysis
max time kernel: 1799s
max time network: 1801s
platform: windows11-21h2_x64
resource: win11-20240221-en
resource tags: arch:x64, arch:x86, image:win11-20240221-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 09-04-2024 13:34
Behavioral tasks (task, sample, resource):
behavioral1     14052163e50c197697c64b143.exe        win7-20231129-en
behavioral2     14052163e50c197697c64b143.exe        win10-20240404-en
behavioral3     14052163e50c197697c64b143.exe        win10v2004-20240226-en
behavioral4     14052163e50c197697c64b143.exe        win11-20240214-en
behavioral5     Antimalware Service Executable.js    win7-20240221-en
behavioral6     Antimalware Service Executable.js    win10-20240404-en
behavioral7     Antimalware Service Executable.js    win10v2004-20240226-en
behavioral8     Antimalware Service Executable.js    win11-20240221-en
behavioral9     EmbraTor Mac Smash Bullet.exe        win7-20240319-en
behavioral10    EmbraTor Mac Smash Bullet.exe        win10-20240404-en
behavioral11    EmbraTor Mac Smash Bullet.exe        win10v2004-20240226-en
behavioral12    EmbraTor Mac Smash Bullet.exe        win11-20240319-en
behavioral13    Java Install.jar                     win7-20240220-en
behavioral14    Java Install.jar                     win10-20240404-en
behavioral15    Java Install.jar                     win10v2004-20240226-en
behavioral16    Java Install.jar                     win11-20240221-en
behavioral17    MsMpEng.js                           win7-20240221-en
behavioral18    MsMpEng.js                           win10-20240404-en
behavioral19    MsMpEng.js                           win10v2004-20231215-en
behavioral20    MsMpEng.js                           win11-20240221-en
behavioral21    Windows Driver Foundation.vbs        win7-20240221-en
behavioral22    Windows Driver Foundation.vbs        win10-20240404-en
behavioral23    Windows Driver Foundation.vbs        win10v2004-20240226-en
behavioral24    Windows Driver Foundation.vbs        win11-20240221-en
General

Target: Antimalware Service Executable.js
Size: 713KB
MD5: c958a31d5e439d5b0d01900e5a85992a
SHA1: fc40d0ef637fe55fbaf83e8f4891e008ac736df6
SHA256: e3a33757c2e596f7ee50a4a41ff58f2e64dbdb062257fe5749ca19b955b0baaf
SHA512: 2aa0c813b7c17b01e1c18a3a12fb4f3c8ba9c9fee79a3ed66421959fd0440571e0cba5e90569970655342ce2730e823feae23ef6c5da09248f3da68fc0f3cf1c
SSDEEP: 12288:KOmMdaDXBuOdAAxcHaMp7yk0AaDhlLBO0Xzaj1B+UquKbLZaQlx+2CRQlD+EhajH:KOmMdaDXBuOdAAxcHaMp7yk0AaDhlLBc
Malware Config
Signatures
Blocklisted process makes network request (64 IoCs)
flow | pid | process:
flows 2, 3, 5, 7, 8, 10-18, 23-25, 27, 28, 30-74 (64 flows in total), each initiated by PID 2016, wscript.exe

Drops startup file (2 IoCs)
description | ioc | process:
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Antimalware Service Executable.js | wscript.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Antimalware Service Executable.js | wscript.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | process:
Set value (str) | \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000\Software\Microsoft\Windows\CurrentVersion\Run\Antimalware Service Executable = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Antimalware Service Executable.js\"" | wscript.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Antimalware Service Executable = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Antimalware Service Executable.js\"" | wscript.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000\Software\Microsoft\Windows\CurrentVersion\Run\Antimalware Service Executable = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Antimalware Service Executable.js\"" | wscript.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Antimalware Service Executable = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Antimalware Service Executable.js\"" | wscript.exe

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc:
1 | ip-api.com

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (2 IoCs)
description | pid | process | procid_target:
PID 4908 wrote to memory of 2016 | 4908 | wscript.exe | 77
PID 4908 wrote to memory of 2016 | 4908 | wscript.exe | 77
Processes

1. C:\Windows\system32\wscript.exe
   Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\Antimalware Service Executable.js"
   PID: 4908
   Signatures: Drops startup file; Adds Run key to start application; Suspicious use of WriteProcessMemory

   2. C:\Windows\System32\wscript.exe (child of PID 4908)
      Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Antimalware Service Executable.js"
      PID: 2016
      Signatures: Blocklisted process makes network request; Drops startup file; Adds Run key to start application
Network
MITRE ATT&CK Enterprise v15