Overview

Score: 10

Static

Score: 10

Tasks (score per sample and platform):

Sample                 Platform             Score
14052163e5...43.exe    windows7-x64         10
14052163e5...43.exe    windows10-1703-x64   10
14052163e5...43.exe    windows10-2004-x64   10
14052163e5...43.exe    windows11-21h2-x64   10
Antimalwar...ble.js    windows7-x64         8
Antimalwar...ble.js    windows10-1703-x64   8
Antimalwar...ble.js    windows10-2004-x64   8
Antimalwar...ble.js    windows11-21h2-x64   8
EmbraTor M...et.exe    windows7-x64         1
EmbraTor M...et.exe    windows10-1703-x64   1
EmbraTor M...et.exe    windows10-2004-x64   1
EmbraTor M...et.exe    windows11-21h2-x64   1
Java Install.jar       windows7-x64         1
Java Install.jar       windows10-1703-x64   7
Java Install.jar       windows10-2004-x64   7
Java Install.jar       windows11-21h2-x64   7
MsMpEng.js             windows7-x64         10
MsMpEng.js             windows10-1703-x64   9
MsMpEng.js             windows10-2004-x64   10
MsMpEng.js             windows11-21h2-x64   10
Windows Dr...on.vbs    windows7-x64         10
Windows Dr...on.vbs    windows10-1703-x64   10
Windows Dr...on.vbs    windows10-2004-x64   10
Windows Dr...on.vbs    windows11-21h2-x64   10

Resubmissions

Submitted           Task ID             Score
09-04-2024 13:34    240409-qvlrtabe9s   10
09-04-2024 13:34    240409-qvk6aabe81   10
09-04-2024 13:33    240409-qthzjabe5z   10
09-04-2024 13:33    240409-qthc1abe5y   10
07-07-2023 11:45    230707-nw632ahf6w   10

Analysis
max time kernel: 1175s
max time network: 1196s
platform: windows11-21h2_x64
resource: win11-20240412-en
resource tags: arch:x64, arch:x86, image:win11-20240412-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 14-04-2024 10:31
Behavioral tasks

Task           Sample                              Resource
behavioral1    14052163e50c197697c64b143.exe       win7-20240221-en
behavioral2    14052163e50c197697c64b143.exe       win10-20240404-en
behavioral3    14052163e50c197697c64b143.exe       win10v2004-20240412-en
behavioral4    14052163e50c197697c64b143.exe       win11-20240412-en
behavioral5    Antimalware Service Executable.js   win7-20240221-en
behavioral6    Antimalware Service Executable.js   win10-20240404-en
behavioral7    Antimalware Service Executable.js   win10v2004-20240226-en
behavioral8    Antimalware Service Executable.js   win11-20240412-en
behavioral9    EmbraTor Mac Smash Bullet.exe       win7-20231129-en
behavioral10   EmbraTor Mac Smash Bullet.exe       win10-20240404-en
behavioral11   EmbraTor Mac Smash Bullet.exe       win10v2004-20240226-en
behavioral12   EmbraTor Mac Smash Bullet.exe       win11-20240412-en
behavioral13   Java Install.jar                    win7-20240221-en
behavioral14   Java Install.jar                    win10-20240404-en
behavioral15   Java Install.jar                    win10v2004-20240412-en
behavioral16   Java Install.jar                    win11-20240412-en
behavioral17   MsMpEng.js                          win7-20240319-en
behavioral18   MsMpEng.js                          win10-20240404-en
behavioral19   MsMpEng.js                          win10v2004-20240412-en
behavioral20   MsMpEng.js                          win11-20240412-en
behavioral21   Windows Driver Foundation.vbs       win7-20240221-en
behavioral22   Windows Driver Foundation.vbs       win10-20240404-en
behavioral23   Windows Driver Foundation.vbs       win10v2004-20240412-en
behavioral24   Windows Driver Foundation.vbs       win11-20240412-en
General

Target: Antimalware Service Executable.js
Size: 713KB
MD5: c958a31d5e439d5b0d01900e5a85992a
SHA1: fc40d0ef637fe55fbaf83e8f4891e008ac736df6
SHA256: e3a33757c2e596f7ee50a4a41ff58f2e64dbdb062257fe5749ca19b955b0baaf
SHA512: 2aa0c813b7c17b01e1c18a3a12fb4f3c8ba9c9fee79a3ed66421959fd0440571e0cba5e90569970655342ce2730e823feae23ef6c5da09248f3da68fc0f3cf1c
SSDEEP: 12288:KOmMdaDXBuOdAAxcHaMp7yk0AaDhlLBO0Xzaj1B+UquKbLZaQlx+2CRQlD+EhajH:KOmMdaDXBuOdAAxcHaMp7yk0AaDhlLBc
Malware Config

Signatures

Blocklisted process makes network request (47 IoCs)

flow                                                                   pid    Process
10, 11, 19, 32, 40, 45, 46, 49, 50, 52-60, 62, 64-91 (47 flows)        4904   wscript.exe

Drops startup file (2 IoCs)

description                    ioc                                                                                                          Process
File created                   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Antimalware Service Executable.js   wscript.exe
File opened for modification   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Antimalware Service Executable.js   wscript.exe

Adds Run key to start application (2 TTPs, 4 IoCs)

description       ioc                                                                                                                                                                                                                                                  Process
Set value (str)   \REGISTRY\USER\S-1-5-21-4041115548-3858121278-1660933110-1000\Software\Microsoft\Windows\CurrentVersion\Run\Antimalware Service Executable = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Antimalware Service Executable.js\""   wscript.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Antimalware Service Executable = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Antimalware Service Executable.js\""                                                 wscript.exe
Set value (str)   \REGISTRY\USER\S-1-5-21-4041115548-3858121278-1660933110-1000\Software\Microsoft\Windows\CurrentVersion\Run\Antimalware Service Executable = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Antimalware Service Executable.js\""   wscript.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Antimalware Service Executable = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Antimalware Service Executable.js\""                                                 wscript.exe

Looks up external IP address via web service (1 IoC)

Uses a legitimate IP lookup service to find the infected system's external IP.

flow   ioc
1      ip-api.com

Enumerates physical storage devices (1 TTP)

Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (2 IoCs)

description                          pid    Process       procid_target
PID 1220 wrote to memory of 4904     1220   wscript.exe   81
PID 1220 wrote to memory of 4904     1220   wscript.exe   81
Processes

1. C:\Windows\system32\wscript.exe (PID 1220)
   Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\Antimalware Service Executable.js"
   - Drops startup file
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\System32\wscript.exe (PID 4904, child of PID 1220)
      Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Antimalware Service Executable.js"
      - Blocklisted process makes network request
      - Drops startup file
      - Adds Run key to start application
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 713KB
MD5: c958a31d5e439d5b0d01900e5a85992a
SHA1: fc40d0ef637fe55fbaf83e8f4891e008ac736df6
SHA256: e3a33757c2e596f7ee50a4a41ff58f2e64dbdb062257fe5749ca19b955b0baaf
SHA512: 2aa0c813b7c17b01e1c18a3a12fb4f3c8ba9c9fee79a3ed66421959fd0440571e0cba5e90569970655342ce2730e823feae23ef6c5da09248f3da68fc0f3cf1c