Analysis

  • max time kernel
    120s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    15-04-2024 12:49

General

  • Target

    15042024_2049_863858.js

  • Size

    5.7MB

  • MD5

    0dd1a6b7d7b3123fcf69757ca7d73eb9

  • SHA1

    4331e4a5faa2f30ae0629283c81f808482a70384

  • SHA256

    1608c6837a178ccb9af63150bd8eb5aa0f7e8ea59bd54929a7cf84d2edce7c6c

  • SHA512

    ecad0cd56831788ca086ceed5c05fc5b5af510543799c62b26d09c322438b0a85104964395ca083ae9fd3fa0485d106e18a64232a8ad91dba03b2ecabe6d8645

  • SSDEEP

    49152:4ZKCGqnaUy405pzJvdIp7z5nPfgxNExVziKEMSTwryEeCwWZb:c

Score
6/10

Malware Config

Signatures

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 13 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\15042024_2049_863858.js
    1⤵
    • Adds Run key to start application
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2060
    • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
      "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\Downloads\Notification_314.pdf"
      2⤵
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      PID:1640

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\MUSICP~1.ZIP

    Filesize

    636KB

    MD5

    3a087a0f8b569f831ab85b6a5dfe6b72

    SHA1

    412ed180798ef7499edbbfb3beb86d69a26ca7fa

    SHA256

    cc39d33ccb25cce23fa65f6ce0c688965104bb986ed9794659b0af4a27dc86cf

    SHA512

    2513998178f7feecbdd17242bb90ea0d81e6d6ebfe29cae7bb0bdde44c25d566f6b5009669c7e360593a7e0d8122da4260b26c5e6d11aa7ddf382d797f92a7b7

  • C:\Users\Admin\AppData\Local\Temp\MUSICP~2.ZIP

    Filesize

    1.5MB

    MD5

    47ca46c8c5a09bcdfe8c1cf23488ef83

    SHA1

    cf3a00b348f042574696cdb4a3384e6c2970c841

    SHA256

    767cb666de4f6276c093a9cbf4239c0a5cb228dc05c8b8df4cbfa871bb5c128a

    SHA512

    23ff4bd5322b0330b4432443b8478dc184764c1a4a91df18d3de2650b85c150d62473e74442189f242ddd1e54303f1d54fcb89face604b9ec278505b9adaaaf2

  • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

    Filesize

    3KB

    MD5

    60ca68d026b279b0029df77358dfa6d9

    SHA1

    ce15860d3c9897b8944ba6f088b5c19795e12e8d

    SHA256

    7e807d23f5f1b67ee99d2f957cf82ca20a3c93229c4755b3aaaa3518609cf12e

    SHA512

    66eaf9815c79389edcb7658085234608672958734f0ceaf4629f45b332593596720eb2a935c949891710bc528d32162efc7f2faf4231af70c619e6bde3541075

  • C:\Users\Admin\Downloads\Notification_314.pdf

    Filesize

    21KB

    MD5

    224640dc1a7558695ee1035b9d392f70

    SHA1

    7a88e21f8207baaa646063c104e7eb01fd4c5a90

    SHA256

    43fd54f5457b9ece2519117083516e184a99910459428e5f90bea42e753195c0

    SHA512

    33767616a526a94cbba9169924f64628febeee89a4413481b84235435b5d2e1bc8d5778b0865a3d36364907c0557e1fe219e64555982305d9e7a76dc91bd0bc5

  • memory/2060-25-0x0000000003680000-0x0000000003681000-memory.dmp

    Filesize

    4KB