95ae75280d51130009fa5e1b468dfbf6dc8bb1e80d1e1c343892cf3950bfcd14

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
21-05-2024 22:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

call and put contracts 16318.js
Size

8.8MB
MD5

88ab74d84774855d0a2c24d5a1b50389
SHA1

83ce4e759d3443332eb223689717b4895bd4e6cc
SHA256

f8f3fa45eced0c32fbbf912f3f8ba6100a8b59e14f12a125c88340a47cf7e57b
SHA512

cf5adf3cb923ddb264b6f2182be043859c3c16544bbc2d3c01f0469ca6a25702ece7b140438928067226a334d88ac7567e808ecab5b97731678a2e948e399e87
SSDEEP

49152:kYytwpCQK+aGYytwpCQK+aGYytwpCQK+aGYytwpCQK+aGYytwpCQK+aGYytwpCQO:f

Score

3^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

2796 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2796 powershell.exe

pid	process
2796	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2796	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

taskeng.exewscript.EXEcscript.exe

description	pid	process	target process
PID 2700 wrote to memory of 2604	2700	taskeng.exe	wscript.EXE
PID 2700 wrote to memory of 2604	2700	taskeng.exe	wscript.EXE
PID 2700 wrote to memory of 2604	2700	taskeng.exe	wscript.EXE
PID 2604 wrote to memory of 1768	2604	wscript.EXE	cscript.exe
PID 2604 wrote to memory of 1768	2604	wscript.EXE	cscript.exe
PID 2604 wrote to memory of 1768	2604	wscript.EXE	cscript.exe
PID 1768 wrote to memory of 2796	1768	cscript.exe	powershell.exe
PID 1768 wrote to memory of 2796	1768	cscript.exe	powershell.exe
PID 1768 wrote to memory of 2796	1768	cscript.exe	powershell.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\call and put contracts 16318.js"
1⤵
PID:1280

C:\Windows\system32\taskeng.exe
taskeng.exe {78B0E0BE-B14E-4B76-94DE-B0FD8D38A4F7} S-1-5-21-2248906074-2862704502-246302768-1000:GHPZRGFC\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2700

C:\Windows\system32\wscript.EXE
C:\Windows\system32\wscript.EXE GLOBAL~1.JS
2⤵
- Suspicious use of WriteProcessMemory
PID:2604

C:\Windows\System32\cscript.exe
"C:\Windows\System32\cscript.exe" "GLOBAL~1.JS"
3⤵
- Suspicious use of WriteProcessMemory
PID:1768

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Media Center Programs\GLOBAL~1.JS

Filesize
43.3MB

MD5
4fa4b4d068f722cbfe719be7ab4c8c52

SHA1
1b7b04c22e9bf7075f9c8b6ba88effe50f42bfc5

SHA256
a92381a403a1463b64ebc547de7ec2a4225a7755d23c4e56503582b9cb33c3c8

SHA512
486b1fa557da6ee6ce601514d2682767d3350ffc66fbcf29b50aba6b19d30bd4027bb086dfa5f0599294f31fa16ad598df8ba4e4560ce8f042098ec6ef470643

Download Submit
memory/2796-7-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

Filesize
2.9MB

Download
memory/2796-8-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download