Analysis
- max time kernel: 121s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240215-en
- resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
- submitted: 21-05-2024 22:00
Static task: static1
Behavioral task: behavioral1
- Sample: call and put contracts 16318.js
- Resource: win7-20240215-en
Behavioral task: behavioral2
- Sample: call and put contracts 16318.js
- Resource: win10v2004-20240508-en
General
- Target: call and put contracts 16318.js
- Size: 8.8MB
- MD5: 88ab74d84774855d0a2c24d5a1b50389
- SHA1: 83ce4e759d3443332eb223689717b4895bd4e6cc
- SHA256: f8f3fa45eced0c32fbbf912f3f8ba6100a8b59e14f12a125c88340a47cf7e57b
- SHA512: cf5adf3cb923ddb264b6f2182be043859c3c16544bbc2d3c01f0469ca6a25702ece7b140438928067226a334d88ac7567e808ecab5b97731678a2e948e399e87
- SSDEEP: 49152:kYytwpCQK+aGYytwpCQK+aGYytwpCQK+aGYytwpCQK+aGYytwpCQK+aGYytwpCQO:f
Malware Config
Signatures
- Command and Scripting Interpreter: JavaScript (1 TTPs)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes: powershell.exe (PID 2796)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: powershell.exe (PID 2796), token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: taskeng.exe, wscript.EXE, cscript.exe
  PID 2700 (taskeng.exe) wrote to memory of PID 2604 (wscript.EXE), 3 entries
  PID 2604 (wscript.EXE) wrote to memory of PID 1768 (cscript.exe), 3 entries
  PID 1768 (cscript.exe) wrote to memory of PID 2796 (powershell.exe), 3 entries
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\wscript.exe (depth 1, PID 1280)
  Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\call and put contracts 16318.js"
- C:\Windows\system32\taskeng.exe (depth 1, PID 2700)
  Command line: taskeng.exe {78B0E0BE-B14E-4B76-94DE-B0FD8D38A4F7} S-1-5-21-2248906074-2862704502-246302768-1000:GHPZRGFC\Admin:Interactive:[1]
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\wscript.EXE (depth 2, PID 2604)
    Command line: C:\Windows\system32\wscript.EXE GLOBAL~1.JS
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\cscript.exe (depth 3, PID 1768)
      Command line: "C:\Windows\System32\cscript.exe" "GLOBAL~1.JS"
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 4, PID 2796)
        Command line: powershell
        Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 43.3MB
  MD5: 4fa4b4d068f722cbfe719be7ab4c8c52
  SHA1: 1b7b04c22e9bf7075f9c8b6ba88effe50f42bfc5
  SHA256: a92381a403a1463b64ebc547de7ec2a4225a7755d23c4e56503582b9cb33c3c8
  SHA512: 486b1fa557da6ee6ce601514d2682767d3350ffc66fbcf29b50aba6b19d30bd4027bb086dfa5f0599294f31fa16ad598df8ba4e4560ce8f042098ec6ef470643