9fac136e14c41cb7d921001bdccfa54c2e3258436417383e495c5e9c9bc1b7e6

Analysis

max time kernel
315s
max time network
1587s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
22/05/2024, 15:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file01.js
Size

9KB
MD5

8e8d2c69942bfca618e4ab5f96f3165c
SHA1

764c3bde6c021af7a7fd2bf85e3cbc0d942997ee
SHA256

9fac136e14c41cb7d921001bdccfa54c2e3258436417383e495c5e9c9bc1b7e6
SHA512

8103e5e8b45e5c41d948fc3369f160bd604f65b27568db5afe4d2a2b4ffa7ab902fb7ff0516b3d875ee03b17384022c07fc940c04f2cac5b9f98ead1ba87391d
SSDEEP

192:Pz6nlgOO01ZRqU4Q8mN6vermFZb+u9JaXw/EwMettECxLozGCK:mm+rYvbQa2itECxL2o

Score

8^/10

execution

Malware Config

Signatures

Blocklisted process makes network request 5 IoCs

flow	pid	Process
2	4956	wscript.exe
4	4956	wscript.exe
6	4956	wscript.exe
10	4956	wscript.exe
12	4956	wscript.exe

Deletes itself 1 IoCs

pid	Process
4956	wscript.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings	OpenWith.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1432	OpenWith.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4956 wrote to memory of 1352	4956	wscript.exe	73
PID 4956 wrote to memory of 1352	4956	wscript.exe	73

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\file01.js
1⤵
- Blocklisted process makes network request
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:4956
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\rad65B0E.tmp
  2⤵
  - Modifies registry class
  PID:1352

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\rad65B0E.tmp

Filesize
117KB

MD5
3e4abd506fcecba406e201a01189e0de

SHA1
3b23dd809405dccb09dc942b1761f3880b0c0e86

SHA256
58c55a79af6679e9fe5678ae816efb348a63f681ceaa729864f223b905762f06

SHA512
77ef13835e13d31fa5782b62751781a6553e016068f9edd8bcc82aeeb784b22747df030a27d00c33393ac325de1a3682838cc06fee8ed672739924895a253028

Download Submit