Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    28/05/2024, 07:44

General

  • Target

    $PLUGINSDIR/ask.exe

  • Size

    174KB

  • MD5

    fac0274b791a442b44a6bdb052afa88d

  • SHA1

    7b36694b1c61a820e54d04df6e28e83b54b32de8

  • SHA256

    b03adb8851703fad0dfc74f21e537c8834f1305cfd0cfe765b107407794a0b5f

  • SHA512

    9e7f75d8332d0d580bbb554de7e05dc1bf0d16eec881571dd17c21e0871b2cd5f7cf6f90ef888fcb481951a0aab387174d563c7e2b993850b7b890a5760c0ba9

  • SSDEEP

    3072:4X7DItrfaocyTgfsqQOlJI0glTLiyIwmTWzec6E83No7G+97gIWpq:4saocyLCAlXiyTmTW58Nepcjpq

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Command and Scripting Interpreter: JavaScript 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ask.exe
    "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ask.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2380
    • C:\Windows\SysWOW64\cscript.exe
      cscript.exe //Nologo "ping.js" "http://cdnstats-a.akamaihd.net/s.gif?t=prxask&ptsk=s&v=1.1.20140801&appid=35852&pid=0&zone=0" "" ""
      2⤵
      • Blocklisted process makes network request
      PID:2204
    • C:\Windows\SysWOW64\cscript.exe
      cscript.exe //Nologo "ping.js" "http://cdnstats-a.akamaihd.net/s.gif?t=prxask&ptsk=a&v=1.1.20140801&appid=35852&pid=0&zone=0" "" ""
      2⤵
      • Blocklisted process makes network request
      PID:2752

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\nsy1F36.tmp\ping.js

    Filesize

    497B

    MD5

    17f3d5334f9123558915c180f73ebbbe

    SHA1

    423a865524b2d5981deee06197430ccb47444506

    SHA256

    34d45cff2d0b7d11472fde24e899bcd277e396b29e7ac6ca88662889f4433057

    SHA512

    240dfeae556717448d8882373b46839802938242dab18c4d819337d0f9769411afffba0986430508209c6c411d9cfa9b7384c435bc4b3b0e03decd10edd09776

  • \Users\Admin\AppData\Local\Temp\nsy1F36.tmp\System.dll

    Filesize

    23KB

    MD5

    125aebb055446fb52aa5956cf99e8a9a

    SHA1

    6b58fd08a8ff2763219cc6b0dcdb875f9970f850

    SHA256

    2e1b11ee20e5061ea86dc6b01e3efc659e887540afcab7317cdfd6a8eff87ec3

    SHA512

    5f85e48bd3ae2fd2be0595b93cbf74674e0281210688dcc73691178b295a702e8d43898afb6e5d8b7e82de98b4ee28194c9838ddf8279cde85f7fe48d34dc8b7

  • \Users\Admin\AppData\Local\Temp\nsy1F36.tmp\nsDialogs.dll

    Filesize

    11KB

    MD5

    790d227d847f7571c8d58a79057a469e

    SHA1

    75c347b1441383c61166b615dfd6e7e65b04629f

    SHA256

    37e99ab9db0045870e31db147438cf0c69b6fcdec4f3737a9743c447cbc0c3c0

    SHA512

    5821605bfb3e57ddfcc1a74829968814aae92b13cb713ef3628913d9112d493117e8aa9cc437770facdcd2d4bd1e53a271d491e6b4d3e4cff53bd027f4b07f4c

  • \Users\Admin\AppData\Local\Temp\nsy1F36.tmp\nsExec.dll

    Filesize

    8KB

    MD5

    249ae678f0dac4c625c6de6aca53823a

    SHA1

    6ac2b9e90e8445fed4c45c5dbf2d0227cd3b5201

    SHA256

    7298024a36310b7c4c112be87b61b62a0b1be493e2d5252a19e5e976daf674ce

    SHA512

    66e4081a40f3191bf28b810cf8411cb3c8c3e3ec5943e18d6672414fb5e7b4364f862cba44c9115c599ac90890ef02a773e254e7c979e930946bc52b0693aad7

  • memory/2380-32-0x0000000000400000-0x0000000000441000-memory.dmp

    Filesize

    260KB