209a4474cb7f906d4fd6c7df839841b7944b4917ec5f65bc0c92acfa552f9040

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
28/05/2024, 07:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$PLUGINSDIR/ask.exe
Size

174KB
MD5

fac0274b791a442b44a6bdb052afa88d
SHA1

7b36694b1c61a820e54d04df6e28e83b54b32de8
SHA256

b03adb8851703fad0dfc74f21e537c8834f1305cfd0cfe765b107407794a0b5f
SHA512

9e7f75d8332d0d580bbb554de7e05dc1bf0d16eec881571dd17c21e0871b2cd5f7cf6f90ef888fcb481951a0aab387174d563c7e2b993850b7b890a5760c0ba9
SSDEEP

3072:4X7DItrfaocyTgfsqQOlJI0glTLiyIwmTWzec6E83No7G+97gIWpq:4saocyLCAlXiyTmTW58Nepcjpq

Score

8^/10

execution

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
4	2204	cscript.exe
6	2752	cscript.exe

Loads dropped DLL 4 IoCs

pid	Process
2380	ask.exe
2380	ask.exe
2380	ask.exe
2380	ask.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 2204	2380	ask.exe	28
PID 2380 wrote to memory of 2204	2380	ask.exe	28
PID 2380 wrote to memory of 2204	2380	ask.exe	28
PID 2380 wrote to memory of 2204	2380	ask.exe	28
PID 2380 wrote to memory of 2752	2380	ask.exe	30
PID 2380 wrote to memory of 2752	2380	ask.exe	30
PID 2380 wrote to memory of 2752	2380	ask.exe	30
PID 2380 wrote to memory of 2752	2380	ask.exe	30

C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ask.exe
"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ask.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Windows\SysWOW64\cscript.exe
  cscript.exe //Nologo "ping.js" "http://cdnstats-a.akamaihd.net/s.gif?t=prxask&ptsk=s&v=1.1.20140801&appid=35852&pid=0&zone=0" "" ""
  2⤵
  - Blocklisted process makes network request
  PID:2204
- C:\Windows\SysWOW64\cscript.exe
  cscript.exe //Nologo "ping.js" "http://cdnstats-a.akamaihd.net/s.gif?t=prxask&ptsk=a&v=1.1.20140801&appid=35852&pid=0&zone=0" "" ""
  2⤵
  - Blocklisted process makes network request
  PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsy1F36.tmp\ping.js

Filesize
497B

MD5
17f3d5334f9123558915c180f73ebbbe

SHA1
423a865524b2d5981deee06197430ccb47444506

SHA256
34d45cff2d0b7d11472fde24e899bcd277e396b29e7ac6ca88662889f4433057

SHA512
240dfeae556717448d8882373b46839802938242dab18c4d819337d0f9769411afffba0986430508209c6c411d9cfa9b7384c435bc4b3b0e03decd10edd09776

Download Submit
\Users\Admin\AppData\Local\Temp\nsy1F36.tmp\System.dll

Filesize
23KB

MD5
125aebb055446fb52aa5956cf99e8a9a

SHA1
6b58fd08a8ff2763219cc6b0dcdb875f9970f850

SHA256
2e1b11ee20e5061ea86dc6b01e3efc659e887540afcab7317cdfd6a8eff87ec3

SHA512
5f85e48bd3ae2fd2be0595b93cbf74674e0281210688dcc73691178b295a702e8d43898afb6e5d8b7e82de98b4ee28194c9838ddf8279cde85f7fe48d34dc8b7

Download Submit
\Users\Admin\AppData\Local\Temp\nsy1F36.tmp\nsDialogs.dll

Filesize
11KB

MD5
790d227d847f7571c8d58a79057a469e

SHA1
75c347b1441383c61166b615dfd6e7e65b04629f

SHA256
37e99ab9db0045870e31db147438cf0c69b6fcdec4f3737a9743c447cbc0c3c0

SHA512
5821605bfb3e57ddfcc1a74829968814aae92b13cb713ef3628913d9112d493117e8aa9cc437770facdcd2d4bd1e53a271d491e6b4d3e4cff53bd027f4b07f4c

Download Submit
\Users\Admin\AppData\Local\Temp\nsy1F36.tmp\nsExec.dll

Filesize
8KB

MD5
249ae678f0dac4c625c6de6aca53823a

SHA1
6ac2b9e90e8445fed4c45c5dbf2d0227cd3b5201

SHA256
7298024a36310b7c4c112be87b61b62a0b1be493e2d5252a19e5e976daf674ce

SHA512
66e4081a40f3191bf28b810cf8411cb3c8c3e3ec5943e18d6672414fb5e7b4364f862cba44c9115c599ac90890ef02a773e254e7c979e930946bc52b0693aad7

Download Submit
memory/2380-32-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download