3071ac42b0c7407d7982843858e9df6a697f4b83dd4281394fef5e79bfea2bb5

Analysis

max time kernel
142s
max time network
118s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
25/07/2024, 09:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3071ac42b0c7407d7982843858e9df6a697f4b83dd4281394fef5e79bfea2bb5.js
Size

271KB
MD5

06423b5a0a4d4f444ea943e2bdaa5461
SHA1

3f839dd6da834bc4df8faf8bac49dd7f34b5cd50
SHA256

3071ac42b0c7407d7982843858e9df6a697f4b83dd4281394fef5e79bfea2bb5
SHA512

ce60a82182ab2cc122b50a34131d0c376ebf1c14286658603199a4eefb6153bae18201400a5b29c4dbead906be9aeb028155a1d1af531c1fb81cf79e00f5d759
SSDEEP

1536:PfINtK3IadjNM9h/IaOlaStsiuvErox1Rti/KCEBFjgnC2EoKyr/sK4tF6ROX1Lu:PIyuvuM2EM0l3hWAzmp4h2GWjyHW

Score

8^/10

execution

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
5	3032	wscript.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
2624	powershell.exe
2624	powershell.exe
1976	powershell.exe
1976	powershell.exe
1528	powershell.exe
1528	powershell.exe
2072	powershell.exe
2072	powershell.exe
900	powershell.exe
900	powershell.exe
380	powershell.exe
380	powershell.exe
1612	powershell.exe
1612	powershell.exe
1476	powershell.exe
1476	powershell.exe
2600	powershell.exe
2600	powershell.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	2624	powershell.exe
Token: SeDebugPrivilege	1976	powershell.exe
Token: SeDebugPrivilege	1528	powershell.exe
Token: SeDebugPrivilege	2072	powershell.exe
Token: SeDebugPrivilege	900	powershell.exe
Token: SeDebugPrivilege	380	powershell.exe
Token: SeDebugPrivilege	1612	powershell.exe
Token: SeDebugPrivilege	1476	powershell.exe
Token: SeDebugPrivilege	2600	powershell.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 2692 wrote to memory of 2880	2692	taskeng.exe	34
PID 2692 wrote to memory of 2880	2692	taskeng.exe	34
PID 2692 wrote to memory of 2880	2692	taskeng.exe	34
PID 2880 wrote to memory of 2624	2880	WScript.exe	36
PID 2880 wrote to memory of 2624	2880	WScript.exe	36
PID 2880 wrote to memory of 2624	2880	WScript.exe	36
PID 2624 wrote to memory of 1648	2624	powershell.exe	38
PID 2624 wrote to memory of 1648	2624	powershell.exe	38
PID 2624 wrote to memory of 1648	2624	powershell.exe	38
PID 2880 wrote to memory of 1976	2880	WScript.exe	39
PID 2880 wrote to memory of 1976	2880	WScript.exe	39
PID 2880 wrote to memory of 1976	2880	WScript.exe	39
PID 1976 wrote to memory of 2916	1976	powershell.exe	41
PID 1976 wrote to memory of 2916	1976	powershell.exe	41
PID 1976 wrote to memory of 2916	1976	powershell.exe	41
PID 2880 wrote to memory of 1528	2880	WScript.exe	42
PID 2880 wrote to memory of 1528	2880	WScript.exe	42
PID 2880 wrote to memory of 1528	2880	WScript.exe	42
PID 1528 wrote to memory of 2124	1528	powershell.exe	44
PID 1528 wrote to memory of 2124	1528	powershell.exe	44
PID 1528 wrote to memory of 2124	1528	powershell.exe	44
PID 2880 wrote to memory of 2072	2880	WScript.exe	45
PID 2880 wrote to memory of 2072	2880	WScript.exe	45
PID 2880 wrote to memory of 2072	2880	WScript.exe	45
PID 2072 wrote to memory of 1784	2072	powershell.exe	47
PID 2072 wrote to memory of 1784	2072	powershell.exe	47
PID 2072 wrote to memory of 1784	2072	powershell.exe	47
PID 2880 wrote to memory of 900	2880	WScript.exe	48
PID 2880 wrote to memory of 900	2880	WScript.exe	48
PID 2880 wrote to memory of 900	2880	WScript.exe	48
PID 900 wrote to memory of 2244	900	powershell.exe	50
PID 900 wrote to memory of 2244	900	powershell.exe	50
PID 900 wrote to memory of 2244	900	powershell.exe	50
PID 2880 wrote to memory of 380	2880	WScript.exe	51
PID 2880 wrote to memory of 380	2880	WScript.exe	51
PID 2880 wrote to memory of 380	2880	WScript.exe	51
PID 380 wrote to memory of 1668	380	powershell.exe	53
PID 380 wrote to memory of 1668	380	powershell.exe	53
PID 380 wrote to memory of 1668	380	powershell.exe	53
PID 2880 wrote to memory of 1612	2880	WScript.exe	54
PID 2880 wrote to memory of 1612	2880	WScript.exe	54
PID 2880 wrote to memory of 1612	2880	WScript.exe	54
PID 1612 wrote to memory of 1884	1612	powershell.exe	56
PID 1612 wrote to memory of 1884	1612	powershell.exe	56
PID 1612 wrote to memory of 1884	1612	powershell.exe	56
PID 2880 wrote to memory of 1476	2880	WScript.exe	57
PID 2880 wrote to memory of 1476	2880	WScript.exe	57
PID 2880 wrote to memory of 1476	2880	WScript.exe	57
PID 1476 wrote to memory of 2696	1476	powershell.exe	59
PID 1476 wrote to memory of 2696	1476	powershell.exe	59
PID 1476 wrote to memory of 2696	1476	powershell.exe	59
PID 2880 wrote to memory of 2600	2880	WScript.exe	60
PID 2880 wrote to memory of 2600	2880	WScript.exe	60
PID 2880 wrote to memory of 2600	2880	WScript.exe	60
PID 2600 wrote to memory of 2804	2600	powershell.exe	62
PID 2600 wrote to memory of 2804	2600	powershell.exe	62
PID 2600 wrote to memory of 2804	2600	powershell.exe	62

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\3071ac42b0c7407d7982843858e9df6a697f4b83dd4281394fef5e79bfea2bb5.js
1⤵
- Blocklisted process makes network request
PID:3032

C:\Windows\system32\taskeng.exe
taskeng.exe {37EAACF5-FA6B-468E-99D2-12C3B51CDDF0} S-1-5-21-3434294380-2554721341-1919518612-1000:ELZYPTFV\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2692
- C:\Windows\System32\WScript.exe
  C:\Windows\System32\WScript.exe "C:\Users\Admin\YLhjFraZZwiadZg.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2880
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2624
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2624" "1244"
      4⤵
      PID:1648
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1976
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1976" "1240"
      4⤵
      PID:2916
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1528
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1528" "1248"
      4⤵
      PID:2124
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2072
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2072" "1240"
      4⤵
      PID:1784
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:900
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "900" "1248"
      4⤵
      PID:2244
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:380
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "380" "1244"
      4⤵
      PID:1668
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1612
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1612" "1244"
      4⤵
      PID:1884
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1476
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1476" "1240"
      4⤵
      PID:2696
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2600
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2600" "1244"
      4⤵
      PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OutofProcReport259467451.txt

Filesize
1KB

MD5
0afc7d5fab0771a2964aa5dd2f95c8f5

SHA1
915ba68836c3f1be045380ba779ae699d16fe427

SHA256
7bdb3988fa1c4d5e10384323c29e50aa5df2d216a74dcd99705978c2f2c37e1a

SHA512
3305da2d4d0efd324d41b35d05eeb2a01e3e3469a3411fba75b9cb1111f25c9c4fa9e36932d18d1b74dc3829514040b75b0f0bdde924a6db9276663f13bb3e93

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259479967.txt

Filesize
1KB

MD5
ca1a839644b4f381099e6a99539374dd

SHA1
d013c9b3ebf2c76f6621594fc2a2ab9ae780fb6b

SHA256
8b3a8ec22cd1f32f810294d3bc34bee7809953acc727803efc6e8c9489f6820e

SHA512
6421026bdd552bdd9fb49ee362e15506116396dfd46b6d418cd290a0297e998ee8afede2c7ee9e375ad0395fce8ea21242b94f6f24bc7b207c85404d451eb5fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259494485.txt

Filesize
1KB

MD5
b283e0e5548027f1f0cabaa3240f57f3

SHA1
92e149f699ea37dcbf89c94f67415191612813ec

SHA256
0fabe2a1922b91a9eb48245839579f293ad4faa839be9330ab5277fbd29430f9

SHA512
bbdaf526ebc549d4265c287556a9d4d226698618096cc0a976a2b75456c90dc99a7f4b71da1841b56d4589e611d43d1950ff8c8d85ac46c92cd6850902442317

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259513446.txt

Filesize
1KB

MD5
35d7ef1de3313ae908d1f52404a64eff

SHA1
94b775f492da2fe2c2188ae7ed55498d4c8e79db

SHA256
64182cf5f51fb896a056a116bdeaaffa74bab4d65dd695b37d1db5e5ecd50fd4

SHA512
a467c81610772faef119904d3cd7e1acae1b0009a24b73db94e33ed83f09f463a2022370c41070ac6e856943c3f402c00f3525a56dce3bb379a9c3365c5d6647

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259526064.txt

Filesize
1KB

MD5
29133ec6b30f229e7e914259d584c74b

SHA1
e1b76ab04aaabc1a705ec1bdc6d81815cba19e29

SHA256
f9698bca8d70d15d148981c2e242030921af075628f9fac663fc29f11318c677

SHA512
8089fdea6acec24a0120a8985bf70ef312ac714909de746849bc6a3eb98689df9678d4e2de2b36cdcc7faca62110267c8753f00ea920cb28a44dc167f73ce69a

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259542004.txt

Filesize
1KB

MD5
ee2eb462dcf2f1e4fe4f79c6cfdaf58b

SHA1
e175ce6922d53f8cfc4e4a11e21786e3dcdc3856

SHA256
9d1a7b9d83e52a760d855bc8df7a252be66b76828826586a6d1463d0d4b3fb84

SHA512
64d2400edf7de084383653a103629c2d5d237bda16f0d7f639c619eba1f90a2982db58f51f2286970a89c6de4c4951ad297ac49df9a17a99167730d3735a7c6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259556239.txt

Filesize
1KB

MD5
747d83198be4a9bf9cda29f6c9061186

SHA1
1f3f2938b489df81b6f119ac01881397fcc04542

SHA256
7a21681836d14590bff3a635a44dbdb5117e151ff32d4b8f0e313113d0420f32

SHA512
60540ba91406792f409f76433050489647ad0e17a6b21b9e691aea15ec44e084f9af3b11ed43b11c6f9e83bf2edf8c3121ca5636f3d6ebe2578309fccfcd08ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259572872.txt

Filesize
1KB

MD5
fc7bb25fe074cf8d87f6ae96dccbc8e6

SHA1
a79b0f890dac43abad9763dbecef1ab084d306fa

SHA256
99e7fa5a4058bdb02cbb3d47f0cb0bc8a5f2bc2b74bbdad980c1d487cd36888e

SHA512
1d49875cc4e728c79eef103334ff19cec61e654326ab88cba45f294cab968ca2f4134a4a0bf5e78691e641f5e6a1d6167ad75bf4ed50d60634a867e4f91a8cc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259584202.txt

Filesize
1KB

MD5
b80c571870f4df4a0d32d7a3b451bb9d

SHA1
0c2d02430bbee4b350846b32a45e647b7d82d384

SHA256
52dbdf147effeb92c00f85add53676dc8135795ac90720056b83f6f0a85ce209

SHA512
f5288d5d6d636349a33259cedf3f983b6c075ba459d655181d7c9bceb4c13c306cf246684817094dc17a46f7b32a6c07185585423db4d6bf6c50eb351295fbf9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
34f04955c5cf1b60a93c4df455ad3ffd

SHA1
ae23b915b4755621286c2709033ded90bf128e81

SHA256
f8be942f157cd8d01f691b9a015024d07120afb1635687ce5587252729f6c135

SHA512
e6f95ae8b619fbe7a6a1580d7d0f124d126261dbbfa0da2db3d49b573869fb4bd753561e5ce7e26b1b5feb332e5ea03acfa55b74ae0a3d3064b9f767ed0e3b6d

Download Submit
C:\Users\Admin\YLhjFraZZwiadZg.vbs

Filesize
1KB

MD5
df8ff588cdd485fa5a69ac6622d2f279

SHA1
68ab587161288872a49a3aac287f61b9c6957ae3

SHA256
034ad208a95827c958f8d30d4f4dbe1b630c0cb60aed8e229d52df64816d8a46

SHA512
9d8baaad38fde02caec0d2a48b5c47b22e74b187cfaa82f1849b08172072efa5dc9fa0a11bd4c907a6ca2af2c184badd61549b0603b645190a39bb7970721475

Download Submit
memory/1976-18-0x000000001B790000-0x000000001BA72000-memory.dmp

Filesize
2.9MB

Download
memory/1976-19-0x0000000001F70000-0x0000000001F78000-memory.dmp

Filesize
32KB

Download
memory/2624-9-0x00000000028A0000-0x00000000028A8000-memory.dmp

Filesize
32KB

Download
memory/2624-8-0x000000001B5B0000-0x000000001B892000-memory.dmp

Filesize
2.9MB

Download
memory/2624-10-0x0000000002C80000-0x0000000002C8A000-memory.dmp

Filesize
40KB

Download