Analysis

  • max time kernel
    119s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    11-08-2024 12:32

General

  • Target

    6ab8c652eaac3627f0e3420aa3d7a29de229e6f905d7180af589d3f47a3ecaa4.js

  • Size

    27.4MB

  • MD5

    d0015b3890d82fbb6dffbb1ab58538dd

  • SHA1

    07b60ff9c3c3bd163b6783643eda3abb84393458

  • SHA256

    6ab8c652eaac3627f0e3420aa3d7a29de229e6f905d7180af589d3f47a3ecaa4

  • SHA512

    6a27ae112fef1339b7144c983529ff7188b6701db9d35a37bb3d5918c9db9f11d058fa3bad95e14842e6f6a6acbc1fc89381fd4e23a5d86287396b6cdfa376f4

  • SSDEEP

    49152:YYRxr8uC0NjaCXjzgYRxr8uC0NjaCXjzgYRxr8uC0NjaCXjzgYRxr8uC0NjaCXj7:5lll7

    (The four-fold repetition of the same chunk sequence in the first signature and the trivial second-block signature "5lll7" show that the 27.4MB file body consists mostly of repeated content, consistent with padding used to inflate the script well beyond the size of its working code.)

Score
3/10

Malware Config

Signatures

  • Command and Scripting Interpreter: JavaScript 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API (reached from WSH scripts through the Schedule.Service ActiveX object) can be used to schedule applications to run on boot or at set times. In this run the task fired within the analysis window: taskeng.exe (PID 3024) launched wscript.EXE PROCED~1.JS, the 8.3 short name of the copy the script dropped to C:\Users\Admin\AppData\Roaming\Media Center Programs\; that copy re-launched itself through cscript.exe and then spawned powershell. The dropped copy (39.9MB) is larger than the submitted file (27.4MB) and has a different SHA256, so it is not a byte-for-byte copy and the submitted hash alone will not identify it on disk.

Processes

  • C:\Windows\system32\wscript.exe  [depth 1, PID 2536]
    wscript.exe C:\Users\Admin\AppData\Local\Temp\6ab8c652eaac3627f0e3420aa3d7a29de229e6f905d7180af589d3f47a3ecaa4.js

  • C:\Windows\system32\taskeng.exe  [depth 1, PID 3024]
    taskeng.exe {24A5A21B-F340-4F07-9EF7-23C7160E1564} S-1-5-21-2958949473-3205530200-1453100116-1000:WHMFPZKA\Admin:Interactive:[1]
    Suspicious use of WriteProcessMemory

    • C:\Windows\system32\wscript.EXE  [depth 2, PID 2636]
      C:\Windows\system32\wscript.EXE PROCED~1.JS
      Suspicious use of WriteProcessMemory

      • C:\Windows\System32\cscript.exe  [depth 3, PID 2660]
        "C:\Windows\System32\cscript.exe" "PROCED~1.JS"
        Suspicious use of WriteProcessMemory

        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  [depth 4, PID 656]
          powershell
          Suspicious behavior: EnumeratesProcesses
          Suspicious use of AdjustPrivilegeToken

    Network

    MITRE ATT&CK Enterprise v15


    Downloads

    • C:\Users\Admin\AppData\Roaming\Media Center Programs\PROCED~1.JS

      Filesize

      39.9MB

      MD5

      14db8327f3d06483e5d6f8706fdda970

      SHA1

      815ba490f015ef82dad4508dcb7221725e8a2b7e

      SHA256

      33e6db73bf8254878a97874e591c11327a95b0386a2a034b63b53db4dc335c86

      SHA512

      724a8398ce4dd8fc5e8420f66c5604927c9245014ec27a17112617a4a27b7966401f057c6f9b3477793cf4c5e67f95957d660a887cb642c70da22cec4bcaa756

    • memory/656-7-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

      Filesize

      2.9MB

    • memory/656-8-0x0000000002340000-0x0000000002348000-memory.dmp

      Filesize

      32KB
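
A host-side check for the two persistence artefacts this report documents: the scheduled task that runs a script host against a .js from a user-writable location (the "Uses Task Scheduler COM API" signature and the taskeng.exe → wscript.EXE PROCED~1.JS chain), and the dropped file under AppData\Roaming\Media Center Programs. This is an added hunting script written for this page; it is not part of the sandbox report and not code from the sample. It assumes PowerShell 4 or later with the ScheduledTasks module (Windows 8 / Server 2012 and newer) and an elevated session so that every user's tasks and profile are visible; the script-host list and the user-writable path list are heuristics chosen here, not indicators from the report. On a Windows 7 host like the analysis VM, Get-ScheduledTask is unavailable and `schtasks.exe /Query /V /FO CSV` provides the same "Task To Run" data for the task half of the check.

```powershell
# Added hunting script, not part of the sandbox report or of the sample.
# Run elevated. Requires PowerShell 4+ (Get-FileHash) and the ScheduledTasks
# module (Windows 8 / Server 2012 and later).

# Indicators taken from the report above.
$ReportDropSha256 = '33e6db73bf8254878a97874e591c11327a95b0386a2a034b63b53db4dc335c86'  # PROCED~1.JS
$ReportDropDir    = 'AppData\Roaming\Media Center Programs'

# Heuristics (assumptions made for this example, not from the report): script
# hosts commonly abused as task actions, and user-writable locations that a
# scheduled action should rarely reference.
$ScriptHosts  = @('wscript.exe', 'cscript.exe', 'powershell.exe', 'mshta.exe')
$UserWritable = @('\AppData\Roaming\', '\AppData\Local\Temp\', '\Users\Public\', '\ProgramData\')

function Find-ScriptHostTasks {
    # One object per scheduled-task action that runs a script host with a
    # script-file argument or with a user-writable path in its command line
    # or working directory. Actions without an Execute (COM handlers) are skipped.
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }
            $exe  = [System.IO.Path]::GetFileName($action.Execute.Trim('"')).ToLowerInvariant()
            $line = '{0} {1}' -f $action.Execute, $action.Arguments
            $dir  = [string]$action.WorkingDirectory

            $isHost    = $ScriptHosts -contains $exe
            # Matches PROCED~1.JS as well as long names; 8.3 short names are still .js.
            $hasScript = $action.Arguments -match '\.(js|jse|vbs|vbe|wsf)("|\s|$)'
            $fromUser  = [bool]($UserWritable | Where-Object { ($line + ' ' + $dir) -like "*$_*" })

            if ($isHost -and ($hasScript -or $fromUser)) {
                [pscustomobject]@{
                    Task       = $task.TaskPath + $task.TaskName
                    RunAs      = $task.Principal.UserId
                    Triggers   = ($task.Triggers | ForEach-Object {
                                     $_.CimClass.CimClassName -replace '^MSFT_Task', '' }) -join ', '
                    Command    = $line
                    WorkingDir = $dir
                }
            }
        }
    }
}

function Test-ReportDropLocation {
    # Looks in every profile for the directory the sample dropped into and hashes
    # any .js found there. The directory itself is a legitimate Windows Media
    # Center folder, so its existence alone is not evidence; a hash match, or a
    # multi-megabyte .js nobody can account for, is.
    Get-ChildItem -Path 'C:\Users' -Directory | ForEach-Object {
        $dir = Join-Path $_.FullName $ReportDropDir
        if (Test-Path -LiteralPath $dir) {
            Get-ChildItem -LiteralPath $dir -Filter *.js -File -Force | ForEach-Object {
                $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash.ToLowerInvariant()
                [pscustomobject]@{
                    File       = $_.FullName
                    SizeMB     = [math]::Round($_.Length / 1MB, 1)
                    SHA256     = $hash
                    MatchesIoc = ($hash -eq $ReportDropSha256)
                }
            }
        }
    }
}

Find-ScriptHostTasks     | Format-Table -AutoSize
Test-ReportDropLocation  | Format-Table -AutoSize
```

Treat a task hit as the primary signal and the hash as confirmation only: the report already shows that the dropped copy differs from the submitted file in size and hash, so a copy on another host need not match either value, while a task whose action is wscript.EXE or cscript.exe against a .js under a user profile is unusual regardless of the file's hash.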