Malware Analysis Report

2025-01-23 15:07

Sample ID 240826-zltkqsvdqf
Target sample
SHA256 633d26a1267dba3a067c8d13e63586d5ede386c80116f81cba9fb09fa675d0d1
Tags
execution antivm
score
4/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
4/10

SHA256

633d26a1267dba3a067c8d13e63586d5ede386c80116f81cba9fb09fa675d0d1

Threat Level: Likely benign

The file sample was found to be: Likely benign.

Malicious Activity Summary

execution antivm

Changes its process name

Checks CPU configuration

Command and Scripting Interpreter: JavaScript

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-26 20:48

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-26 20:48

Reported

2024-08-26 21:19

Platform

win11-20240802-en

Max time kernel

1468s

Max time network

1480s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\sample.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\sample.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-26 20:48

Reported

2024-08-26 21:21

Platform

debian9-mipsel-20240729-en

Max time kernel

9s

Max time network

1679s

Command Line

[nodejs /tmp/sample.js]

Signatures

Changes its process name

Description Indicator Process Target
Changes the process name, possibly in an attempt to hide itself V8 WorkerThread N/A N/A
Changes the process name, possibly in an attempt to hide itself V8 WorkerThread N/A N/A
Changes the process name, possibly in an attempt to hide itself V8 WorkerThread N/A N/A
Changes the process name, possibly in an attempt to hide itself V8 WorkerThread N/A N/A

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /usr/bin/nodejs N/A

Processes

/usr/bin/nodejs

[nodejs /tmp/sample.js]

Network

Country Destination Domain Proto
US 1.1.1.1:53 debian9-mipsel-20240729-en-5 udp
US 1.1.1.1:53 debian9-mipsel-20240729-en-5 udp

Files

N/A