0c13ee253e4413e43fd053b49b014d30b66a921aa3dbaecfaa1797e3e0241368

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12/09/2024, 11:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0c13ee253e4413e43fd053b49b014d30b66a921aa3dbaecfaa1797e3e0241368.js
Size

9.3MB
MD5

d7000b36225b7029ba2b4b60740509ce
SHA1

7d173ae7775b24be2f84047d0a6e15b3874878d0
SHA256

0c13ee253e4413e43fd053b49b014d30b66a921aa3dbaecfaa1797e3e0241368
SHA512

1674e0c46b9e44e65eccdaa827ad7c4b8b8cdb95d7168c8639594b356ac84093656200edd9d4658269191369d8b583371792a0dd10fff8dc5d39d82a44bf201e
SSDEEP

49152:19y4nBjOwE9VTXa/s+LfHQI9y4nBjOwE9VTXa/s+LfHQI9y4nBjOwE9VTXa/s+L7:1DDDDDDt

Score

3^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2500	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2500	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3056 wrote to memory of 2072	3056	taskeng.exe	31
PID 3056 wrote to memory of 2072	3056	taskeng.exe	31
PID 3056 wrote to memory of 2072	3056	taskeng.exe	31
PID 2072 wrote to memory of 2612	2072	wscript.EXE	32
PID 2072 wrote to memory of 2612	2072	wscript.EXE	32
PID 2072 wrote to memory of 2612	2072	wscript.EXE	32
PID 2612 wrote to memory of 2500	2612	cscript.exe	34
PID 2612 wrote to memory of 2500	2612	cscript.exe	34
PID 2612 wrote to memory of 2500	2612	cscript.exe	34

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\0c13ee253e4413e43fd053b49b014d30b66a921aa3dbaecfaa1797e3e0241368.js
1⤵
PID:2204

C:\Windows\system32\taskeng.exe
taskeng.exe {1D20EA58-D081-4AC2-975D-799694544114} S-1-5-21-3063565911-2056067323-3330884624-1000:KHBTHJFA\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:3056
- C:\Windows\system32\wscript.EXE
  C:\Windows\system32\wscript.EXE CURREN~1.JS
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2072
- - C:\Windows\System32\cscript.exe
    "C:\Windows\System32\cscript.exe" "CURREN~1.JS"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2612
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Media Center Programs\CURREN~1.JS

Filesize
40.0MB

MD5
5dc99b56dd713e59d79f2da034b940ac

SHA1
dab70272c4ce07c588b4e2e70d6939e076de1537

SHA256
b3a5017a48a87d524766f6fb2c0bd1d04e715ab8d718742cc088f1780147775f

SHA512
ef311fdfd34b99038c6c70cc16937a66215db43919fed19a32dc3cb107b6d97424436c49801e171bf331747e8f16c051ecb7b68212609d6ce55eb2a59b2d227b

Download Submit
memory/2500-7-0x000000001B6D0000-0x000000001B9B2000-memory.dmp

Filesize
2.9MB

Download
memory/2500-8-0x0000000001EC0000-0x0000000001EC8000-memory.dmp

Filesize
32KB

Download