Analysis

  • max time kernel
    142s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    17-09-2024 01:26

General

  • Target

    af448bd9c6a6315bfa00b0301e57545cffe8ed75d30fbd18fdbd4cec606283b7.js

  • Size

    30KB

  • MD5

    86185d6d160eabe88692b9dbf3ff3e71

  • SHA1

    66cf746399849a72487a7ce9f8dd652d982a72bd

  • SHA256

    af448bd9c6a6315bfa00b0301e57545cffe8ed75d30fbd18fdbd4cec606283b7

  • SHA512

    15da27ecca298442aded5ad4a5a45522880013e7f9906d386167b27ad9439d08ecafdfd6c3de638bc3719d46d89f45116cf560772db11d3aae420cfbf059bd3e

  • SSDEEP

    768:OVWm9aFqK2YmaQ4Vg4vf4bQuvAsBvPquk6Q:Omkk6Q

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request (1 IoC)
  • Drops file in System32 directory (7 IoCs)
  • Command and Scripting Interpreter: JavaScript (1 TTP; ATT&CK T1059.007)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Script User-Agent (1 IoC)

    Uses a user-agent string associated with a script host/environment.

  • Suspicious behavior: EnumeratesProcesses (14 IoCs)
  • Suspicious use of AdjustPrivilegeToken (7 IoCs)
  • Suspicious use of WriteProcessMemory (48 IoCs)
  • Uses Task Scheduler COM API (1 TTP; ATT&CK T1053.005)

    The Task Scheduler COM API can be used to schedule applications to run at boot or at set times. In this run the task-launched script is C:\Users\Admin\AppData\Roaming\lwRdEznrBuqLMiX.vbs, started by taskeng.exe (PID 2936) in the process tree below.

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\af448bd9c6a6315bfa00b0301e57545cffe8ed75d30fbd18fdbd4cec606283b7.js
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2536
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\ProgramData\restored.vbe"
      2⤵
      • Blocklisted process makes network request
      PID:2388
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {30A65BAB-2C9C-4C68-9AA7-264D9F6AE96D} S-1-5-21-3533259084-2542256011-65585152-1000:XPAJOTIY\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2936
    • C:\Windows\System32\WScript.exe
      C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\lwRdEznrBuqLMiX.vbs"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2780
      • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
        3⤵
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2060
        • C:\Windows\system32\wermgr.exe
          "C:\Windows\system32\wermgr.exe" "-outproc" "2060" "1240"
          4⤵
          PID:2956
      • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
        3⤵
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:704
        • C:\Windows\system32\wermgr.exe
          "C:\Windows\system32\wermgr.exe" "-outproc" "704" "1240"
          4⤵
          PID:1652
      • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
        3⤵
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3040
        • C:\Windows\system32\wermgr.exe
          "C:\Windows\system32\wermgr.exe" "-outproc" "3040" "1244"
          4⤵
          PID:2080
      • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
        3⤵
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3012
        • C:\Windows\system32\wermgr.exe
          "C:\Windows\system32\wermgr.exe" "-outproc" "3012" "1248"
          4⤵
          PID:2168
      • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
        3⤵
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1352
        • C:\Windows\system32\wermgr.exe
          "C:\Windows\system32\wermgr.exe" "-outproc" "1352" "1240"
          4⤵
          PID:1708
      • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
        3⤵
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1780
        • C:\Windows\system32\wermgr.exe
          "C:\Windows\system32\wermgr.exe" "-outproc" "1780" "1240"
          4⤵
          PID:1548
      • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
        3⤵
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2556
        • C:\Windows\system32\wermgr.exe
          "C:\Windows\system32\wermgr.exe" "-outproc" "2556" "1244"
          4⤵
          PID:2816
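
The tree above is one chain: wscript.exe runs the submitted .js (PID 2536), which launches C:\ProgramData\restored.vbe in a second WScript.exe (PID 2388, the process the "Blocklisted process makes network request" signature fires on); separately, a scheduled task (consistent with the "Uses Task Scheduler COM API" signature) has taskeng.exe (PID 2936) run C:\Users\Admin\AppData\Roaming\lwRdEznrBuqLMiX.vbs (PID 2780), which spawns seven powershell.exe instances, each followed by a wermgr.exe -outproc child (Windows Error Reporting's out-of-process report for that PowerShell PID). The following is an added detection example, not code from the report or from the sandbox vendor: it rebuilds the tree from process records constructed from the report's own PIDs and command lines and flags the behaviours that make this chain suspicious. The Proc record layout, the rule names and the user-writable directory list are assumptions of this example, not anything the report defines.

```python
"""Flag the script-host execution chain recorded in this sandbox report.

Added example, not part of the report. The process records below are
constructed from the report's process tree; the Proc field layout is an
assumption, not a real Sysmon/ETW schema, so map your own telemetry onto it.
"""
import re
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid image cmdline")
Finding = namedtuple("Finding", "rule pid detail")

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf")
ENCODED_EXTS = (".vbe", ".jse")          # Microsoft Script Encoder output
# Directories a standard user can write to (assumed list); a script host
# launched from here is far more suspicious than one run from Program Files.
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\users\\public\\", "\\temp\\")

JS = r"C:\Users\Admin\AppData\Local\Temp\af448bd9c6a6315bfa00b0301e57545cffe8ed75d30fbd18fdbd4cec606283b7.js"
WSCRIPT = r"C:\Windows\System32\WScript.exe"
PS = r"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
WERMGR = r"C:\Windows\system32\wermgr.exe"

# Constructed from the report's process tree: (pid, parent pid, image, command line).
EVENTS = [
    Proc(2536, None, r"C:\Windows\system32\wscript.exe", f"wscript.exe {JS}"),
    Proc(2388, 2536, WSCRIPT, f'"{WSCRIPT}" "C:\\ProgramData\\restored.vbe"'),
    Proc(2936, None, r"C:\Windows\system32\taskeng.exe",
         r"taskeng.exe {30A65BAB-2C9C-4C68-9AA7-264D9F6AE96D} "
         r"S-1-5-21-3533259084-2542256011-65585152-1000:XPAJOTIY\Admin:Interactive:[1]"),
    Proc(2780, 2936, WSCRIPT, f'{WSCRIPT} "C:\\Users\\Admin\\AppData\\Roaming\\lwRdEznrBuqLMiX.vbs"'),
]
# Seven powershell.exe children of PID 2780, each with a wermgr.exe child
# (Windows Error Reporting out-of-process report, not an attacker payload).
for ps_pid, wer_pid, wer_arg in ((2060, 2956, 1240), (704, 1652, 1240), (3040, 2080, 1244),
                                 (3012, 2168, 1248), (1352, 1708, 1240), (1780, 1548, 1240),
                                 (2556, 2816, 1244)):
    EVENTS.append(Proc(ps_pid, 2780, PS, f'"{PS}"'))
    EVENTS.append(Proc(wer_pid, ps_pid, WERMGR, f'"{WERMGR}" "-outproc" "{ps_pid}" "{wer_arg}"'))


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def script_path(cmdline):
    """First command-line argument carrying a script extension, quotes stripped and lower-cased.
    Tokenisation is quote-aware but does not handle unquoted paths containing spaces."""
    for quoted, bare in re.findall(r'"([^"]+)"|(\S+)', cmdline):
        tok = (quoted or bare).lower()
        if tok.endswith(SCRIPT_EXTS):
            return tok
    return None


def launched_by_scheduler(parent):
    """taskeng.exe hosts scheduled tasks on Windows 7; on Windows 10+ the Schedule
    service runs inside an svchost.exe instance whose command line names it."""
    if parent is None:
        return False
    img = basename(parent.image)
    return img == "taskeng.exe" or (img == "svchost.exe" and "schedule" in parent.cmdline.lower())


def analyze(events):
    """Return one Finding per suspicious script-host behaviour in the process records."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        img = basename(e.image)
        parent = by_pid.get(e.ppid)
        parent_img = basename(parent.image) if parent else ""
        if img in SCRIPT_HOSTS:
            sp = script_path(e.cmdline)
            if sp and any(d in sp for d in USER_WRITABLE):
                findings.append(Finding("script_from_user_writable_dir", e.pid, sp))
            if sp and sp.endswith(ENCODED_EXTS):
                findings.append(Finding("encoded_script", e.pid, sp))
            if launched_by_scheduler(parent):
                findings.append(Finding("scheduled_task_runs_script_host", e.pid, sp or e.cmdline))
        elif img == "powershell.exe" and parent_img in SCRIPT_HOSTS:
            findings.append(Finding("script_host_spawns_powershell", e.pid, f"parent pid {e.ppid}"))
    return findings


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f"{f.rule:34} pid={f.pid:<5} {f.detail}")
```

Run as-is it yields twelve findings: three script hosts executing from user-writable paths (PIDs 2536, 2388, 2780), one encoded script (restored.vbe, PID 2388), one scheduled-task launch (PID 2780) and seven script-host-to-PowerShell parent/child pairs. The wermgr.exe children and the OutofProcReport*.txt files listed under Downloads are Windows Error Reporting output for the PowerShell processes, so the rules deliberately ignore them; the network request attributed to PID 2388 would need a separate network-event source to correlate.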

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\restored.vbe
    Filesize  14KB
    MD5       a51620220423d15df9de991aa0b10742
    SHA1      5c571d6a3e025ee9ab6eff03c7064ecc37fff450
    SHA256    ff2ab43a5ebbea267159e3cfce4ecdf829d050d92ffdcb34097afc12699d6501
    SHA512    1d392a7f9ca92a42819b891a01fdcd4d19b3f93ddc025efa20d421b65bcfaf8452d01f0f25994befd35ec61b9e4c27ddadb8c7b07866dcc7cbcfc1ee766df5bf

  • C:\Users\Admin\AppData\Local\Temp\OutofProcReport259488943.txt
    Filesize  1KB
    MD5       ce5a4d71b6bd61cfbf74aaa912203c88
    SHA1      efd656e51cc96efba0c004c15c2cf63897e72223
    SHA256    0c5fca7a7107a914b57289eeba2a29b3f8273d618af5a2745365960031764669
    SHA512    7fd452af8b4c4c2638ce8355e6f8317a3da7bfc254735f1538eda1ca4ddddcd5136f2ed116ea86e5478aea9600c1300be1cec1e4c54958216e600dacb7309912

  • C:\Users\Admin\AppData\Local\Temp\OutofProcReport259501458.txt
    Filesize  1KB
    MD5       ad78fde0e72f3f8bd7ca77a216d8f831
    SHA1      d23cd29f74bd867c9d87a0dbca5bbe7742b2ee1f
    SHA256    022c094793cdf2f047cc4032bc411fc8154c55bab6ee28c8b1d4af2a37d49311
    SHA512    bc1e594c78d316440f96e3df2b1f9dfad6a60e3855fb853b7d0d1586f4e6773c390e3be69a1ea7adb3c7a47cdfed48df6bcca78e40eef030d14b1d5bdf446f9d

  • C:\Users\Admin\AppData\Local\Temp\OutofProcReport259514815.txt
    Filesize  1KB
    MD5       448e87d7890fb74e4923d83367e9d53e
    SHA1      93dade6d38570c97d2941c7bd0f85f7aa7c5310d
    SHA256    47b5e19128b2701f47c173b93e6d340e086c5e4b1a4f04483e071ded7ffb74c9
    SHA512    f1a330de14d259316ab765a7db5475adb753f18f14a3cac617da96bd017db1785fa5307299f3b081f01e5693aaec0ee52c0b1ea925bf2665f4685fe6035bf42f

  • C:\Users\Admin\AppData\Local\Temp\OutofProcReport259534414.txt
    Filesize  1KB
    MD5       5835dddc66af1f111de2b2f3a0ff29a9
    SHA1      b06210885ef07f32e44194419bfbba2d1f51c748
    SHA256    291044ecf457e83f1d5045c5c37dfebd316955ebf255666a7d660654fb9dc213
    SHA512    5b7f04c509a50c761c9d08e1a04175ea49048635ec9b855741ff44536ce1b9125bc225ec748f5a3be2472b50cedcb1959ead6faf619613a8c4d11854ea984a3d

  • C:\Users\Admin\AppData\Local\Temp\OutofProcReport259548655.txt
    Filesize  1KB
    MD5       a726aad80720a76dbffa06ad988a08b1
    SHA1      9300e4a23829ee2b0b711a3eed8742d418b57ab0
    SHA256    f68f2094fc10464a9c7c45e6d1e7758a00c3dee9b00935fbf0d2adb9c8f7fdcf
    SHA512    c892f7feb177f616b728349e272fbabaa328db6c21552a05087611e4b0d2a3f8f5fed5da309755cfbfd7257898d24d558345fc3fbcbda584e426b910eef6d00c

  • C:\Users\Admin\AppData\Local\Temp\OutofProcReport259562864.txt
    Filesize  1KB
    MD5       cf85a24f53051dc7d89edc22b1da0eaf
    SHA1      88dbfa4f51c4a98524b542288b781aa8b04616d7
    SHA256    7db6189a96dbcbfcd00844491c2d2e44b2064d268d9848cc9e4e2bc8eb68b61b
    SHA512    7ecad4a33e15dda2492bc2f04ebb574a5f39e8a0cd0682ea51a162ecf5822fc41f044987890c6372de556be6e351b9bdfda466536d483f01b7640c68ca6cf244

  • C:\Users\Admin\AppData\Local\Temp\OutofProcReport259579757.txt
    Filesize  1KB
    MD5       d66b81120ba572b0bcedb5fe33f9eabb
    SHA1      ed24531a71c731df34e8da66deb8e2ab0c7254f6
    SHA256    bd07d1e1dc0ed6365d2c86d6fc203fb1c5a06d6146d79e96b92b32643a89e7c8
    SHA512    2ee603d9cd9a93470c6c71e36d56d1e15f73efc11d170d2a942f52560c5b33e7f6123733212c1f2ae5f0cbe79cd9ec35a79917862b300cd7087222d06e4318bd

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize  7KB
    MD5       101b453f33792a0b2b9a92d0882bc623
    SHA1      f7a809e96cd17646cb49493063a166a462f3ebbc
    SHA256    cae87695693bc4a519072bb03cd5acb3e9e856921b5ea7608112a25faf780b15
    SHA512    e2b2bbc7f17176c20964ec6624273dbf90b58709e1f635e9aab1f9f51e1597f463dc52aa26223c2f0c448c83ce496c2a5902624b876732cd417dfc2312932120

  • C:\Users\Admin\AppData\Roaming\lwRdEznrBuqLMiX.vbs
    Filesize  2KB
    MD5       2f1ec696b66433614ccd5ab314649206
    SHA1      dace4eeba067b5446d5b149d7b0c3cfd7abb0359
    SHA256    3d64a72c07ea79fbeaefc7ec6e12b755d9ce55815e60cb872ca8d94a47e977e7
    SHA512    fe3b70a5e31b77221fa0ab6501909a07260c912735d93991c4812c5b70806b78ac689a6628b4b045b83db6870dcab1a6e0cdb57dc5bf514c9e2a3608873d9ff7

  • memory/704-20-0x0000000001E70000-0x0000000001E78000-memory.dmp
    Filesize  32KB

  • memory/704-19-0x000000001B860000-0x000000001BB42000-memory.dmp
    Filesize  2.9MB

  • memory/2060-11-0x00000000028B0000-0x00000000028BA000-memory.dmp
    Filesize  40KB

  • memory/2060-10-0x0000000001E10000-0x0000000001E18000-memory.dmp
    Filesize  32KB

  • memory/2060-9-0x000000001B7C0000-0x000000001BAA2000-memory.dmp
    Filesize  2.9MB