Analysis
max time kernel: 142s
max time network: 121s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 17-09-2024 01:26

Static task: static1

Behavioral task: behavioral1
Sample: af448bd9c6a6315bfa00b0301e57545cffe8ed75d30fbd18fdbd4cec606283b7.js
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: af448bd9c6a6315bfa00b0301e57545cffe8ed75d30fbd18fdbd4cec606283b7.js
Resource: win10v2004-20240802-en

General
Target: af448bd9c6a6315bfa00b0301e57545cffe8ed75d30fbd18fdbd4cec606283b7.js
Size: 30KB
MD5: 86185d6d160eabe88692b9dbf3ff3e71
SHA1: 66cf746399849a72487a7ce9f8dd652d982a72bd
SHA256: af448bd9c6a6315bfa00b0301e57545cffe8ed75d30fbd18fdbd4cec606283b7
SHA512: 15da27ecca298442aded5ad4a5a45522880013e7f9906d386167b27ad9439d08ecafdfd6c3de638bc3719d46d89f45116cf560772db11d3aae420cfbf059bd3e
SSDEEP: 768:OVWm9aFqK2YmaQ4Vg4vf4bQuvAsBvPquk6Q:Omkk6Q
Malware Config
Signatures

Blocklisted process makes network request (1 IoC)
  flow | pid | Process
  2 | 2388 | WScript.exe

Drops file in System32 directory (7 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
  (this row is repeated 7 times in the report)

Command and Scripting Interpreter: JavaScript (1 TTP)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Script User-Agent (1 IoC)
  Uses user-agent string associated with script host/environment.
  description | flow | ioc
  HTTP User-Agent header | 2 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid | Process
  (each row below is repeated twice in the report)
  2060 | powershell.exe
  704 | powershell.exe
  3040 | powershell.exe
  3012 | powershell.exe
  1352 | powershell.exe
  1780 | powershell.exe
  2556 | powershell.exe

Suspicious use of AdjustPrivilegeToken (7 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2060 | powershell.exe
  Token: SeDebugPrivilege | 704 | powershell.exe
  Token: SeDebugPrivilege | 3040 | powershell.exe
  Token: SeDebugPrivilege | 3012 | powershell.exe
  Token: SeDebugPrivilege | 1352 | powershell.exe
  Token: SeDebugPrivilege | 1780 | powershell.exe
  Token: SeDebugPrivilege | 2556 | powershell.exe

Suspicious use of WriteProcessMemory (48 IoCs)
  description | pid | Process | procid_target
  (each row below is repeated 3 times in the report)
  PID 2536 wrote to memory of 2388 | 2536 | wscript.exe | 30
  PID 2936 wrote to memory of 2780 | 2936 | taskeng.exe | 33
  PID 2780 wrote to memory of 2060 | 2780 | WScript.exe | 35
  PID 2060 wrote to memory of 2956 | 2060 | powershell.exe | 37
  PID 2780 wrote to memory of 704 | 2780 | WScript.exe | 38
  PID 704 wrote to memory of 1652 | 704 | powershell.exe | 40
  PID 2780 wrote to memory of 3040 | 2780 | WScript.exe | 41
  PID 3040 wrote to memory of 2080 | 3040 | powershell.exe | 43
  PID 2780 wrote to memory of 3012 | 2780 | WScript.exe | 44
  PID 3012 wrote to memory of 2168 | 3012 | powershell.exe | 46
  PID 2780 wrote to memory of 1352 | 2780 | WScript.exe | 47
  PID 1352 wrote to memory of 1708 | 1352 | powershell.exe | 49
  PID 2780 wrote to memory of 1780 | 2780 | WScript.exe | 50
  PID 1780 wrote to memory of 1548 | 1780 | powershell.exe | 52
  PID 2780 wrote to memory of 2556 | 2780 | WScript.exe | 53
  PID 2556 wrote to memory of 2816 | 2556 | powershell.exe | 55

Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(numbers give the depth in the process tree)

1. C:\Windows\system32\wscript.exe
   Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\af448bd9c6a6315bfa00b0301e57545cffe8ed75d30fbd18fdbd4cec606283b7.js
   PID: 2536
   Signatures: Suspicious use of WriteProcessMemory

   2. C:\Windows\System32\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\ProgramData\restored.vbe"
      PID: 2388
      Signatures: Blocklisted process makes network request

1. C:\Windows\system32\taskeng.exe
   Command line: taskeng.exe {30A65BAB-2C9C-4C68-9AA7-264D9F6AE96D} S-1-5-21-3533259084-2542256011-65585152-1000:XPAJOTIY\Admin:Interactive:[1]
   PID: 2936
   Signatures: Suspicious use of WriteProcessMemory

   2. C:\Windows\System32\WScript.exe
      Command line: C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\lwRdEznrBuqLMiX.vbs"
      PID: 2780
      Signatures: Suspicious use of WriteProcessMemory

      3. C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
         Command line: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
         PID: 2060
         Signatures: Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

         4. C:\Windows\system32\wermgr.exe
            Command line: "C:\Windows\system32\wermgr.exe" "-outproc" "2060" "1240"
            PID: 2956

      3. C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
         Command line: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
         PID: 704
         Signatures: Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

         4. C:\Windows\system32\wermgr.exe
            Command line: "C:\Windows\system32\wermgr.exe" "-outproc" "704" "1240"
            PID: 1652

      3. C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
         Command line: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
         PID: 3040
         Signatures: Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

         4. C:\Windows\system32\wermgr.exe
            Command line: "C:\Windows\system32\wermgr.exe" "-outproc" "3040" "1244"
            PID: 2080

      3. C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
         Command line: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
         PID: 3012
         Signatures: Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

         4. C:\Windows\system32\wermgr.exe
            Command line: "C:\Windows\system32\wermgr.exe" "-outproc" "3012" "1248"
            PID: 2168

      3. C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
         Command line: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
         PID: 1352
         Signatures: Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

         4. C:\Windows\system32\wermgr.exe
            Command line: "C:\Windows\system32\wermgr.exe" "-outproc" "1352" "1240"
            PID: 1708

      3. C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
         Command line: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
         PID: 1780
         Signatures: Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

         4. C:\Windows\system32\wermgr.exe
            Command line: "C:\Windows\system32\wermgr.exe" "-outproc" "1780" "1240"
            PID: 1548

      3. C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
         Command line: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
         PID: 2556
         Signatures: Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

         4. C:\Windows\system32\wermgr.exe
            Command line: "C:\Windows\system32\wermgr.exe" "-outproc" "2556" "1244"
            PID: 2816
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 14KB
MD5: a51620220423d15df9de991aa0b10742
SHA1: 5c571d6a3e025ee9ab6eff03c7064ecc37fff450
SHA256: ff2ab43a5ebbea267159e3cfce4ecdf829d050d92ffdcb34097afc12699d6501
SHA512: 1d392a7f9ca92a42819b891a01fdcd4d19b3f93ddc025efa20d421b65bcfaf8452d01f0f25994befd35ec61b9e4c27ddadb8c7b07866dcc7cbcfc1ee766df5bf

Filesize: 1KB
MD5: ce5a4d71b6bd61cfbf74aaa912203c88
SHA1: efd656e51cc96efba0c004c15c2cf63897e72223
SHA256: 0c5fca7a7107a914b57289eeba2a29b3f8273d618af5a2745365960031764669
SHA512: 7fd452af8b4c4c2638ce8355e6f8317a3da7bfc254735f1538eda1ca4ddddcd5136f2ed116ea86e5478aea9600c1300be1cec1e4c54958216e600dacb7309912

Filesize: 1KB
MD5: ad78fde0e72f3f8bd7ca77a216d8f831
SHA1: d23cd29f74bd867c9d87a0dbca5bbe7742b2ee1f
SHA256: 022c094793cdf2f047cc4032bc411fc8154c55bab6ee28c8b1d4af2a37d49311
SHA512: bc1e594c78d316440f96e3df2b1f9dfad6a60e3855fb853b7d0d1586f4e6773c390e3be69a1ea7adb3c7a47cdfed48df6bcca78e40eef030d14b1d5bdf446f9d

Filesize: 1KB
MD5: 448e87d7890fb74e4923d83367e9d53e
SHA1: 93dade6d38570c97d2941c7bd0f85f7aa7c5310d
SHA256: 47b5e19128b2701f47c173b93e6d340e086c5e4b1a4f04483e071ded7ffb74c9
SHA512: f1a330de14d259316ab765a7db5475adb753f18f14a3cac617da96bd017db1785fa5307299f3b081f01e5693aaec0ee52c0b1ea925bf2665f4685fe6035bf42f

Filesize: 1KB
MD5: 5835dddc66af1f111de2b2f3a0ff29a9
SHA1: b06210885ef07f32e44194419bfbba2d1f51c748
SHA256: 291044ecf457e83f1d5045c5c37dfebd316955ebf255666a7d660654fb9dc213
SHA512: 5b7f04c509a50c761c9d08e1a04175ea49048635ec9b855741ff44536ce1b9125bc225ec748f5a3be2472b50cedcb1959ead6faf619613a8c4d11854ea984a3d

Filesize: 1KB
MD5: a726aad80720a76dbffa06ad988a08b1
SHA1: 9300e4a23829ee2b0b711a3eed8742d418b57ab0
SHA256: f68f2094fc10464a9c7c45e6d1e7758a00c3dee9b00935fbf0d2adb9c8f7fdcf
SHA512: c892f7feb177f616b728349e272fbabaa328db6c21552a05087611e4b0d2a3f8f5fed5da309755cfbfd7257898d24d558345fc3fbcbda584e426b910eef6d00c

Filesize: 1KB
MD5: cf85a24f53051dc7d89edc22b1da0eaf
SHA1: 88dbfa4f51c4a98524b542288b781aa8b04616d7
SHA256: 7db6189a96dbcbfcd00844491c2d2e44b2064d268d9848cc9e4e2bc8eb68b61b
SHA512: 7ecad4a33e15dda2492bc2f04ebb574a5f39e8a0cd0682ea51a162ecf5822fc41f044987890c6372de556be6e351b9bdfda466536d483f01b7640c68ca6cf244

Filesize: 1KB
MD5: d66b81120ba572b0bcedb5fe33f9eabb
SHA1: ed24531a71c731df34e8da66deb8e2ab0c7254f6
SHA256: bd07d1e1dc0ed6365d2c86d6fc203fb1c5a06d6146d79e96b92b32643a89e7c8
SHA512: 2ee603d9cd9a93470c6c71e36d56d1e15f73efc11d170d2a942f52560c5b33e7f6123733212c1f2ae5f0cbe79cd9ec35a79917862b300cd7087222d06e4318bd

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 7KB
MD5: 101b453f33792a0b2b9a92d0882bc623
SHA1: f7a809e96cd17646cb49493063a166a462f3ebbc
SHA256: cae87695693bc4a519072bb03cd5acb3e9e856921b5ea7608112a25faf780b15
SHA512: e2b2bbc7f17176c20964ec6624273dbf90b58709e1f635e9aab1f9f51e1597f463dc52aa26223c2f0c448c83ce496c2a5902624b876732cd417dfc2312932120

Filesize: 2KB
MD5: 2f1ec696b66433614ccd5ab314649206
SHA1: dace4eeba067b5446d5b149d7b0c3cfd7abb0359
SHA256: 3d64a72c07ea79fbeaefc7ec6e12b755d9ce55815e60cb872ca8d94a47e977e7
SHA512: fe3b70a5e31b77221fa0ab6501909a07260c912735d93991c4812c5b70806b78ac689a6628b4b045b83db6870dcab1a6e0cdb57dc5bf514c9e2a3608873d9ff7