Overview

overview

10

Static

static

1

f0035572ee...04f.js

windows7-x64

3

f0035572ee...04f.js

windows10-2004-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    19-09-2024 11:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f0035572eeaa0b2c6163c2d10a25e3a0c288dd0a0ff421aace09dcecfb91104f.js

  • Size

    10.6MB

  • MD5

    21d81b3dbba892299cafc36f383fcdf6

  • SHA1

    c1f7302534ddc799e2d8f3adf8bad88197f4d630

  • SHA256

    f0035572eeaa0b2c6163c2d10a25e3a0c288dd0a0ff421aace09dcecfb91104f

  • SHA512

    e060c3e4f78b6712ec5c3c0cb9c572877661b875085fe1e9b20dbb85cf41c4a6f021dab295f85f537f0b4dd2176b1256d68e6ddbaf467c0542aa0954756be818

  • SSDEEP

    49152:V1Yyna8vwbV5brH/s+LfHQe1Yyna8vwbV5brH/s+LfHQe1Yyna8vwbV5brH/s+Ly:VUUUUUUUo

Score
3/10
execution

Malware Config

Signatures

  • Command and Scripting Interpreter: JavaScript 1 TTPs
    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\f0035572eeaa0b2c6163c2d10a25e3a0c288dd0a0ff421aace09dcecfb91104f.js
    1⤵
      PID:2924
    • C:\Windows\system32\taskeng.exe
      taskeng.exe {4DCF9C8C-F53A-49F4-A379-9E8C94E6672D} S-1-5-21-1488793075-819845221-1497111674-1000:UPNECVIU\Admin:Interactive:[1]
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:2744
      • C:\Windows\system32\wscript.EXE
        C:\Windows\system32\wscript.EXE ORDERO~1.JS
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2572
        • C:\Windows\System32\cscript.exe
          "C:\Windows\System32\cscript.exe" "ORDERO~1.JS"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1880
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1692

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Identities\ORDERO~1.JS
      Filesize

      45.2MB

      MD5

      faf3c2b45d723140ced09007e5302736

      SHA1

      243b0dd2e46e372a29fd3baa8e621ad012b27d72

      SHA256

      463566000ed764f59c916cae1b9bf13227fdbc6a57fc78aeb784af7e531b4aa7

      SHA512

      747657d21635b115bdecae26e3b9b59db0b2a2cf6ceb5b5a990968700f2fb2a6ae893fa280e3d9003828ab267e5d689e45a9313714e6676933e80ce59038049a

      Download Submit

    • memory/1692-7-0x000000001B660000-0x000000001B942000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/1692-8-0x00000000022A0000-0x00000000022A8000-memory.dmp

      Filesize

      32KB

      Download