cc60fd66292a5edd37d23b5f3928015bd7aefa106df32d27adfe0604564ca682

Analysis

max time kernel
149s
max time network
152s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
23-10-2024 00:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Proof of payment.js
Size

199KB
MD5

efe96b774d716e94b8ddf67f11799f72
SHA1

cebf7446b7712b0be7d4139690413cb0a3ec2926
SHA256

cc60fd66292a5edd37d23b5f3928015bd7aefa106df32d27adfe0604564ca682
SHA512

795ff59eab0a6d253c5e039e6695d9f00f6e0a13714f311ecb744102c67fdbf5158812b570b7198bdd21349c6a2757ee85101517e71c446e56910f488cccf853
SSDEEP

3072:DQ18m6EBIFcNzKF2+uKr0rZvInqhvFm+LeOn6dHihG+KwszDU:DQv6DSNWFUKrOQnqhvFm+0Vio+jR

Score

3^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

wscript.exe

description	pid	process	target process
PID 2792 wrote to memory of 2564	2792	wscript.exe	javaw.exe
PID 2792 wrote to memory of 2564	2792	wscript.exe	javaw.exe
PID 2792 wrote to memory of 2564	2792	wscript.exe	javaw.exe

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Proof of payment.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Program Files\Java\jre7\bin\javaw.exe
  "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\fyzfsfffz.txt"
  2⤵
  PID:2564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\fyzfsfffz.txt

Filesize
92KB

MD5
7b51be77942ed021489dbf24edec3de0

SHA1
87c16cedede053c98a0e8ee17ffbfdeb8525071b

SHA256
489004af1fd6085da359ab80ecce733e9bda9d5f7ddf08edcd5ae38a24826177

SHA512
5590644bcebbebd12d597ab11a5fe6fa584800ca8eda8cea45b5bd5b81bccccc92a1f5362282b74934f68ce5820bb6cd89c5e43cf328445105c42d4367194706

Download Submit
memory/2564-4-0x00000000024E0000-0x0000000002750000-memory.dmp

Filesize
2.4MB

Download
memory/2564-12-0x0000000001CE0000-0x0000000001CE1000-memory.dmp

Filesize
4KB

Download
memory/2564-19-0x0000000001CE0000-0x0000000001CE1000-memory.dmp

Filesize
4KB

Download
memory/2564-20-0x0000000001CE0000-0x0000000001CE1000-memory.dmp

Filesize
4KB

Download
memory/2564-26-0x0000000001CE0000-0x0000000001CE1000-memory.dmp

Filesize
4KB

Download
memory/2564-27-0x0000000001CE0000-0x0000000001CE1000-memory.dmp

Filesize
4KB

Download
memory/2564-38-0x0000000001CE0000-0x0000000001CE1000-memory.dmp

Filesize
4KB

Download
memory/2564-39-0x0000000001CE0000-0x0000000001CE1000-memory.dmp

Filesize
4KB

Download
memory/2564-40-0x00000000024E0000-0x0000000002750000-memory.dmp

Filesize
2.4MB

Download
memory/2564-42-0x0000000001CE0000-0x0000000001CE1000-memory.dmp

Filesize
4KB

Download
memory/2564-46-0x0000000001CE0000-0x0000000001CE1000-memory.dmp

Filesize
4KB

Download
memory/2564-52-0x0000000001CE0000-0x0000000001CE1000-memory.dmp

Filesize
4KB

Download
memory/2564-82-0x0000000001CE0000-0x0000000001CE1000-memory.dmp

Filesize
4KB

Download