d2c8b31ed90c86ec267b673178ce22b36096ff8d705cbf9b5fa8ed4bac87550b

Analysis

max time kernel
240s
max time network
244s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
17-11-2024 00:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

17112024_0044_twBkX.js
Size

199KB
MD5

4ceb1057e744898bc02ffe2a9daa061a
SHA1

ccc89e9d665bc204347fbc7346957ed65ef983ba
SHA256

d2c8b31ed90c86ec267b673178ce22b36096ff8d705cbf9b5fa8ed4bac87550b
SHA512

3a71dba04527b03bb0ee1384f92b33eaa3de7bb3f1521997fd3151ef9ce553bfb5608054919b37c35f0f6f611acf59805949e586e52e3ca2cfc85e57f246c87a
SSDEEP

6144:PsnbkwFgwHtYdNCI8UpzdKxJzyU+JnkdTm6YDwDB:jNCzxpDB

Score

7^/10

execution

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\myscript.lnk	wscript.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2940	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2940	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2940	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 2592	2220	wscript.exe	29
PID 2220 wrote to memory of 2592	2220	wscript.exe	29
PID 2220 wrote to memory of 2592	2220	wscript.exe	29
PID 2592 wrote to memory of 2940	2592	cmd.exe	31
PID 2592 wrote to memory of 2940	2592	cmd.exe	31
PID 2592 wrote to memory of 2940	2592	cmd.exe	31

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\17112024_0044_twBkX.js
1⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c "powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Roaming\UPDATE.ps1""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2592
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Roaming\UPDATE.ps1"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\UPDATE.ps1

Filesize
196KB

MD5
67ea1d562d1ed27916829a569dbc7fb5

SHA1
7d083620f91219c67b7e0a2925a3cb8c987d00ee

SHA256
61b54b21f003b1133e63b76fe99a0750303e17a7cc93ea4535c5533b028b1781

SHA512
5d03188a7e5e3fd5f9702b9ac2255cc8d5f23dc0d101f5ffb84d411d0c89021af704383f8f2ee88af3a696a7576b8a338fa4140d9396ff6a6e299f1b511d39b4

Download Submit
memory/2940-6-0x000007FEF67BE000-0x000007FEF67BF000-memory.dmp

Filesize
4KB

Download
memory/2940-7-0x000000001B280000-0x000000001B562000-memory.dmp

Filesize
2.9MB

Download
memory/2940-8-0x0000000001D70000-0x0000000001D78000-memory.dmp

Filesize
32KB

Download
memory/2940-9-0x000007FEF6500000-0x000007FEF6E9D000-memory.dmp

Filesize
9.6MB

Download
memory/2940-10-0x000007FEF6500000-0x000007FEF6E9D000-memory.dmp

Filesize
9.6MB

Download
memory/2940-11-0x000007FEF6500000-0x000007FEF6E9D000-memory.dmp

Filesize
9.6MB

Download
memory/2940-12-0x000007FEF6500000-0x000007FEF6E9D000-memory.dmp

Filesize
9.6MB

Download
memory/2940-14-0x0000000002880000-0x00000000028AA000-memory.dmp

Filesize
168KB

Download
memory/2940-15-0x000007FEF6500000-0x000007FEF6E9D000-memory.dmp

Filesize
9.6MB

Download
memory/2940-16-0x000007FEF6500000-0x000007FEF6E9D000-memory.dmp

Filesize
9.6MB

Download