20eff877aeff0afaa8a5d29fe272bdd61e49779b9e308c4a202ad868a901a5cd

Analysis

max time kernel
153s
max time network
159s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
14-10-2022 10:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d5c09a6fff4dee7dee7f302c1d4d586ba6bc83f2.js
Size

27.3MB
MD5

8b274243a5179028388a2c17c75afb9f
SHA1

d5c09a6fff4dee7dee7f302c1d4d586ba6bc83f2
SHA256

20eff877aeff0afaa8a5d29fe272bdd61e49779b9e308c4a202ad868a901a5cd
SHA512

6848fe1763e2ec535b05374687cce02eeca59de0de21cbf1501defbb100ebe2bfaca68f6f75f4d34b8dbf1cda776b077096f550ca85a97586e311ab66e56e2af
SSDEEP

49152:i0ivhMr3KWDux3B2PfsN7B0eP3GBxGwJzMvY+DHEAh7BeE3bt3FK6/Zas9gthH/t:X

Score

8^/10

persistence upx

Malware Config

Signatures

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000a0000000122b7-79.dat	upx
behavioral1/files/0x000a0000000122b7-80.dat	upx
behavioral1/memory/1660-81-0x000007FEFA960000-0x000007FEFA9E1000-memory.dmp	upx
behavioral1/memory/1660-88-0x000007FEFA960000-0x000007FEFA9E1000-memory.dmp	upx
behavioral1/files/0x00080000000122ce-89.dat	upx
behavioral1/files/0x00080000000122ce-90.dat	upx
behavioral1/memory/1984-91-0x000007FEFAA80000-0x000007FEFAB01000-memory.dmp	upx
behavioral1/memory/1984-92-0x000007FEFAA80000-0x000007FEFAB01000-memory.dmp	upx

Loads dropped DLL 2 IoCs

pid	Process
1660	regsvr32.exe
1984	regsvr32.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ESTsoftAutoUpdate = "regsvr32.exe /s \"C:\\ProgramData\\Software\\ESTsoft\\Common\\ESTCommon.dll\""	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ESTsoftAutoUpdate = "regsvr32.exe /s \"C:\\ProgramData\\Software\\ESTsoft\\Common\\ESTCommon.dll\""	regsvr32.exe

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\U:	regsvr32.exe
File opened (read-only)	\??\X:	regsvr32.exe
File opened (read-only)	\??\Z:	regsvr32.exe
File opened (read-only)	\??\B:	regsvr32.exe
File opened (read-only)	\??\I:	regsvr32.exe
File opened (read-only)	\??\R:	regsvr32.exe
File opened (read-only)	\??\P:	regsvr32.exe
File opened (read-only)	\??\G:	regsvr32.exe
File opened (read-only)	\??\H:	regsvr32.exe
File opened (read-only)	\??\N:	regsvr32.exe
File opened (read-only)	\??\T:	regsvr32.exe
File opened (read-only)	\??\V:	regsvr32.exe
File opened (read-only)	\??\W:	regsvr32.exe
File opened (read-only)	\??\Y:	regsvr32.exe
File opened (read-only)	\??\F:	regsvr32.exe
File opened (read-only)	\??\J:	regsvr32.exe
File opened (read-only)	\??\O:	regsvr32.exe
File opened (read-only)	\??\K:	regsvr32.exe
File opened (read-only)	\??\L:	regsvr32.exe
File opened (read-only)	\??\M:	regsvr32.exe
File opened (read-only)	\??\Q:	regsvr32.exe
File opened (read-only)	\??\S:	regsvr32.exe
File opened (read-only)	\??\D:	regsvr32.exe
File opened (read-only)	\??\A:	regsvr32.exe
File opened (read-only)	\??\E:	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1288	powershell.exe
608	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1288	powershell.exe
Token: SeDebugPrivilege	608	powershell.exe
Token: SeDebugPrivilege	1984	regsvr32.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1196	AcroRd32.exe
1196	AcroRd32.exe
1196	AcroRd32.exe
1196	AcroRd32.exe
1196	AcroRd32.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 1148 wrote to memory of 1196	1148	wscript.exe	27
PID 1148 wrote to memory of 1196	1148	wscript.exe	27
PID 1148 wrote to memory of 1196	1148	wscript.exe	27
PID 1148 wrote to memory of 1196	1148	wscript.exe	27
PID 1148 wrote to memory of 1288	1148	wscript.exe	28
PID 1148 wrote to memory of 1288	1148	wscript.exe	28
PID 1148 wrote to memory of 1288	1148	wscript.exe	28
PID 1288 wrote to memory of 1340	1288	powershell.exe	30
PID 1288 wrote to memory of 1340	1288	powershell.exe	30
PID 1288 wrote to memory of 1340	1288	powershell.exe	30
PID 1148 wrote to memory of 608	1148	wscript.exe	31
PID 1148 wrote to memory of 608	1148	wscript.exe	31
PID 1148 wrote to memory of 608	1148	wscript.exe	31
PID 608 wrote to memory of 1660	608	powershell.exe	33
PID 608 wrote to memory of 1660	608	powershell.exe	33
PID 608 wrote to memory of 1660	608	powershell.exe	33
PID 608 wrote to memory of 1660	608	powershell.exe	33
PID 608 wrote to memory of 1660	608	powershell.exe	33
PID 1660 wrote to memory of 1992	1660	regsvr32.exe	34
PID 1660 wrote to memory of 1992	1660	regsvr32.exe	34
PID 1660 wrote to memory of 1992	1660	regsvr32.exe	34
PID 1660 wrote to memory of 1336	1660	regsvr32.exe	36
PID 1660 wrote to memory of 1336	1660	regsvr32.exe	36
PID 1660 wrote to memory of 1336	1660	regsvr32.exe	36
PID 1660 wrote to memory of 1984	1660	regsvr32.exe	38
PID 1660 wrote to memory of 1984	1660	regsvr32.exe	38
PID 1660 wrote to memory of 1984	1660	regsvr32.exe	38
PID 1660 wrote to memory of 1984	1660	regsvr32.exe	38
PID 1660 wrote to memory of 1984	1660	regsvr32.exe	38

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\d5c09a6fff4dee7dee7f302c1d4d586ba6bc83f2.js
1⤵
- Suspicious use of WriteProcessMemory
PID:1148
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\ProgramData\ï¿½Ü±ï¿½ï¿½ï¿½ ï¿½ï¿½ï¿½ï¿½ 2021-05-07.pdf"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1196
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden certutil -decode C:\Windows\..\ProgramData\efVo8cq.sIhn C:\Windows\..\ProgramData\glK7UwV.pR9a
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1288
- - C:\Windows\system32\certutil.exe
    "C:\Windows\system32\certutil.exe" -decode C:\Windows\..\ProgramData\efVo8cq.sIhn C:\Windows\..\ProgramData\glK7UwV.pR9a
    3⤵
    PID:1340
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden regsvr32.exe /s C:\Windows\..\ProgramData\glK7UwV.pR9a
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:608
- - C:\Windows\system32\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s C:\Windows\..\ProgramData\glK7UwV.pR9a
    3⤵
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1660
  - - C:\Windows\system32\cmd.exe
      cmd /c C:\ProgramData\temp\B972.tmp.bat
      4⤵
      PID:1992
  - - C:\Windows\system32\cmd.exe
      cmd /c C:\ProgramData\temp\C056.tmp.bat
      4⤵
      PID:1336
  - - C:\Windows\system32\regsvr32.exe
      regsvr32.exe /s "C:\ProgramData\Software\ESTsoft\Common\ESTCommon.dll"
      4⤵
      Loads dropped DLL
      Adds Run key to start application
      Enumerates connected drives
      Suspicious use of AdjustPrivilegeToken
      PID:1984

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Software\ESTsoft\Common\ESTCommon.dll

Filesize
190KB

MD5
14e01ed4d086206d3c4b7159dc887f25

SHA1
2918b5af300e979593df44696e947da396018532

SHA256
0a4f2cff4d4613c08b39c9f18253af0fd356697368eecddf7c0fa560386377e6

SHA512
ed9a19513f27d40620c38ea9a18cae3a8b806cdd6acfa44d9fff58faefd23d2d085e382b10412a01f6672304cbfb3d01aedafcf8de7ab41e3caffdf069bd88e6

Download Submit
C:\ProgramData\efVo8cq.sIhn

Filesize
253KB

MD5
184188b0c846fab897e0f95e596a6d7c

SHA1
f5c265a92f919a3372053f6d2b4e057e1b33a992

SHA256
cf605e3bb8181ed066b3750917a6244b599b5350f758afccb77ef244948a4ff0

SHA512
415099eddce21e792f72f84d7bd1fef2ba47cc53a20071b1feb935e6aa8815e2f5dffe4affc85c8b13bc5318468bbd485de4f5ffca0707b6178cdec6b74ec243

Download Submit
C:\ProgramData\glK7UwV.pR9a

Filesize
190KB

MD5
14e01ed4d086206d3c4b7159dc887f25

SHA1
2918b5af300e979593df44696e947da396018532

SHA256
0a4f2cff4d4613c08b39c9f18253af0fd356697368eecddf7c0fa560386377e6

SHA512
ed9a19513f27d40620c38ea9a18cae3a8b806cdd6acfa44d9fff58faefd23d2d085e382b10412a01f6672304cbfb3d01aedafcf8de7ab41e3caffdf069bd88e6

Download Submit
C:\ProgramData\temp\B972.tmp.bat

Filesize
126B

MD5
e561532826670ba83ec2411d4a92ffcf

SHA1
7217ea782868198a4f837f2d82c35f0f0071dcdb

SHA256
5a5c5c76c93441b3fb159d13886e5a8581959aa3b0c044e00cb00c592243adb4

SHA512
853632628d988955ee11633c5050b27b6da1ce6b00bdb666c90cb1299b7d2c1b1bf96d3b41bb7f0bb2bb01bbf64783f7124690913f4ae1a726404c3768dd7997

Download Submit
C:\ProgramData\temp\C056.tmp.bat

Filesize
124B

MD5
6de26458039b1131b1937434c146b1f6

SHA1
3e03d515e7b26dbaee04d0a71c3aa4ce3d8bbe3d

SHA256
9e193b27f408b9ea2a791160b57162f181281bbde6b2c7a1f4829ad3b153468e

SHA512
86854d68eb46ac17720493c65b9bbec9bff6bc759d3e5e2e25a1348621997ad5e471f15c929f3663ad7c68aeb601582da88816d91076b31724c8cd355e414aeb

Download Submit
C:\ProgramData\ï¿½Ü±ï¿½ï¿½ï¿½ ï¿½ï¿½ï¿½ï¿½ 2021-05-07.pdf

Filesize
20.2MB

MD5
eca5b2616aea464e9b623a91aed3b691

SHA1
64d8e9c11253fa177fc45e439531c53c6830fc3c

SHA256
3251c02ff0fc90dccd79b94fb2064fb3d7f870c69192ac1f10ad136a43c1ccea

SHA512
e92e5013d43f4688dd61529a2e6d803a6fff7036e9ce68aa9137730a2c32fc9a84a6901f4c4da19a06985804dadb6320decff6b43ea8de600ab41af345542473

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
b5aaf5e709d81b3bdccf8b46c2f538e6

SHA1
a24c3e4bc0fa07a47ab1704b5e537a032e2d81af

SHA256
bbbd269d14783cfed08b94ad3856095c097f46d149a850a6f31cf1886ec2168c

SHA512
f1fb76d9f56f9be37671fd70cb25b691521b7459f63605148df41bed6940066ad0748541f67a9c78a3ae453f7189ad24f68e8786b9f309a177d774a1e57f8a33

Download Submit
\ProgramData\Software\ESTsoft\Common\ESTCommon.dll

Filesize
190KB

MD5
14e01ed4d086206d3c4b7159dc887f25

SHA1
2918b5af300e979593df44696e947da396018532

SHA256
0a4f2cff4d4613c08b39c9f18253af0fd356697368eecddf7c0fa560386377e6

SHA512
ed9a19513f27d40620c38ea9a18cae3a8b806cdd6acfa44d9fff58faefd23d2d085e382b10412a01f6672304cbfb3d01aedafcf8de7ab41e3caffdf069bd88e6

Download Submit
\ProgramData\glK7UwV.pR9a

Filesize
190KB

MD5
14e01ed4d086206d3c4b7159dc887f25

SHA1
2918b5af300e979593df44696e947da396018532

SHA256
0a4f2cff4d4613c08b39c9f18253af0fd356697368eecddf7c0fa560386377e6

SHA512
ed9a19513f27d40620c38ea9a18cae3a8b806cdd6acfa44d9fff58faefd23d2d085e382b10412a01f6672304cbfb3d01aedafcf8de7ab41e3caffdf069bd88e6

Download Submit
memory/608-77-0x0000000002744000-0x0000000002747000-memory.dmp

Filesize
12KB

Download
memory/608-78-0x000000000274B000-0x000000000276A000-memory.dmp

Filesize
124KB

Download
memory/608-74-0x0000000002744000-0x0000000002747000-memory.dmp

Filesize
12KB

Download
memory/608-69-0x0000000000000000-mapping.dmp

Download
memory/608-72-0x000007FEF3290000-0x000007FEF3CB3000-memory.dmp

Filesize
10.1MB

Download
memory/608-73-0x000007FEF2730000-0x000007FEF328D000-memory.dmp

Filesize
11.4MB

Download
memory/1148-54-0x000007FEFB5D1000-0x000007FEFB5D3000-memory.dmp

Filesize
8KB

Download
memory/1196-56-0x0000000074C11000-0x0000000074C13000-memory.dmp

Filesize
8KB

Download
memory/1196-55-0x0000000000000000-mapping.dmp

Download
memory/1288-63-0x000000000285B000-0x000000000287A000-memory.dmp

Filesize
124KB

Download
memory/1288-60-0x000007FEF1D90000-0x000007FEF28ED000-memory.dmp

Filesize
11.4MB

Download
memory/1288-67-0x000000000285B000-0x000000000287A000-memory.dmp

Filesize
124KB

Download
memory/1288-66-0x0000000002854000-0x0000000002857000-memory.dmp

Filesize
12KB

Download
memory/1288-57-0x0000000000000000-mapping.dmp

Download
memory/1288-59-0x000007FEF28F0000-0x000007FEF3313000-memory.dmp

Filesize
10.1MB

Download
memory/1288-61-0x0000000002854000-0x0000000002857000-memory.dmp

Filesize
12KB

Download
memory/1336-84-0x0000000000000000-mapping.dmp

Download
memory/1340-62-0x0000000000000000-mapping.dmp

Download
memory/1340-64-0x00000000FF9B1000-0x00000000FF9B3000-memory.dmp

Filesize
8KB

Download
memory/1660-75-0x0000000000000000-mapping.dmp

Download
memory/1660-81-0x000007FEFA960000-0x000007FEFA9E1000-memory.dmp

Filesize
516KB

Download
memory/1660-88-0x000007FEFA960000-0x000007FEFA9E1000-memory.dmp

Filesize
516KB

Download
memory/1984-86-0x0000000000000000-mapping.dmp

Download
memory/1984-91-0x000007FEFAA80000-0x000007FEFAB01000-memory.dmp

Filesize
516KB

Download
memory/1984-92-0x000007FEFAA80000-0x000007FEFAB01000-memory.dmp

Filesize
516KB

Download
memory/1992-82-0x0000000000000000-mapping.dmp

Download