Analysis

max time kernel: 147s
max time network: 151s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 13-01-2023 08:39

Static task: static1
Behavioral task: behavioral1
Sample: Proforma DA request.js
Resource: win7-20221111-en

General

Target: Proforma DA request.js
Size: 1.4MB
MD5: 6ed6de4f3937d74a4a890fd63a731913
SHA1: e6e6c10575efbc35a55d47bd4769223da7a8d9cc
SHA256: d545270fe4ea4823d14c419ec38d3c1f861c6a24c096b3b0953960428c4ef395
SHA512: 717911ec6dd302ad70a13da42bc877cc02b268bf515c09dfea302799665e6102a1585575232b4191ac586904b418f360aab46d5da7df7f63a97f661678579c82
SSDEEP: 24576:7BqyjfTTfng/+3tHhRkeBQxoS+Vy9ePXG:7BRTTYQBRksQxoS+8f
Malware Config
Signatures

Blocklisted process makes network request (16 IoCs)
Processes: wscript.exe
flow  pid  Process
5     660  wscript.exe
12    660  wscript.exe
13    660  wscript.exe
16    660  wscript.exe
17    660  wscript.exe
18    660  wscript.exe
20    660  wscript.exe
21    660  wscript.exe
22    660  wscript.exe
24    660  wscript.exe
25    660  wscript.exe
26    660  wscript.exe
28    660  wscript.exe
29    660  wscript.exe
30    660  wscript.exe
32    660  wscript.exe

Executes dropped EXE (1 IoC)
Processes: Payload.exe
pid   Process
1656  Payload.exe

Drops startup file (2 IoCs)
Processes: wscript.exe
description                  ioc                                                                                         Process
File created                 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJuNhYQRCb.js  wscript.exe
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJuNhYQRCb.js  wscript.exe

Loads dropped DLL (5 IoCs)
Processes: WerFault.exe
pid   Process
1732  WerFault.exe
1732  WerFault.exe
1732  WerFault.exe
1732  WerFault.exe
1732  WerFault.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
Processes: Payload.exe
description  ioc                                                                                                                                                                                          Process
Key opened   \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  Payload.exe
Key opened   \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676                                    Payload.exe
Key opened   \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676                                    Payload.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP)
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash (1 IoC)
Processes: WerFault.exe
pid   pid_target  Process       procid_target
1732  1656        WerFault.exe  29

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: Payload.exe
description        ioc                                                                      Process
Key opened         \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0             Payload.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier  Payload.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: Payload.exe
description               pid   Process
Token: SeDebugPrivilege   1656  Payload.exe

Suspicious use of WriteProcessMemory (11 IoCs)
Processes: wscript.exe, Payload.exe
description                         pid   Process      procid_target
PID 1540 wrote to memory of 660     1540  wscript.exe  28
PID 1540 wrote to memory of 660     1540  wscript.exe  28
PID 1540 wrote to memory of 660     1540  wscript.exe  28
PID 1540 wrote to memory of 1656    1540  wscript.exe  29
PID 1540 wrote to memory of 1656    1540  wscript.exe  29
PID 1540 wrote to memory of 1656    1540  wscript.exe  29
PID 1540 wrote to memory of 1656    1540  wscript.exe  29
PID 1656 wrote to memory of 1732    1656  Payload.exe  33
PID 1656 wrote to memory of 1732    1656  Payload.exe  33
PID 1656 wrote to memory of 1732    1656  Payload.exe  33
PID 1656 wrote to memory of 1732    1656  Payload.exe  33

outlook_office_path (1 IoC)
Processes: Payload.exe
description  ioc                                                                                                                                        Process
Key opened   \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  Payload.exe

outlook_win_path (1 IoC)
Processes: Payload.exe
description  ioc                                                                                                                                                                                          Process
Key opened   \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  Payload.exe
Processes

1. C:\Windows\system32\wscript.exe
   wscript.exe "C:\Users\Admin\AppData\Local\Temp\Proforma DA request.js"
   - Suspicious use of WriteProcessMemory
   PID: 1540

   2. C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\HJuNhYQRCb.js"
      - Blocklisted process makes network request
      - Drops startup file
      PID: 660

   2. C:\Users\Admin\AppData\Local\Temp\Payload.exe
      "C:\Users\Admin\AppData\Local\Temp\Payload.exe"
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - Checks processor information in registry
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - outlook_office_path
      - outlook_win_path
      PID: 1656

      3. C:\Windows\SysWOW64\WerFault.exe
         C:\Windows\SysWOW64\WerFault.exe -u -p 1656 -s 1872
         - Loads dropped DLL
         - Program crash
         PID: 1732

Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 755KB
MD5: 2b7f757f0a02ced496481020f0b8f1eb
SHA1: 21f11c5f725648d27af684ecff61c3ef7ecbcba3
SHA256: e9104e917f45761bacb425fc97f53175c3ad82ac1961fd68b749c574ec81b3e9
SHA512: 1a13cd7f10099cfb679974fb8984ed9698bd5f2bef3beac3f06027e25ecb8147864c6b15768a204991e8e5d6eef75e3447dd816d9c00497b31f479b72197a9d7

Filesize: 16KB
MD5: bc7e3f3b7e656d7210168ade916e46ed
SHA1: 210515856852a1563147ce7e86504c6ceede5f27
SHA256: 9cfe508ba1049698650251a3ae53bdc78770d77d1bbe6d30653eb5c4fa29acba
SHA512: bb8424b6b60d66db6e021fcc6ab132437addbb196bd1709e855ea184c5dcfdd5aa8c3008c3526dc6f8c475165f18b966766850e758fccdd40bfd04874c6e5c17