Overview

overview

10

Static

static

1

6220_837_pdf.js

windows10-2004-x64

10

Resubmissions

05-07-2023 19:03

230705-xqpfgafc97 10

05-07-2023 18:13

230705-wtsrmage2t 10

Analysis

  • max time kernel
    5s
  • max time network
    60s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-07-2023 19:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6220_837_pdf.js

  • Size

    320KB

  • MD5

    8008857b28d94bb0df9b513906ed1508

  • SHA1

    d88e06d7ace9289d09a652e294c0654cfd0b573d

  • SHA256

    de98a33ed6bbd7f0d48346d4a55fb7519b9d6c5afa0e1b46e97c41d0a722fd47

  • SHA512

    720f41be8cbd3545d54d4a307559a460e4b2da0a75dc48914f1bd6645911cfb9a0a95f493afdb91f825d8296d2d1d578750f414a31580851a2be0d8c5a15bacc

  • SSDEEP

    1536:JAYMJMMPQXgBFhHZqOQYcEp24+zVevP5e+3kGra+TmarAYvJMMPQXgBFhHZrOQYW:RgBFhQOQY06TagBFhFOQY06T4

Score
10/10

Malware Config

Extracted

Language
ps1
Source
URLs
ps1.dropper

http://cryptersandtools.minhacasa.tv/e/js_startup

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 63 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\6220_837_pdf.js
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4256
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionPolicy Bypass -File "C:\Users\Public\WnKdUR.ps1"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2824
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2484
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4948
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4948.0.617128377\434725314" -parentBuildID 20221007134813 -prefsHandle 1836 -prefMapHandle 1828 -prefsLen 20938 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f78a1076-63b9-42ca-b21f-fffce1162e94} 4948 "\\.\pipe\gecko-crash-server-pipe.4948" 1916 27262dba858 gpu
        3⤵
          PID:4448
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4948.1.135766353\733880977" -parentBuildID 20221007134813 -prefsHandle 2304 -prefMapHandle 2292 -prefsLen 20974 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {496b71e8-6636-4e4b-aba2-c1518579992a} 4948 "\\.\pipe\gecko-crash-server-pipe.4948" 2316 2725656f858 socket
          3⤵
            PID:4252
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4948.2.958608818\935293346" -childID 1 -isForBrowser -prefsHandle 3220 -prefMapHandle 3348 -prefsLen 21077 -prefMapSize 232675 -jsInitHandle 1420 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ea123bfe-2e58-4749-821f-871e39d84fe4} 4948 "\\.\pipe\gecko-crash-server-pipe.4948" 3540 27266cabc58 tab
            3⤵
              PID:1832
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4948.3.438881172\161029758" -childID 2 -isForBrowser -prefsHandle 3776 -prefMapHandle 3772 -prefsLen 26437 -prefMapSize 232675 -jsInitHandle 1420 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e919f8fc-39c3-4e95-bdac-10f9203ec063} 4948 "\\.\pipe\gecko-crash-server-pipe.4948" 2928 27256562858 tab
              3⤵
                PID:5040
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4948.4.1573664590\953722689" -childID 3 -isForBrowser -prefsHandle 4384 -prefMapHandle 4400 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1420 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b9ad207c-d05b-4c7d-b240-0223116042f8} 4948 "\\.\pipe\gecko-crash-server-pipe.4948" 4136 27268ad3658 tab
                3⤵
                  PID:1156
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4948.7.806432860\1213020643" -childID 6 -isForBrowser -prefsHandle 5224 -prefMapHandle 5228 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1420 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f5f7db78-8ce2-43ff-9b1d-d79268393fa0} 4948 "\\.\pipe\gecko-crash-server-pipe.4948" 5216 272693f5858 tab
                  3⤵
                    PID:1804
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4948.6.1729555338\588557734" -childID 5 -isForBrowser -prefsHandle 5024 -prefMapHandle 5028 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1420 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8d65aa15-2b9d-4a57-b85c-4d51fd58d100} 4948 "\\.\pipe\gecko-crash-server-pipe.4948" 5108 2726921d458 tab
                    3⤵
                      PID:3992
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4948.5.1764353406\579405764" -childID 4 -isForBrowser -prefsHandle 4900 -prefMapHandle 4852 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1420 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e79a85b7-ca8d-47ec-b550-650c3baa14d9} 4948 "\\.\pipe\gecko-crash-server-pipe.4948" 4872 2725652ed58 tab
                      3⤵
                        PID:4320
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4948.8.237773259\1464974326" -childID 7 -isForBrowser -prefsHandle 2880 -prefMapHandle 4860 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1420 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e9bd62a0-400a-41bd-907b-cc56faa79940} 4948 "\\.\pipe\gecko-crash-server-pipe.4948" 4868 27262dc9458 tab
                        3⤵
                          PID:4992

                    Network

                    MITRE ATT&CK Enterprise v6

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nxs4tixn.2jr.ps1
                      Filesize

                      60B

                      MD5

                      d17fe0a3f47be24a6453e9ef58c94641

                      SHA1

                      6ab83620379fc69f80c0242105ddffd7d98d5d9d

                      SHA256

                      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                      SHA512

                      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hw21aoqh.default-release\prefs-1.js
                      Filesize

                      6KB

                      MD5

                      64d3e5d54e3c52a3adf0d017d0c9bc72

                      SHA1

                      07eee373ae3ee552852d6a7d3d1ac38a7bc3906d

                      SHA256

                      4b6b773f5fc450d0c2fbaa5e9cb5e3783b0107d5d233b4c32f3d77b93038bdb4

                      SHA512

                      907e8da03bbcb799c90ac8546ae2c57e3b3b1343d283069a83c103aa40e0d47a01d057ddb5d716006e348b59dcaae4e735d93393a387280a454c2fed2a83c9ba

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hw21aoqh.default-release\prefs-1.js
                      Filesize

                      7KB

                      MD5

                      1dbc4c3815585352abc2843a7f9bb945

                      SHA1

                      15f39e705c9883c4dded59906328a714f0c59c0b

                      SHA256

                      ec552ea77a3d6157017d3f3ad894b6f95a818daf28af181d650bad50c6e4a92a

                      SHA512

                      6f81c87d41797c8b30413f89645ab4daf11df2e0556c9bfa04b6877d2c3b3fc00b09bd5c3eb0dd274bc99b051407ea3e636194d6ee18b15ceb357c1e7bbe62b6

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hw21aoqh.default-release\prefs.js
                      Filesize

                      6KB

                      MD5

                      a41b1b974af6a5c8b1bc056ce10d9896

                      SHA1

                      5979e30321d3091b55e26bffa8c5c9830b98b345

                      SHA256

                      03f052e1a946c1aa9f4b4b29ca4986633cd2380aee87075dbaeb9e04341cf9c7

                      SHA512

                      d02b2eeb2aa1f8673b92707904ae758ef2b71d7b8ee924899d9835a956006404ebc1942d4ffb00a75a02787fc36060095dc9dfaa98662ef675d439392ff10bfa

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hw21aoqh.default-release\sessionstore-backups\recovery.jsonlz4
                      Filesize

                      1KB

                      MD5

                      c17e57671d4cf127a157c75c486c2b0d

                      SHA1

                      ca212f15eb6e49cbc4e0d0d1cabf7db17b2d11b4

                      SHA256

                      a38c24deaaef8810e98ae4c38ed26ae10a0564d42d3ebb7540da6b631d48493d

                      SHA512

                      8692b5b030b6bb0777057e691c2a2111b80d73ee29a0cc4c3648735056218aa07323c860a21d715ed9b418637120e155acdfcb151e4ca5b875c953b433593980

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hw21aoqh.default-release\sessionstore-backups\recovery.jsonlz4
                      Filesize

                      64KB

                      MD5

                      44b959d3690ad4a988055234e1e5ae71

                      SHA1

                      dee482880cfb8ea6a5520090cae8e429d86a1c7a

                      SHA256

                      87161cff114b0a3b9b835bc4f38c75330f14b3547908134cae04622f0fbe6bc6

                      SHA512

                      ce2fcec266fda5da04e271905168a3ad0d7c02cc517e4ec0edc6ff7fab1a032050af6d955fcdffb9c39f230c14e39053f9b957fba30e4b28446e3ca2a19aea8d

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hw21aoqh.default-release\sessionstore-backups\recovery.jsonlz4
                      Filesize

                      65KB

                      MD5

                      44541dd37b151134143af30aba6e2876

                      SHA1

                      abc04eee1e4651e3ecdeb1cc242e1c42afa43cff

                      SHA256

                      ed888fd6d92063e4076749efb11b4889ba8faf1e3bccf01d571d39574b5358ab

                      SHA512

                      e5875d5849d29ad94dfbea7b3760718453230afe78098d63aa892d4e4bfe314e61bf1a6f6e9803a862abdaf851c8e84759e90b9e749fc9cdc81b927a9056ea8a

                      Download Submit

                    • C:\Users\Public\WnKdUR.ps1
                      Filesize

                      471B

                      MD5

                      6e6269ed0b905042ee927c784c7a3942

                      SHA1

                      a86e24af3b84a17e2fef61b80887d2fee82c9098

                      SHA256

                      d0564475466126aca0b1ee5996fe2161becbe147406daeac12b6af3276a213ba

                      SHA512

                      7c1c4b71f4cb1de86dcdbc94f78760d29bbdeb671efeca16abf114ebfa015f32951d58da6deec355fac30ddb4b601a1ed5e5e866379a97478f59767d56cf1ffd

                      Download Submit

                    • memory/2824-218-0x0000023028790000-0x0000023028AAA000-memory.dmp

                      Filesize

                      3.1MB

                      Download

                    • memory/2824-220-0x0000023028790000-0x0000023028AAA000-memory.dmp

                      Filesize

                      3.1MB

                      Download

                    • memory/2824-186-0x0000023028790000-0x0000023028AAA000-memory.dmp

                      Filesize

                      3.1MB

                      Download

                    • memory/2824-188-0x0000023028790000-0x0000023028AAA000-memory.dmp

                      Filesize

                      3.1MB

                      Download

                    • memory/2824-192-0x0000023028790000-0x0000023028AAA000-memory.dmp

                      Filesize

                      3.1MB

                      Download

                    • memory/2824-198-0x0000023028790000-0x0000023028AAA000-memory.dmp

                      Filesize

                      3.1MB

                      Download

                    • memory/2824-200-0x0000023028790000-0x0000023028AAA000-memory.dmp

                      Filesize

                      3.1MB

                      Download

                    • memory/2824-206-0x0000023028790000-0x0000023028AAA000-memory.dmp

                      Filesize

                      3.1MB

                      Download

                    • memory/2824-208-0x0000023028790000-0x0000023028AAA000-memory.dmp

                      Filesize

                      3.1MB

                      Download

                    • memory/2824-196-0x0000023028790000-0x0000023028AAA000-memory.dmp

                      Filesize

                      3.1MB

                      Download

                    • memory/2824-210-0x0000023028790000-0x0000023028AAA000-memory.dmp

                      Filesize

                      3.1MB

                      Download

                    • memory/2824-212-0x0000023028790000-0x0000023028AAA000-memory.dmp

                      Filesize

                      3.1MB

                      Download

                    • memory/2824-214-0x0000023028790000-0x0000023028AAA000-memory.dmp

                      Filesize

                      3.1MB

                      Download

                    • memory/2824-216-0x0000023028790000-0x0000023028AAA000-memory.dmp

                      Filesize

                      3.1MB

                      Download

                    • memory/2824-177-0x0000023028790000-0x0000023028AAA000-memory.dmp

                      Filesize

                      3.1MB

                      Download

                    • memory/2824-222-0x0000023028790000-0x0000023028AAA000-memory.dmp

                      Filesize

                      3.1MB

                      Download

                    • memory/2824-226-0x0000023028790000-0x0000023028AAA000-memory.dmp

                      Filesize

                      3.1MB

                      Download

                    • memory/2824-228-0x0000023028790000-0x0000023028AAA000-memory.dmp

                      Filesize

                      3.1MB

                      Download

                    • memory/2824-224-0x0000023028790000-0x0000023028AAA000-memory.dmp

                      Filesize

                      3.1MB

                      Download

                    • memory/2824-184-0x0000023028790000-0x0000023028AAA000-memory.dmp

                      Filesize

                      3.1MB

                      Download

                    • memory/2824-230-0x0000023028790000-0x0000023028AAA000-memory.dmp

                      Filesize

                      3.1MB

                      Download

                    • memory/2824-232-0x0000023028790000-0x0000023028AAA000-memory.dmp

                      Filesize

                      3.1MB

                      Download

                    • memory/2824-234-0x0000023028790000-0x0000023028AAA000-memory.dmp

                      Filesize

                      3.1MB

                      Download

                    • memory/2824-236-0x0000023028790000-0x0000023028AAA000-memory.dmp

                      Filesize

                      3.1MB

                      Download

                    • memory/2824-238-0x0000023028790000-0x0000023028AAA000-memory.dmp

                      Filesize

                      3.1MB

                      Download

                    • memory/2824-240-0x0000023028790000-0x0000023028AAA000-memory.dmp

                      Filesize

                      3.1MB

                      Download

                    • memory/2824-242-0x0000023028790000-0x0000023028AAA000-memory.dmp

                      Filesize

                      3.1MB

                      Download

                    • memory/2824-246-0x0000023028790000-0x0000023028AAA000-memory.dmp

                      Filesize

                      3.1MB

                      Download

                    • memory/2824-248-0x0000023028790000-0x0000023028AAA000-memory.dmp

                      Filesize

                      3.1MB

                      Download

                    • memory/2824-250-0x0000023028790000-0x0000023028AAA000-memory.dmp

                      Filesize

                      3.1MB

                      Download

                    • memory/2824-253-0x000002300F240000-0x000002300F250000-memory.dmp

                      Filesize

                      64KB

                      Download

                    • memory/2824-255-0x000002300F240000-0x000002300F250000-memory.dmp

                      Filesize

                      64KB

                      Download

                    • memory/2824-252-0x000002300F240000-0x000002300F250000-memory.dmp

                      Filesize

                      64KB

                      Download

                    • memory/2824-244-0x0000023028790000-0x0000023028AAA000-memory.dmp

                      Filesize

                      3.1MB

                      Download

                    • memory/2824-175-0x0000023028790000-0x0000023028AAA000-memory.dmp

                      Filesize

                      3.1MB

                      Download

                    • memory/2824-174-0x0000023028790000-0x0000023028AAA000-memory.dmp

                      Filesize

                      3.1MB

                      Download

                    • memory/2824-145-0x000002300F240000-0x000002300F250000-memory.dmp

                      Filesize

                      64KB

                      Download

                    • memory/2824-144-0x000002300F240000-0x000002300F250000-memory.dmp

                      Filesize

                      64KB

                      Download

                    • memory/2824-143-0x00000230282E0000-0x0000023028302000-memory.dmp

                      Filesize

                      136KB

                      Download