6af509a247fccfa95589e9624b3d7a0c6f903822efb432d71e079272582f7fbe

Resubmissions

19-07-2023 21:16

230719-z4frlabb95 4

19-07-2023 21:13

230719-z2sndabb89 5

11-11-2022 04:56

221111-fkt1bsbcbk 5

Analysis

max time kernel
149s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
19-07-2023 21:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

var www html kemhan/wp-content/themes/menhan/js/zozo.tabs.min6b5a.js
Size

71KB
MD5

eceeac8af1ebff77c1f9020aa3256019
SHA1

fcfd5e117300ec45395963bba9b9c7e480cf7fbf
SHA256

f2860c5a201d8624e677dfe085a4b1c534897ce68713c2327648a1746485e8d0
SHA512

af990003a7c24cfa488609fdcc1685753f46b634b33f31975c9a7daa10915d0f659eae0b6a1679cd23508dd4eedd1213d872dbc082d105789ba01ab3671c1ff6
SSDEEP

768:3fGN8B0fxTkfR9YT0UDF3NH+f/v9XGbIAS79sbhWaI753UXuVa+hQlTHrpaMhuRd:vGCB05avsBhs

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{5FFCB993-6D9F-4EE3-ABDA-9BA7BDC2FF6D}.catalogItem	svchost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	3236	svchost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\var www html kemhan\wp-content\themes\menhan\js\zozo.tabs.min6b5a.js"
1⤵
PID:3908

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
PID:112

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:1760

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3236

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\wsuA1CE.tmp

Filesize
14KB

MD5
c01eaa0bdcd7c30a42bbb35a9acbf574

SHA1
0aee3e1b873e41d040f1991819d0027b6cc68f54

SHA256
32297224427103aa1834dba276bf5d49cd5dd6bda0291422e47ad0d0706c6d40

SHA512
d26ff775ad39425933cd3df92209faa53ec5b701e65bfbcccc64ce8dd3e79f619a9bad7cc975a98a95f2006ae89e50551877fc315a3050e48d5ab89e0802e2b7

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
0c2a1ed9e85a80de010e33961d51eb9c

SHA1
f8b1cdcfcc43879ee03a17b61466816e9e31449e

SHA256
6554311ab799e9d8cd6d8f9e4c5e9e57f800f366b66491a8e0419af1e132be27

SHA512
63a290263249ef0feb19ce5603c9314399b7f35c6f8f391eea7f1af27fce37c744df068c1e6fccb1dc1bfc6f33a8b3e77044acfbb46c06b36e699d8d13dc94d3

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
d7382a18a8dc3a30519051d55ca25731

SHA1
1f937018bd3d5130a7f2dc4de6613dc831d5874a

SHA256
e49f54cb38e7a66f053cd89c9d7fabfc12e843692aa3e6fc988b9dff210096d1

SHA512
616da16d0eeb3bf36843ae83a9d77c2222cae0fc89a95b74a3cf722a565682a4435059923b4f0f2492ef9f07c885a43eb5534aae5c7797a5c4fb24d203ec0eb6

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
2ff0f4c855dca2c0b0280408cacc0d26

SHA1
1844bf277a8e08b46d41b8b082ba0872e1b73c4e

SHA256
370f9abaae748e97163c94c8633eefb73575c7bebe54ae24473f97f9003920bf

SHA512
c6aa0a35db9ceb9b8c52878d4cc83b75cddfca88e35ae79a8c13f4592892ecd03f23fb07314068a411a46274f337353198ce686e2fa0ce0ea7d5e9bb42cb93f7

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
f56159648f5e0fc00eff6cf2507bd1c2

SHA1
e21f925e0a03b469a31cc99b6d1e74c7377af6f8

SHA256
a91d7a7a2ce111e494113f0a2ac0676e663629bac2087f02541f2e34e5be07a2

SHA512
db799d7e3035421c37d688b0a201234d8a477a706f660b642bc7457aefd050725d3baf35eafbf7bfbfa70b2a6563afcacbe0981b00eeaab83703da584422637e

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
dee088db3dfbc19f5ce9526737e8e66c

SHA1
f54ade20df12150c889dfa01ab20d400c792d8fb

SHA256
9fc45e47976bb2fb2ab736ab1dfb394d7f49cafb0c5f55d02d05eab318f637ee

SHA512
490f1c8b3debc6638d12921b65018c0ac0c8d80f40c0dd41698e5e3ba6712dfb4cec49dd594c0f9e66364564b3827346cdb537b315384db91631838a13adac6d

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
45fcdb2baefb7a85505c3969bbdcfb67

SHA1
8d0175b6e740f241bbe0b899d1d9aee45ea1c035

SHA256
5094264c096f5feb703c2b0f7a130f05b9debdc556388007b1130f0fb784fa92

SHA512
8245592a67461f7ca1dd5a267fc4a69e9d71403102d728dbe2d4dc753edbd68a918f52bab80d289bf0bdaea0c618dafaf29809abbe59b44e3b79b928b44a003a

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
26ecaa0c35312b06611edf8a0c4cdc6e

SHA1
fb5479bbe91db5f8ce730dc8a6b9714c19074fdd

SHA256
cdb56e33b79134671d418f4a4c2700b366bb7c824456f0064a4a52135acd476f

SHA512
20cd5c7427d0926287da93078112ea15f4b87229f25976184729e3c6f38f1762ddf192627b191e66d58382a34a5ae71546ee28d042ecdf422335961b29ee553e

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
0ce2fcbea14851ce44182112ee2b974e

SHA1
bfb10b53a1bfcaebdb6d9ecbed014e8be288551f

SHA256
930806d523667e00be0e7483077340fb5ece6cc9625b19e77092c183dbde3708

SHA512
63b38cd6e83ec2034db46bda5b0018ac543cbc30d6ff4d22bc0e4296219ad0823fa6ef99e73f806b89221185d4acde732dac44c517c74682a9b6968fa30c8ce1

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
f6151af243857b266d3bc6debf4824ef

SHA1
70fe3d5efab7584024bca46da0ced1b75a69b7fc

SHA256
e41342278e8dde45c5b637180705d88d0f5d06c9c8d2c11ee9ba1e67ef260d48

SHA512
49fc97fc1df742b66fd52f08c213c181f2458fca4fe4346bdd89936c40a468fb751fc6d23c5c5bba6cd5befac2d1dcedabb82c1e13d9eaf0fa6b35598f3c2526

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
57cb60b11e375382067f9881237f7ae3

SHA1
e98043ac63be8b305b95e076561911fe0e05e049

SHA256
25c8b381325b5bf9f75e9acd5003134f43eb033bdd568323b77c9ebf49387ed9

SHA512
781f4dab5b4e70b74d9b50e5fa8fb6e66369a79caa7433e97266bd1ce9d9df17ecda5663b8a9dc720020271a944bf6c4715ff0da975c538d7e1fa9064366ccc9

Download Submit
memory/3236-351-0x000001FD6BA40000-0x000001FD6BA50000-memory.dmp

Filesize
64KB

Download
memory/3236-367-0x000001FD6BB40000-0x000001FD6BB50000-memory.dmp

Filesize
64KB

Download
memory/3236-386-0x000001FD73E80000-0x000001FD73E81000-memory.dmp

Filesize
4KB

Download
memory/3236-388-0x000001FD73EA0000-0x000001FD73EA1000-memory.dmp

Filesize
4KB

Download
memory/3236-389-0x000001FD73EA0000-0x000001FD73EA1000-memory.dmp

Filesize
4KB

Download
memory/3236-390-0x000001FD73FC0000-0x000001FD73FC1000-memory.dmp

Filesize
4KB

Download