Analysis
-
max time kernel
287s -
max time network
293s -
platform
windows10-2004_x64 -
resource
win10v2004-20230703-es -
resource tags
-
submitted
04-08-2023 21:48
General
-
Target
x4b4ier.js
-
Size
1.7MB
-
MD5
ab01b574d043fee15b3fc37aa7da09b7
-
SHA1
df20c798b6d3faf2feb769fea68ae32507989320
-
SHA256
885c5f1c8ddc46424971c0e128f8287ec7f7c0effeab7e848d2ef56a1dc8b8af
-
SHA512
77ceea2e77586c69ae42b0ea246bd8023d4df6d03ec3c8201cfbb4b6aec95ac72c04b88ceb5916a11386935e0a082977925b0fb5d011ece6d70acc7325dc37ea
-
SSDEEP
24576:1oBtBRwdH5U2XVFuX9Ty29FjrVa82JSFDu/0PTGxDvbISH/gorRJ5hJzIE3EoUcd:YvxF3WcTcQCxzUzQ
Malware Config
Signatures
-
Blocklisted process makes network request 3 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
-
Suspicious use of FindShellTrayWindow 33 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of SetWindowsHookEx 21 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\x4b4ier.js1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\x4b4ier.html1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff81e0646f8,0x7ff81e064708,0x7ff81e0647182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,23133033372116460,10692385264781142385,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2080 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,23133033372116460,10692385264781142385,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2060,23133033372116460,10692385264781142385,131072 --lang=es --service-sandbox-type=utility --mojo-platform-channel-handle=2916 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,23133033372116460,10692385264781142385,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3492 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,23133033372116460,10692385264781142385,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3504 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,23133033372116460,10692385264781142385,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5012 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2060,23133033372116460,10692385264781142385,131072 --lang=es --service-sandbox-type=collections --mojo-platform-channel-handle=5240 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,23133033372116460,10692385264781142385,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4904 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2060,23133033372116460,10692385264781142385,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=3244 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,23133033372116460,10692385264781142385,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=5932 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,23133033372116460,10692385264781142385,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=5932 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,23133033372116460,10692385264781142385,131072 --lang=es --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,23133033372116460,10692385264781142385,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5952 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,23133033372116460,10692385264781142385,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,23133033372116460,10692385264781142385,131072 --lang=es --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,23133033372116460,10692385264781142385,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\TimbreFiscalDigital_Estado_De_NoPago-ID-H6H464L-921691184854\Factura_NoPago-7H43Y5K664cd6ed6a2aad.vbs"1⤵
- Blocklisted process makes network request
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\TimbreFiscalDigital_Estado_De_NoPago-ID-H6H464L-921691184854\Factura_NoPago-7H43Y5K664cd6ed6a2aad.vbs"1⤵
- Blocklisted process makes network request
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\TimbreFiscalDigital_Estado_De_NoPago-ID-H6H464L-921691184854\Factura_NoPago-7H43Y5K664cd6ed6a2aad.vbs"2⤵
- Blocklisted process makes network request
-
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD58411007bafe7b1182af1ad3a1809b4f8
SHA14a78ee0762aadd53accae8bb211b8b18dc602070
SHA2561f274d0d144942d00e43fb94f9c27fc91c68dce50cd374ac6be4472b08215ca3
SHA512909e2e33b7614cb8bbd14e0dfff1b7f98f4abbf735f88292546ce3bfa665e4cb5ee4418561004e56afc5dd30d21483b05f6358dad5624c0dc3ab1ba9a3be18eb
-
Filesize
912B
MD57c3a112aa3b3bf4326d3dc850606f01d
SHA1d10b4d6f127813bcac7598d31f1747e160a2f1b1
SHA25657994a7d1279217114c17794a059fcb4375ca19168581179b243b686b346c197
SHA5127b285ee562baf5790c5b798714b2d59284eb414949e96753a0853619c9b239feb78e1fa6c6f2864b402eb872eac3f03af3cc393365b7fe4d6f5d56f0b18edf60
-
Filesize
480B
MD547b9b01f82a7476fdedb9c63dad5265a
SHA10608e38e17db0e6d43ce554453aa79955a806976
SHA256dcf451c90958c2e52417e4b7bd495fa85ccce90ae10e49a832089e385beba14c
SHA51251e9fc89cfd96b05afb9e3c5dc5c9c314ea151a679fcd8393b1ba10738331e35c8cfd913a9ef649d5fff527035d48098932c2a36a1e2e573b31300f66c3865b7
-
Filesize
111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
Filesize
564B
MD56d0abd234db2db45623289a118480156
SHA1d65424a7e3433c29bf4129690a1b7d93e9784d3b
SHA25693ae4561a0243e41549ab4e7f1b0f136a259d0fdee9f9bea11eb8cf7adc7595f
SHA512a106ec87e314436393cd52527a2638b89d97a86d8ccb69315c2c76e7edb6bbf4f6ba4833ecc4ab22f1f23b637d1dbd68d05265ed6e0e75099141c6cb1eb2fd76
-
Filesize
5KB
MD53f3d639e5943c1b42be4d6b46e657852
SHA13ab7bc1172180e5c55f2d7edb8ab6a1b4907b90e
SHA25689c80d1d0bec0b11dd51770bac8567c48ce2b7f62c44a250db3e044a3ae77c46
SHA5128725733219f97124994b8d48ea35177002168339cfbeabaceece502b6a7c186ae0b22a8fcd9098e319d25bd146e7af692c9894c60c3ab92a8479d03ec1dae81d
-
Filesize
5KB
MD5f261117207ad7fc36d3028a895cd818a
SHA1ca093add894df5d6c5935ebf814e09f448ac58c3
SHA256a1512cb7dc4810c27291e11c47eaacebb49d88f66f3e35b633ff0df673a132a5
SHA512efe373664c3269bbc3e4a65c321b21ef7e200d4072167a3adc0af60e09b00aaa08d68d87bb1b78606b5554863e2f11b05a9080c3eb4f389d6d191b22806ba789
-
Filesize
6KB
MD5b4978ce4fc2006c899408691e823af5e
SHA140732bab9e0dd9a44907c31bee2aeccd7672d222
SHA25641e897c101a36d1d5ac799ca642d220b16469dd303199b5e0472d452c91ac410
SHA51289d9385fe9df1dd0cc6af3b3946019a42fc5e47ebb1970ee224f56c353f3a5fecd142b5d575dffeac7644b8bc4c7ac18180f2eff53c32af43e53d8a13e593048
-
Filesize
6KB
MD584b3271cd3e0d6a03ff230b778c54293
SHA1249fa9441a768bd4ea49903a94e8a82f68268736
SHA2561ef8ace235e4f11b5272059a4449d197ca8a140ba965763c952f3a1ff47059a0
SHA5120e312d2d516ef51deedaf716cbcf21a68c3b1bd6375a862018baa75ebac70fcea7fda8e25ec8a351160c1a0d89ac3df5a604c9c1b6a93c1cbc0053733cebfade
-
Filesize
24KB
MD58caf4d73cc5a7d5e3fb3f9f1a9d4a0cc
SHA183f8586805286b716c70ddd14a2b7ec6a4d9d0fe
SHA2560e0c905b688340512e84db6cf8af6dbdfe29195fefde15bd02e4917a2c5fda8c
SHA512084ef25ea21ee1083735c61b758281ba84b607e42d0186c35c3700b24a176ada47bf2e76ed7dadd3846f2b458c977e83835ced01cda47cdd7ab2d00e5a1a294e
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
12KB
MD53d78e1e2c85537267fd79a9c515f7295
SHA15b7f8a818aa7bda294c8cd930b109065fc03a6ac
SHA256474fbcfeb099c7a78481a7902b1cfa2ddadf6726d9168655b8fb91a4d5cbe68a
SHA5121bfb6b83c8b9f9a1258047303f83b0c7ae34a70fe8884d6719e24acdd275325dd17e56f6ab81aae4c1731cf2247d988e78a2f911e36efbfe2fd61532cce71c87
-
Filesize
12KB
MD52bb0ad9b6ed92e51863d5fbcf214fd23
SHA126d9f19d5184f7c0d389b3e2b4770961fc355281
SHA256fafdd880b4fb5e0c06b4a194ae8fb6021a607e227c0c0ed8cd19f02f99964a5d
SHA512e528464c60741d2506b06f425e34eff5f2267102fa6ec9d3742f996edbbafe24d02bc4e9d8a73f94010a97e9a0d451cd2ed2ba784679050a21f837a6d0da5d2e
-
Filesize
13KB
MD5fd6a02040183af0edab270854a534ef0
SHA1346189e6b250f9153bef01906e99b7f7913e7e68
SHA2566fbc003f36ea2873d31591a3e67d5dbfabfb58eed5ae23d691e574f21b64b31c
SHA512b39259ef409ee371a0dd8bf11d72f72975bf88ddcd24e0af02f023971baf2365096bfd2c06ec8cbbd839d367ec694d4b0e8013aea888270e84c22a01de7c9dc9
-
Filesize
12KB
MD59eaf4c3b202b55e953d7b53d1804787c
SHA182074b07b243769774a0fb007197a7d27f0a3953
SHA2565ed6dc72ec34940647e07fc5ca8e6fcdd2cc746a5093831e99638dc9fe86ca4c
SHA512e540331c2dce52e7abf85400dc6124f35a3e81fb11ace5b15fd65b9204d50c4eee8286bbe35cbe738a804fb1888ddf7add693129521bf3747a67ce5d10da7d21
-
Filesize
89B
MD5196cfacaffb725c92c6d5d4f16289e92
SHA1b6306fe94c164053882259f3d3105e6c4519bf81
SHA2563cd343b356e21807ba2d17e5de1fe01756ec53bcc76699572e78b0befbe5ac6f
SHA5129319817e1964ecb66fa16fc2ce02c8d140a5936a10174d7723906fc0ec99f07f88fc1b87319c345b21c36ef0243c80757eccd4ded89767fd1466b0687722aaab