8e7f45ba404445ce4b890adbae3660c3a3d25a4e25d2cd5c1c63e84d9bfb293c

Analysis

max time kernel
146s
max time network
123s
platform
windows7_x64
resource
win7-20231025-en
resource tags

arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system
submitted
24/11/2023, 12:14

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Agenzia_Entrate (20)(1).js
Size

4KB
MD5

34a5dd0102028beff127a458276fdb43
SHA1

0f428b7ecee697d5a4be044a776f5e37e3435fd5
SHA256

8e7f45ba404445ce4b890adbae3660c3a3d25a4e25d2cd5c1c63e84d9bfb293c
SHA512

d4b5f65eba75ee3813966797febefe2a4d32e6c9accbd369f14988d913c1fe46fe540020f910293f3829854294877d61bb5c9fbb6451850fe842f636c779132a
SSDEEP

96:a3w8+mAFu1VeheOC0uzmMdOs5GcgbrwXM8TGfJwAm/Ilcj2:a3wfFUegOZuiUfgXw86sw92

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
3	2916	wscript.exe

Executes dropped EXE 1 IoCs

pid	Process
1768	fmsign.exe

Loads dropped DLL 7 IoCs

pid	Process
2728	WerFault.exe
2728	WerFault.exe
2728	WerFault.exe
2728	WerFault.exe
2728	WerFault.exe
2728	WerFault.exe
2728	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2728	1768	WerFault.exe	28

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	wscript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	wscript.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	3	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1768	fmsign.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2916 wrote to memory of 1768	2916	wscript.exe	28
PID 2916 wrote to memory of 1768	2916	wscript.exe	28
PID 2916 wrote to memory of 1768	2916	wscript.exe	28
PID 2916 wrote to memory of 1768	2916	wscript.exe	28
PID 2916 wrote to memory of 1768	2916	wscript.exe	28
PID 2916 wrote to memory of 1768	2916	wscript.exe	28
PID 2916 wrote to memory of 1768	2916	wscript.exe	28
PID 1768 wrote to memory of 2728	1768	fmsign.exe	29
PID 1768 wrote to memory of 2728	1768	fmsign.exe	29
PID 1768 wrote to memory of 2728	1768	fmsign.exe	29
PID 1768 wrote to memory of 2728	1768	fmsign.exe	29

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Agenzia_Entrate (20)(1).js"
1⤵
- Blocklisted process makes network request
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2916
- C:\Windows\Temp\fmsign.exe
  "C:\Windows\Temp\fmsign.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1768
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 204
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Temp\fmsign.exe

Filesize
1.1MB

MD5
b54702f7e532b9f96c07e8afdf5a54ed

SHA1
fce5328a4e8854111bc2deb49b5c11f2ead3e189

SHA256
8cc48f95b1a247eda6d8d095b59083fcf66f6df8c7636e226fda3c84f4b05031

SHA512
fcfb13661076cdd72ca36ea5ada4561bdf7ef406e4921d4043f77833583f41a2bb6f7f3b29f1c7c908ed07676ac9dd8b5cee77c8dbc22e876ce9ce565a7462db

Download Submit
C:\Windows\Temp\fmsign.exe

Filesize
1.1MB

MD5
b54702f7e532b9f96c07e8afdf5a54ed

SHA1
fce5328a4e8854111bc2deb49b5c11f2ead3e189

SHA256
8cc48f95b1a247eda6d8d095b59083fcf66f6df8c7636e226fda3c84f4b05031

SHA512
fcfb13661076cdd72ca36ea5ada4561bdf7ef406e4921d4043f77833583f41a2bb6f7f3b29f1c7c908ed07676ac9dd8b5cee77c8dbc22e876ce9ce565a7462db

Download Submit
C:\Windows\Temp\fmsign.exe

Filesize
1.1MB

MD5
b54702f7e532b9f96c07e8afdf5a54ed

SHA1
fce5328a4e8854111bc2deb49b5c11f2ead3e189

SHA256
8cc48f95b1a247eda6d8d095b59083fcf66f6df8c7636e226fda3c84f4b05031

SHA512
fcfb13661076cdd72ca36ea5ada4561bdf7ef406e4921d4043f77833583f41a2bb6f7f3b29f1c7c908ed07676ac9dd8b5cee77c8dbc22e876ce9ce565a7462db

Download Submit
\Windows\Temp\fmsign.exe

Filesize
1.1MB

MD5
b54702f7e532b9f96c07e8afdf5a54ed

SHA1
fce5328a4e8854111bc2deb49b5c11f2ead3e189

SHA256
8cc48f95b1a247eda6d8d095b59083fcf66f6df8c7636e226fda3c84f4b05031

SHA512
fcfb13661076cdd72ca36ea5ada4561bdf7ef406e4921d4043f77833583f41a2bb6f7f3b29f1c7c908ed07676ac9dd8b5cee77c8dbc22e876ce9ce565a7462db

Download Submit
\Windows\Temp\fmsign.exe

Filesize
1.1MB

MD5
b54702f7e532b9f96c07e8afdf5a54ed

SHA1
fce5328a4e8854111bc2deb49b5c11f2ead3e189

SHA256
8cc48f95b1a247eda6d8d095b59083fcf66f6df8c7636e226fda3c84f4b05031

SHA512
fcfb13661076cdd72ca36ea5ada4561bdf7ef406e4921d4043f77833583f41a2bb6f7f3b29f1c7c908ed07676ac9dd8b5cee77c8dbc22e876ce9ce565a7462db

Download Submit
\Windows\Temp\fmsign.exe

Filesize
1.1MB

MD5
b54702f7e532b9f96c07e8afdf5a54ed

SHA1
fce5328a4e8854111bc2deb49b5c11f2ead3e189

SHA256
8cc48f95b1a247eda6d8d095b59083fcf66f6df8c7636e226fda3c84f4b05031

SHA512
fcfb13661076cdd72ca36ea5ada4561bdf7ef406e4921d4043f77833583f41a2bb6f7f3b29f1c7c908ed07676ac9dd8b5cee77c8dbc22e876ce9ce565a7462db

Download Submit
\Windows\Temp\fmsign.exe

Filesize
1.1MB

MD5
b54702f7e532b9f96c07e8afdf5a54ed

SHA1
fce5328a4e8854111bc2deb49b5c11f2ead3e189

SHA256
8cc48f95b1a247eda6d8d095b59083fcf66f6df8c7636e226fda3c84f4b05031

SHA512
fcfb13661076cdd72ca36ea5ada4561bdf7ef406e4921d4043f77833583f41a2bb6f7f3b29f1c7c908ed07676ac9dd8b5cee77c8dbc22e876ce9ce565a7462db

Download Submit
\Windows\Temp\fmsign.exe

Filesize
1.1MB

MD5
b54702f7e532b9f96c07e8afdf5a54ed

SHA1
fce5328a4e8854111bc2deb49b5c11f2ead3e189

SHA256
8cc48f95b1a247eda6d8d095b59083fcf66f6df8c7636e226fda3c84f4b05031

SHA512
fcfb13661076cdd72ca36ea5ada4561bdf7ef406e4921d4043f77833583f41a2bb6f7f3b29f1c7c908ed07676ac9dd8b5cee77c8dbc22e876ce9ce565a7462db

Download Submit
\Windows\Temp\fmsign.exe

Filesize
1.1MB

MD5
b54702f7e532b9f96c07e8afdf5a54ed

SHA1
fce5328a4e8854111bc2deb49b5c11f2ead3e189

SHA256
8cc48f95b1a247eda6d8d095b59083fcf66f6df8c7636e226fda3c84f4b05031

SHA512
fcfb13661076cdd72ca36ea5ada4561bdf7ef406e4921d4043f77833583f41a2bb6f7f3b29f1c7c908ed07676ac9dd8b5cee77c8dbc22e876ce9ce565a7462db

Download Submit
\Windows\Temp\fmsign.exe

Filesize
1.1MB

MD5
b54702f7e532b9f96c07e8afdf5a54ed

SHA1
fce5328a4e8854111bc2deb49b5c11f2ead3e189

SHA256
8cc48f95b1a247eda6d8d095b59083fcf66f6df8c7636e226fda3c84f4b05031

SHA512
fcfb13661076cdd72ca36ea5ada4561bdf7ef406e4921d4043f77833583f41a2bb6f7f3b29f1c7c908ed07676ac9dd8b5cee77c8dbc22e876ce9ce565a7462db

Download Submit
memory/1768-15-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1768-14-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1768-24-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1768-26-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2916-13-0x000007FEF5CF0000-0x000007FEF668D000-memory.dmp

Filesize
9.6MB

Download
memory/2916-0-0x000007FEF5CF0000-0x000007FEF668D000-memory.dmp

Filesize
9.6MB

Download
memory/2916-2-0x000007FEF5CF0000-0x000007FEF668D000-memory.dmp

Filesize
9.6MB

Download
memory/2916-1-0x0000000004CA0000-0x0000000004D20000-memory.dmp

Filesize
512KB

Download