Resubmissions
Submitted          Analysis ID         Score
27-01-2024 09:27   240127-lezxaahdd2   7
27-01-2024 09:23   240127-lcrswshch8   10
27-01-2024 07:59   240127-jvdymshgcp   7

Analysis
max time kernel: 117s
max time network: 122s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 27-01-2024 09:23
Static task: static1

Behavioral tasks
Task          Sample              Resource
behavioral1   64201921222189.js   win7-20231215-en
behavioral2   64201921222189.js   win10-20231215-en
behavioral3   64201921222189.js   win10v2004-20231215-en
behavioral4   64201921222189.js   win11-20231222-en
General
Target: 64201921222189.js
Size: 6.4MB
MD5: 9ad0dc56c7f7492b4555812c774fe3d6
SHA1: 4b18214b4b08864f0073f56d098e2b4f0f1997ec
SHA256: dbd9dcd47010476f23da069f9d2c41c9f20b08bf3eb506c5c8bdb6dfa6811c4d
SHA512: 01195cd51e6e47026d12b1c07c235704abe3e953e518ae14d0bcde6ee724667d318420d5e1b4e0784fcd52a388fd44046a44eacca017cd7e2da7e15d561707d2
SSDEEP: 49152:pDH/1og88w/d8Q3YOkgPJs8vU/knfBLi7kj6dXjocM:M
Malware Config
Signatures
- Loads dropped DLL  4 IoCs
  pid    Process
  2972   rundll32.exe
  2972   rundll32.exe
  2972   rundll32.exe
  2972   rundll32.exe

- Enumerates physical storage devices  1 TTPs
  Attempts to interact with connected storage/optical drive(s).

- Modifies Internet Explorer settings  4 IoCs
  description   ioc                                                                                                        Process
  Key created   \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main   hh.exe
  Key created   \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main   hh.exe
  Key created   \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main   hh.exe
  Key created   \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main   hh.exe

- Opens file in notepad (likely ransom note)  1 IoCs
  pid    Process
  1904   Notepad.exe

- Suspicious use of FindShellTrayWindow  3 IoCs
  pid    Process
  600    hh.exe
  1564   hh.exe
  1904   Notepad.exe

- Suspicious use of SetWindowsHookEx  8 IoCs
  pid    Process
  600    hh.exe
  600    hh.exe
  1564   hh.exe
  1564   hh.exe
  2444   hh.exe
  2444   hh.exe
  2096   hh.exe
  2096   hh.exe

- Suspicious use of WriteProcessMemory  27 IoCs
  description                          pid    Process       procid_target
  PID 1992 wrote to memory of 2752     1992   wscript.exe   28
  PID 1992 wrote to memory of 2752     1992   wscript.exe   28
  PID 1992 wrote to memory of 2752     1992   wscript.exe   28
  PID 2752 wrote to memory of 600      2752   cmd.exe       30
  PID 2752 wrote to memory of 600      2752   cmd.exe       30
  PID 2752 wrote to memory of 600      2752   cmd.exe       30
  PID 2752 wrote to memory of 1564     2752   cmd.exe       31
  PID 2752 wrote to memory of 1564     2752   cmd.exe       31
  PID 2752 wrote to memory of 1564     2752   cmd.exe       31
  PID 2752 wrote to memory of 2444     2752   cmd.exe       32
  PID 2752 wrote to memory of 2444     2752   cmd.exe       32
  PID 2752 wrote to memory of 2444     2752   cmd.exe       32
  PID 2752 wrote to memory of 2096     2752   cmd.exe       35
  PID 2752 wrote to memory of 2096     2752   cmd.exe       35
  PID 2752 wrote to memory of 2096     2752   cmd.exe       35
  PID 2752 wrote to memory of 2960     2752   cmd.exe       38
  PID 2752 wrote to memory of 2960     2752   cmd.exe       38
  PID 2752 wrote to memory of 2960     2752   cmd.exe       38
  PID 2752 wrote to memory of 1716     2752   cmd.exe       39
  PID 2752 wrote to memory of 1716     2752   cmd.exe       39
  PID 2752 wrote to memory of 1716     2752   cmd.exe       39
  PID 2752 wrote to memory of 1992     2752   cmd.exe       40
  PID 2752 wrote to memory of 1992     2752   cmd.exe       40
  PID 2752 wrote to memory of 1992     2752   cmd.exe       40
  PID 1992 wrote to memory of 2972     1992   cmd.exe       41
  PID 1992 wrote to memory of 2972     1992   cmd.exe       41
  PID 1992 wrote to memory of 2972     1992   cmd.exe       41
Processes
(process tree; indentation shows parent/child depth)

C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\64201921222189.js
  - Suspicious use of WriteProcessMemory
  PID: 1992

    C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\64201921222189.js" "C:\Users\Admin\AppData\Local\Temp\\geeserecord.bat" && "C:\Users\Admin\AppData\Local\Temp\\geeserecord.bat"
      - Suspicious use of WriteProcessMemory
      PID: 2752

        C:\Windows\hh.exe
          Command line: Hh 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
          - Modifies Internet Explorer settings
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SetWindowsHookEx
          PID: 600

        C:\Windows\hh.exe
          Command line: Hh 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
          - Modifies Internet Explorer settings
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SetWindowsHookEx
          PID: 1564

        C:\Windows\hh.exe
          Command line: Hh 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
          - Modifies Internet Explorer settings
          - Suspicious use of SetWindowsHookEx
          PID: 2444

        C:\Windows\hh.exe
          Command line: Hh 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
          - Modifies Internet Explorer settings
          - Suspicious use of SetWindowsHookEx
          PID: 2096

        C:\Windows\system32\findstr.exe
          Command line: findstr /V pokeskip ""C:\Users\Admin\AppData\Local\Temp\\geeserecord.bat""
          PID: 2960

        C:\Windows\system32\certutil.exe
          Command line: certutil -f -decode merezephyr seemlyvegetable.dll
          PID: 1716

        C:\Windows\system32\cmd.exe
          Command line: cmd /c rundll32 seemlyvegetable.dll,m
          - Suspicious use of WriteProcessMemory
          PID: 1992

            C:\Windows\system32\rundll32.exe
              Command line: rundll32 seemlyvegetable.dll,m
              - Loads dropped DLL
              PID: 2972

C:\Windows\System32\Notepad.exe
  Command line: "C:\Windows\System32\Notepad.exe" C:\Users\Admin\Desktop\StopProtect.vbe
  - Opens file in notepad (likely ransom note)
  - Suspicious use of FindShellTrayWindow
  PID: 1904

C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\StopProtect.vbe"
  PID: 700
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4K0WM73A\errorPageStrings[2]
  Filesize: 2KB
  MD5: e3e4a98353f119b80b323302f26b78fa
  SHA1: 20ee35a370cdd3a8a7d04b506410300fd0a6a864
  SHA256: 9466d620dc57835a2475f8f71e304f54aee7160e134ba160baae0f19e5e71e66
  SHA512: d8e4d73c76804a5abebd5dbc3a86dcdb6e73107b873175a8de67332c113fb7c4899890bf7972e467866fa4cd100a7e2a10a770e5a9c41cbf23b54351b771dcee

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4K0WM73A\httpErrorPagesScripts[1]
  Filesize: 8KB
  MD5: 3f57b781cb3ef114dd0b665151571b7b
  SHA1: ce6a63f996df3a1cccb81720e21204b825e0238c
  SHA256: 46e019fa34465f4ed096a9665d1827b54553931ad82e98be01edb1ddbc94d3ad
  SHA512: 8cbf4ef582332ae7ea605f910ad6f8a4bc28513482409fa84f08943a72cac2cf0fa32b6af4c20c697e1fac2c5ba16b5a64a23af0c11eefbf69625b8f9f90c8fa

  Filesize: 6.4MB
  MD5: 9ad0dc56c7f7492b4555812c774fe3d6
  SHA1: 4b18214b4b08864f0073f56d098e2b4f0f1997ec
  SHA256: dbd9dcd47010476f23da069f9d2c41c9f20b08bf3eb506c5c8bdb6dfa6811c4d
  SHA512: 01195cd51e6e47026d12b1c07c235704abe3e953e518ae14d0bcde6ee724667d318420d5e1b4e0784fcd52a388fd44046a44eacca017cd7e2da7e15d561707d2

  Filesize: 4.1MB
  MD5: a0c8c19362df1bd5d90bb4b055935992
  SHA1: a5f6aafa96b5c0dd85d9f6ed8c2192febdee1b71
  SHA256: 0f03c75d4e91d78c504977856a8f6320e1742e52aaf83967a9bc6193218c408b
  SHA512: 61e87193de5613990ebb87a2e76b10149bccfe9055cc71cd13b9f8c70822bea09be011a5d1a22cc5b08ad26aa32beb3433f1fe34c6224dbce1af252e33003878

  Filesize: 4.3MB
  MD5: ea54ab5eea76e4481dda3ccb96c1afbf
  SHA1: 403fba15b57edd61049d58dd2ce834c758663169
  SHA256: 1941291021f094ca1bf945637320c446d4fd2a80db9a44f127528ad521163e8d
  SHA512: 19e4af52104639212ece742304005734a5d2be5a5204217b8464a4d3b9bc1222febf093b5425cf10c9be0d05458257ee3b9c5a16caa1a0e0812d34d080087a35

  Filesize: 4.8MB
  MD5: ee0c3b7659ffba9c02a7d05dd53f1215
  SHA1: 7105afbf492cf6fffcd18bec16b59f2f3e24d260
  SHA256: 142994f123a1238d2387d00a58b709b2a07429cf1d024f65f97279afa01dfc74
  SHA512: 57f6d26b226f99d459e1de57ea7c72480cd316267095c615e564db190a053daa82338bf66ffdbd463d5e39ef2057667d2f23bc42ee5a4abe7bcc0679bbfeb319