f0018e9ee52604745ab35648d582debe47b01e73fdd86ebd9a08c513c2206e39

General

Target

ПАО «Группа Компаний ПИК» подробности заказа.js
Size

6KB
MD5

41a7eca4bffa6a286f47a0ff9b96d153
SHA1

eab7b5c4bd2d4087d03a1219f0827496f02fbb72
SHA256

eb81490c72ee724acace8b5bcfa8c20a95b53da6f29b9126456ea438bbe65331
SHA512

47f520459faaed8642d27a3b56c451ed478b2aa60ca1d5e0ce325b12bd27c93fad96d1554bb08b00f37ec878ad4e99bc0a3976d3ac638de2a7f89dd4bb9d7baf
SSDEEP

192:fyjM5NfQGUNp+thIqaAxtzPeWEusrplXd847YYe:KjM5NRvIRiBx0rmFYe

Score

8^/10

execution

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
4	956	wscript.exe
7	956	wscript.exe
9	956	wscript.exe

Deletes itself 1 IoCs

pid	Process
956	wscript.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\tmp_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\tmp_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\.tmp	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\.tmp\ = "tmp_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\tmp_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\tmp_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\tmp_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\tmp_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	wscript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	wscript.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2556	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2556	AcroRd32.exe
2556	AcroRd32.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 956 wrote to memory of 3044	956	wscript.exe	30
PID 956 wrote to memory of 3044	956	wscript.exe	30
PID 956 wrote to memory of 3044	956	wscript.exe	30
PID 3044 wrote to memory of 2624	3044	cmd.exe	32
PID 3044 wrote to memory of 2624	3044	cmd.exe	32
PID 3044 wrote to memory of 2624	3044	cmd.exe	32
PID 2624 wrote to memory of 2556	2624	rundll32.exe	33
PID 2624 wrote to memory of 2556	2624	rundll32.exe	33
PID 2624 wrote to memory of 2556	2624	rundll32.exe	33
PID 2624 wrote to memory of 2556	2624	rundll32.exe	33

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\ПАО «Группа Компаний ПИК» подробности заказа.js"
1⤵
- Blocklisted process makes network request
- Deletes itself
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:956
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\radEC969.tmp
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3044
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\radEC969.tmp
    3⤵
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2624
  - - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
      "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\radEC969.tmp"
      4⤵
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      PID:2556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

JavaScript

1

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\radEC969.tmp

Filesize
1KB

MD5
6585c1de7f396694e7cd1ad817422214

SHA1
42a647c9f88eca0e293d28d00925d46f15884e25

SHA256
095f290e529fd9e997892c05496a41d5b23464975da0b499d68ed074c1aa3315

SHA512
6e7ccb3338efb40b1d7fe2cda58d4ce862853ea2a241f9a77891d2cc6b77a86d09fc4490e80c3d5e32d9547dfc25a0d47fcb4298c889db4d147bd304222e59fc

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
96aec78eb3733b45251e63cfc2dd515b

SHA1
9677be6d5cfc6216a4647246e14b6bda30e988da

SHA256
84e9d6f820190b48df0d0112bf9bd1562562e204214aadae1fc16f212370e8a8

SHA512
22c39c9e126179e9edc93dc713ad3b42f21bb97e606329f1e2e6ce71752b72d1a1e00dab106afdc9a9bc5d05e9bd3079d02260f47e59bc7844894017cd4b5095

Download Submit

Analysis

Sharing