221ac462d4732eb250cd5607a10833667e71fc9f884b11376547da6152db744a

Analysis

max time kernel
150s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15/06/2024, 12:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

node.js.exe
Size

154.5MB
MD5

5cf7ce1f5ddeac73f8050cf4d133f101
SHA1

40f1d4b3bb03d41d1c1c29c4fc49ad408f5831af
SHA256

1d0929e44ce33759ae47483d86f82b5dfd111e270c6447bc49ffc968bdcdb4d5
SHA512

f9f93de5935864603372ca6d6d507e0d5d3dcf4b00f57db02da9508b8b24636e47b69814d87fd30f02490dc321f990f193ec26c15fcec8988225b1315795d264
SSDEEP

1572864:QCquurbtqKajQe7vqrTU4PrCsdCXrBngPE1cG7VOWe2IkBmUgq3Fd6iU3x6VCdbm:qDAgZi

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
3376	node.js.exe
3376	node.js.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
2	raw.githubusercontent.com

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1684	node.js.exe
1684	node.js.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3376	node.js.exe
Token: SeCreatePagefilePrivilege	3376	node.js.exe
Token: SeShutdownPrivilege	3376	node.js.exe
Token: SeCreatePagefilePrivilege	3376	node.js.exe
Token: SeShutdownPrivilege	3376	node.js.exe
Token: SeCreatePagefilePrivilege	3376	node.js.exe
Token: SeShutdownPrivilege	3376	node.js.exe
Token: SeCreatePagefilePrivilege	3376	node.js.exe
Token: SeShutdownPrivilege	3376	node.js.exe
Token: SeCreatePagefilePrivilege	3376	node.js.exe
Token: SeShutdownPrivilege	3376	node.js.exe
Token: SeCreatePagefilePrivilege	3376	node.js.exe
Token: SeShutdownPrivilege	3376	node.js.exe
Token: SeCreatePagefilePrivilege	3376	node.js.exe
Token: SeShutdownPrivilege	3376	node.js.exe
Token: SeCreatePagefilePrivilege	3376	node.js.exe
Token: SeShutdownPrivilege	3376	node.js.exe
Token: SeCreatePagefilePrivilege	3376	node.js.exe
Token: SeShutdownPrivilege	3376	node.js.exe
Token: SeCreatePagefilePrivilege	3376	node.js.exe
Token: SeShutdownPrivilege	3376	node.js.exe
Token: SeCreatePagefilePrivilege	3376	node.js.exe
Token: SeShutdownPrivilege	3376	node.js.exe
Token: SeCreatePagefilePrivilege	3376	node.js.exe
Token: SeShutdownPrivilege	3376	node.js.exe
Token: SeCreatePagefilePrivilege	3376	node.js.exe
Token: SeShutdownPrivilege	3376	node.js.exe
Token: SeCreatePagefilePrivilege	3376	node.js.exe
Token: SeShutdownPrivilege	3376	node.js.exe
Token: SeCreatePagefilePrivilege	3376	node.js.exe
Token: SeShutdownPrivilege	3376	node.js.exe
Token: SeCreatePagefilePrivilege	3376	node.js.exe
Token: SeShutdownPrivilege	3376	node.js.exe
Token: SeCreatePagefilePrivilege	3376	node.js.exe
Token: SeShutdownPrivilege	3376	node.js.exe
Token: SeCreatePagefilePrivilege	3376	node.js.exe
Token: SeShutdownPrivilege	3376	node.js.exe
Token: SeCreatePagefilePrivilege	3376	node.js.exe
Token: SeShutdownPrivilege	3376	node.js.exe
Token: SeCreatePagefilePrivilege	3376	node.js.exe
Token: SeShutdownPrivilege	3376	node.js.exe
Token: SeCreatePagefilePrivilege	3376	node.js.exe
Token: SeShutdownPrivilege	3376	node.js.exe
Token: SeCreatePagefilePrivilege	3376	node.js.exe
Token: SeShutdownPrivilege	3376	node.js.exe
Token: SeCreatePagefilePrivilege	3376	node.js.exe
Token: SeShutdownPrivilege	3376	node.js.exe
Token: SeCreatePagefilePrivilege	3376	node.js.exe
Token: SeShutdownPrivilege	3376	node.js.exe
Token: SeCreatePagefilePrivilege	3376	node.js.exe
Token: SeShutdownPrivilege	3376	node.js.exe
Token: SeCreatePagefilePrivilege	3376	node.js.exe
Token: SeShutdownPrivilege	3376	node.js.exe
Token: SeCreatePagefilePrivilege	3376	node.js.exe
Token: SeShutdownPrivilege	3376	node.js.exe
Token: SeCreatePagefilePrivilege	3376	node.js.exe
Token: SeShutdownPrivilege	3376	node.js.exe
Token: SeCreatePagefilePrivilege	3376	node.js.exe
Token: SeShutdownPrivilege	3376	node.js.exe
Token: SeCreatePagefilePrivilege	3376	node.js.exe
Token: SeShutdownPrivilege	3376	node.js.exe
Token: SeCreatePagefilePrivilege	3376	node.js.exe
Token: SeShutdownPrivilege	3376	node.js.exe
Token: SeCreatePagefilePrivilege	3376	node.js.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 3376 wrote to memory of 2504	3376	node.js.exe	83
PID 3376 wrote to memory of 2504	3376	node.js.exe	83
PID 3376 wrote to memory of 2504	3376	node.js.exe	83
PID 3376 wrote to memory of 2504	3376	node.js.exe	83
PID 3376 wrote to memory of 2504	3376	node.js.exe	83
PID 3376 wrote to memory of 2504	3376	node.js.exe	83
PID 3376 wrote to memory of 2504	3376	node.js.exe	83
PID 3376 wrote to memory of 2504	3376	node.js.exe	83
PID 3376 wrote to memory of 2504	3376	node.js.exe	83
PID 3376 wrote to memory of 2504	3376	node.js.exe	83
PID 3376 wrote to memory of 2504	3376	node.js.exe	83
PID 3376 wrote to memory of 2504	3376	node.js.exe	83
PID 3376 wrote to memory of 2504	3376	node.js.exe	83
PID 3376 wrote to memory of 2504	3376	node.js.exe	83
PID 3376 wrote to memory of 2504	3376	node.js.exe	83
PID 3376 wrote to memory of 2504	3376	node.js.exe	83
PID 3376 wrote to memory of 2504	3376	node.js.exe	83
PID 3376 wrote to memory of 2504	3376	node.js.exe	83
PID 3376 wrote to memory of 2504	3376	node.js.exe	83
PID 3376 wrote to memory of 2504	3376	node.js.exe	83
PID 3376 wrote to memory of 2504	3376	node.js.exe	83
PID 3376 wrote to memory of 2504	3376	node.js.exe	83
PID 3376 wrote to memory of 2504	3376	node.js.exe	83
PID 3376 wrote to memory of 2504	3376	node.js.exe	83
PID 3376 wrote to memory of 2504	3376	node.js.exe	83
PID 3376 wrote to memory of 2504	3376	node.js.exe	83
PID 3376 wrote to memory of 2504	3376	node.js.exe	83
PID 3376 wrote to memory of 2504	3376	node.js.exe	83
PID 3376 wrote to memory of 2504	3376	node.js.exe	83
PID 3376 wrote to memory of 2504	3376	node.js.exe	83
PID 3376 wrote to memory of 2504	3376	node.js.exe	83
PID 3376 wrote to memory of 2928	3376	node.js.exe	84
PID 3376 wrote to memory of 2928	3376	node.js.exe	84
PID 3376 wrote to memory of 1684	3376	node.js.exe	92
PID 3376 wrote to memory of 1684	3376	node.js.exe	92

C:\Users\Admin\AppData\Local\Temp\node.js.exe
"C:\Users\Admin\AppData\Local\Temp\node.js.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3376
- C:\Users\Admin\AppData\Local\Temp\node.js.exe
  "C:\Users\Admin\AppData\Local\Temp\node.js.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\node.js" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1744 --field-trial-handle=1864,i,5273057662123735931,3189355874783398471,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  PID:2504
- C:\Users\Admin\AppData\Local\Temp\node.js.exe
  "C:\Users\Admin\AppData\Local\Temp\node.js.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\node.js" --mojo-platform-channel-handle=2080 --field-trial-handle=1864,i,5273057662123735931,3189355874783398471,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
  2⤵
  PID:2928
- C:\Users\Admin\AppData\Local\Temp\node.js.exe
  "C:\Users\Admin\AppData\Local\Temp\node.js.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\node.js" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=892 --field-trial-handle=1864,i,5273057662123735931,3189355874783398471,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\16a7fd24-abc9-4eac-b0b1-d89095e8635f.tmp.node

Filesize
1.4MB

MD5
87f2661da9a09dc36a1e39b53692e172

SHA1
fc6a37bfcd72d7d70a3afb6fbd752bf1e0b0990f

SHA256
7d2532530cd09d589348e1d6c2a46af4d3de73ee72941a4ee5b65cd21c17ddea

SHA512
7187b2761245b470f4dbdbaa258e8d3cc1f2491bea2f7649212d8abcef1ccfb4c4b7fe4d0a37ca47840dd21eea9d799c94367af43c98027ba6f1247162a9e713

Download Submit
C:\Users\Admin\AppData\Local\Temp\1a2d64c4-e4fb-4e0c-8492-5ec34f523b62.tmp.node

Filesize
137KB

MD5
04bfbfec8db966420fe4c7b85ebb506a

SHA1
939bb742a354a92e1dcd3661a62d69e48030a335

SHA256
da2172ce055fa47d6a0ea1c90654f530abed33f69a74d52fab06c4c7653b48fd

SHA512
4ea97a9a120ed5bee8638e0a69561c2159fc3769062d7102167b0e92b4f1a5c002a761bd104282425f6cee8d0e39dbe7e12ad4e4a38570c3f90f31b65072dd65

Download Submit
memory/1684-13-0x000001A218140000-0x000001A218141000-memory.dmp

Filesize
4KB

Download
memory/1684-15-0x000001A218140000-0x000001A218141000-memory.dmp

Filesize
4KB

Download
memory/1684-14-0x000001A218140000-0x000001A218141000-memory.dmp

Filesize
4KB

Download
memory/1684-19-0x000001A218140000-0x000001A218141000-memory.dmp

Filesize
4KB

Download
memory/1684-21-0x000001A218140000-0x000001A218141000-memory.dmp

Filesize
4KB

Download
memory/1684-25-0x000001A218140000-0x000001A218141000-memory.dmp

Filesize
4KB

Download
memory/1684-24-0x000001A218140000-0x000001A218141000-memory.dmp

Filesize
4KB

Download
memory/1684-23-0x000001A218140000-0x000001A218141000-memory.dmp

Filesize
4KB

Download
memory/1684-22-0x000001A218140000-0x000001A218141000-memory.dmp

Filesize
4KB

Download
memory/1684-20-0x000001A218140000-0x000001A218141000-memory.dmp

Filesize
4KB

Download