Malware Analysis Report

2024-10-16 05:31

Sample ID: 240710-txpg9szfph
Target sample SHA256: 2a66921df80a7aae81231bcaf7eac77c4d755bb9418d08fad256c999d937492d
Tags: execution
Score: 3/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 3/10

SHA256: 2a66921df80a7aae81231bcaf7eac77c4d755bb9418d08fad256c999d937492d

Threat Level: Likely benign

The file sample was found to be: Likely benign.

Malicious Activity Summary

execution

Command and Scripting Interpreter: JavaScript

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Checks processor information in registry

Enumerates system info in registry

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-07-10 16:26

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-07-10 16:26

Reported: 2024-07-10 16:29

Platform: win7-20240708-en

Max time kernel: 120s

Max time network: 122s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\sample.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\sample.js

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-07-10 16:26

Reported: 2024-07-10 16:29

Platform: win10v2004-20240709-en

Max time kernel: 150s

Max time network: 156s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\sample.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\sample.js

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\GetUninstall.docx" /o ""

C:\Program Files\VideoLAN\VLC\vlc.exe

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\ConvertFromOptimize.mpg"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 13.107.21.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 31.73.42.20.in-addr.arpa | udp
US | 8.8.8.8:53 | | udp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 a5202d96f3d41e49b851ad0b3b991c22
SHA1 a010eb382c54d16dd20feaa69f22fd54438dc3ee
SHA256 9f5864c8de92bef78580c1368562493646b7a5aface06188d5b967b2f5f237be
SHA512 beff460cb8390061ec640f5736df1cc9189d7fcc6188532216bc5e17e8bf6440d1aedf9652f7f7ef9c2e05a0d8d11409467d9659c8d46ea9c781b3cbf1a19725

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

MD5 d29962abc88624befc0135579ae485ec
SHA1 e40a6458296ec6a2427bcb280572d023a9862b31
SHA256 a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866
SHA512 4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini.GW4568

MD5 8b52e9eee0e6c446fb94efccae9e43fc
SHA1 d9fd83a13085eb31e2c64a75b53ea24e06a79c57
SHA256 ea4b912f8f7015faf0b481ba10b85c39f49f7d936ed803d16e0fec60e66a3d12
SHA512 925cb0e04aa4022f0453ba1e45091e9e5466fab84d4f8d4a4e6c9139b71b7fbe31822d7b996f3a77ba4936eaa62295d85c6f1d85669695131a24868bc2e40db1
