Analysis Overview
SHA256
356e87a4ef1469bba5cfc99c19161b37f0fdaa766043705a4d51b4bae8b134d3
Threat Level: Known bad
The file Ref_87021929821US20240709031221656.js was found to be: Known bad.
Malicious Activity Summary
NanoCore
Blocklisted process makes network request
Executes dropped EXE
Checks computer location settings
Adds Run key to start application
Checks whether UAC is enabled
Drops file in Program Files directory
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: EnumeratesProcesses
Modifies registry class
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-11 07:47
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-11 07:47
Reported
2024-08-11 07:49
Platform
win7-20240705-en
Max time kernel
141s
Max time network
145s
Command Line
Signatures
NanoCore
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mYIv.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DSL Service = "C:\\Program Files (x86)\\DSL Service\\dslsv.exe" | C:\Users\Admin\AppData\Local\Temp\mYIv.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\mYIv.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\DSL Service\dslsv.exe | C:\Users\Admin\AppData\Local\Temp\mYIv.exe | N/A |
| File opened for modification | C:\Program Files (x86)\DSL Service\dslsv.exe | C:\Users\Admin\AppData\Local\Temp\mYIv.exe | N/A |
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\mYIv.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mYIv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mYIv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mYIv.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mYIv.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\mYIv.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2148 wrote to memory of 2844 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\WScript.exe |
| PID 2148 wrote to memory of 2844 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\WScript.exe |
| PID 2148 wrote to memory of 2844 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\WScript.exe |
| PID 2844 wrote to memory of 2812 | N/A | C:\Windows\System32\WScript.exe | C:\Users\Admin\AppData\Local\Temp\mYIv.exe |
| PID 2844 wrote to memory of 2812 | N/A | C:\Windows\System32\WScript.exe | C:\Users\Admin\AppData\Local\Temp\mYIv.exe |
| PID 2844 wrote to memory of 2812 | N/A | C:\Windows\System32\WScript.exe | C:\Users\Admin\AppData\Local\Temp\mYIv.exe |
| PID 2844 wrote to memory of 2812 | N/A | C:\Windows\System32\WScript.exe | C:\Users\Admin\AppData\Local\Temp\mYIv.exe |
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Ref_87021929821US20240709031221656.js
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\TEZDIY.js"
C:\Users\Admin\AppData\Local\Temp\mYIv.exe
"C:\Users\Admin\AppData\Local\Temp\mYIv.exe"
Network
| Country | Destination | Domain | Proto |
| US | 192.210.215.11:80 | 192.210.215.11 | tcp |
| US | 8.8.8.8:53 | chongmei33.publicvm.com | udp |
| SE | 46.246.14.67:5569 | chongmei33.publicvm.com | tcp |
| US | 8.8.8.8:53 | chongmei33.publicvm.com | udp |
| SE | 46.246.14.67:5569 | chongmei33.publicvm.com | tcp |
| US | 8.8.8.8:53 | chongmei33.publicvm.com | udp |
| SE | 46.246.14.67:5569 | chongmei33.publicvm.com | tcp |
| US | 8.8.8.8:53 | jinvestments.duckdns.org | udp |
| SE | 46.246.14.67:5569 | jinvestments.duckdns.org | tcp |
| US | 8.8.8.8:53 | jinvestments.duckdns.org | udp |
| SE | 46.246.14.67:5569 | jinvestments.duckdns.org | tcp |
| US | 8.8.8.8:53 | jinvestments.duckdns.org | udp |
| SE | 46.246.14.67:5569 | jinvestments.duckdns.org | tcp |
| US | 8.8.8.8:53 | chongmei33.publicvm.com | udp |
| SE | 46.246.14.67:5569 | chongmei33.publicvm.com | tcp |
| US | 8.8.8.8:53 | chongmei33.publicvm.com | udp |
| SE | 46.246.14.67:5569 | chongmei33.publicvm.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\TEZDIY.js
| MD5 | dc0bce4906594a89e2707870b3455a71 |
| SHA1 | 693e646c87bcc184658c53e191196bb9243c3242 |
| SHA256 | 9332806b808c9d72d0366841aa990fe5dbde39f88eccd73962adc6a91da0548d |
| SHA512 | 8c7aa5673700eb5989f8a60750689b87685e1a6ddc0a2e7f3c9fb288b8376c685a90639fc7745ff4757b18125373c240383e2475c3425628581cee8f40030f83 |
C:\Users\Admin\AppData\Local\Temp\mYIv.exe
| MD5 | 842793f4ae0abae1c4e0d1d00c3b1b36 |
| SHA1 | 45cc5efe42d8ff19e8f4eafdcfe9e2cc0c62bb76 |
| SHA256 | f87b7426970122ba506c6dc25e7877f93af482db93df438bd613cea22b06a3b2 |
| SHA512 | 681dcfe8fa0c401e234064b9ecfbe5eef5f84e3fba9c09c0a1355d0221288e97d94ab8e42c7b96d39318c71cdab18a7d563e636b5d3e5638d7d959fe812eef1d |
memory/2812-13-0x0000000000790000-0x00000000007D0000-memory.dmp
memory/2812-16-0x0000000000790000-0x00000000007D0000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-11 07:47
Reported
2024-08-11 07:49
Platform
win10v2004-20240802-en
Max time kernel
139s
Max time network
142s
Command Line
Signatures
NanoCore
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mYIv.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NAS Monitor = "C:\\Program Files (x86)\\NAS Monitor\\nasmon.exe" | C:\Users\Admin\AppData\Local\Temp\mYIv.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\mYIv.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\NAS Monitor\nasmon.exe | C:\Users\Admin\AppData\Local\Temp\mYIv.exe | N/A |
| File opened for modification | C:\Program Files (x86)\NAS Monitor\nasmon.exe | C:\Users\Admin\AppData\Local\Temp\mYIv.exe | N/A |
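Both detonations install the same dropper (mYIv.exe, identical hashes in the two Files sections of this report) but under different names: "DSL Service" with dslsv.exe on the Windows 7 run and "NAS Monitor" with nasmon.exe on the Windows 10 run, so the install name is not a stable indicator; the pattern is. The script below is an added example, not the report's or the sandbox's own code: it parses the Run-value rows from the two "Adds Run key to start application" tables, joins each to the "File created" row of the same run, and flags a Run value whose target was created by a process executing from a user-writable path. The list of user-writable locations is the example's own assumption.

```python
import re

# Rows from the "Adds Run key to start application" and "Drops file in Program Files
# directory" tables of both detonations in this report (process column included).
EVENTS = [
    {"run": "behavioral1", "op": "Set value (str)", "process": r"C:\Users\Admin\AppData\Local\Temp\mYIv.exe",
     "indicator": r'\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DSL Service = "C:\\Program Files (x86)\\DSL Service\\dslsv.exe"'},
    {"run": "behavioral1", "op": "File created", "process": r"C:\Users\Admin\AppData\Local\Temp\mYIv.exe",
     "indicator": r"C:\Program Files (x86)\DSL Service\dslsv.exe"},
    {"run": "behavioral2", "op": "Set value (str)", "process": r"C:\Users\Admin\AppData\Local\Temp\mYIv.exe",
     "indicator": r'\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NAS Monitor = "C:\\Program Files (x86)\\NAS Monitor\\nasmon.exe"'},
    {"run": "behavioral2", "op": "File created", "process": r"C:\Users\Admin\AppData\Local\Temp\mYIv.exe",
     "indicator": r"C:\Program Files (x86)\NAS Monitor\nasmon.exe"},
]

# A Run/RunOnce value as the sandbox prints it: key path, value name, then the REG_SZ
# data in quotes with every backslash doubled.
RUN_VALUE_RE = re.compile(
    r"^\\REGISTRY\\(?P<hive>MACHINE|USER\\[^\\]+)\\SOFTWARE\\(?P<wow>Wow6432Node\\)?"
    r"Microsoft\\Windows\\CurrentVersion\\(?P<key>Run|RunOnce)\\(?P<name>.+?)\s*=\s*\"(?P<data>.*)\"$",
    re.IGNORECASE,
)

# Paths an unprivileged user can write to. This list is the example's own assumption,
# not something the report states.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\", "\\programdata\\")


def parse_run_value(indicator):
    """Split a Run-key indicator into hive, WOW64 flag, key, value name and target path."""
    m = RUN_VALUE_RE.match(indicator)
    if not m:
        return None
    target = m.group("data").replace("\\\\", "\\")  # undo the sandbox's escaping
    return {"hive": m.group("hive"), "wow64": bool(m.group("wow")), "key": m.group("key"),
            "name": m.group("name").strip(), "target": target}


def from_user_writable(path):
    p = path.lower()
    return any(seg in p for seg in USER_WRITABLE)


def correlate(events):
    """One finding per Run value, joined to the file-create event for its target in the same run."""
    created = {(e["run"], e["indicator"].lower()): e["process"]
               for e in events if e["op"] == "File created"}
    findings = []
    for e in events:
        if not e["op"].startswith("Set value"):
            continue
        rv = parse_run_value(e["indicator"])
        if rv is None:
            continue  # some other registry write, not autorun persistence
        dropper = created.get((e["run"], rv["target"].lower()))
        reasons = []
        if from_user_writable(e["process"]):
            reasons.append("run value written by a process in a user-writable path")
        if dropper is not None:
            reasons.append("target created by " + ("the same process" if dropper == e["process"] else dropper))
        findings.append({"run": e["run"], "name": rv["name"], "target": rv["target"],
                         "writer": e["process"], "wow64": rv["wow64"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in correlate(EVENTS):
        print(f"{f['run']}: Run\\{f['name']} -> {f['target']} ({'; '.join(f['reasons'])})")
```

Both runs produce a finding with both reasons set, the same writer (mYIv.exe in %TEMP%) and two different targets; a hunt built on this joins registry Run writes to file creations by the writing process rather than on the value name.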
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\mYIv.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings | C:\Windows\system32\wscript.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mYIv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mYIv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mYIv.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mYIv.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\mYIv.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1928 wrote to memory of 2544 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\WScript.exe |
| PID 1928 wrote to memory of 2544 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\WScript.exe |
| PID 2544 wrote to memory of 3856 | N/A | C:\Windows\System32\WScript.exe | C:\Users\Admin\AppData\Local\Temp\mYIv.exe |
| PID 2544 wrote to memory of 3856 | N/A | C:\Windows\System32\WScript.exe | C:\Users\Admin\AppData\Local\Temp\mYIv.exe |
| PID 2544 wrote to memory of 3856 | N/A | C:\Windows\System32\WScript.exe | C:\Users\Admin\AppData\Local\Temp\mYIv.exe |
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Ref_87021929821US20240709031221656.js
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\TEZDIY.js"
C:\Users\Admin\AppData\Local\Temp\mYIv.exe
"C:\Users\Admin\AppData\Local\Temp\mYIv.exe"
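The process chain is the same three-hop lineage in both detonations: wscript.exe running the submitted Ref_87021929821US20240709031221656.js, a second WScript.exe running the written TEZDIY.js, then mYIv.exe from %TEMP%. The "Suspicious use of WriteProcessMemory" rows carry the PIDs of each hop, and their Process and Target columns name the images, so each written-to process is the next one in the Processes list rather than a foreign process being injected into. The script below is an added example, not the report's or the sandbox's own tooling: it rebuilds the process tree from those rows for both runs and flags any %TEMP% executable that has a Windows Script Host ancestor.

```python
import re
from collections import defaultdict

# "Suspicious use of WriteProcessMemory" rows from both detonations above (behavioral1
# lists the same parent/child pair 3 and 4 times, behavioral2 2 and 3 times).
WPM_ROWS = {
    "behavioral1": ["PID 2148 wrote to memory of 2844"] * 3 + ["PID 2844 wrote to memory of 2812"] * 4,
    "behavioral2": ["PID 1928 wrote to memory of 2544"] * 2 + ["PID 2544 wrote to memory of 3856"] * 3,
}
# Command lines from the "Processes" sections, keyed by PID. The PID-to-image mapping
# is taken from the Process/Target columns of the WriteProcessMemory tables.
PROCESSES = {
    "behavioral1": {
        2148: r"wscript.exe C:\Users\Admin\AppData\Local\Temp\Ref_87021929821US20240709031221656.js",
        2844: r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\TEZDIY.js"',
        2812: r'"C:\Users\Admin\AppData\Local\Temp\mYIv.exe"',
    },
    "behavioral2": {
        1928: r"wscript.exe C:\Users\Admin\AppData\Local\Temp\Ref_87021929821US20240709031221656.js",
        2544: r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\TEZDIY.js"',
        3856: r'"C:\Users\Admin\AppData\Local\Temp\mYIv.exe"',
    },
}
ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def build_tree(rows):
    """Return (parent_of, write_counts). The first process to write into a fresh
    process is treated as its creator; the counts show how many writes were logged."""
    parent_of, writes = {}, defaultdict(int)
    for row in rows:
        m = ROW_RE.search(row)
        if not m:
            continue
        src, dst = int(m.group(1)), int(m.group(2))
        writes[(src, dst)] += 1
        parent_of.setdefault(dst, src)
    return parent_of, dict(writes)


def image_of(cmdline):
    """Executable from a command line: the quoted first token, or the first bare token."""
    cmd = cmdline.strip()
    first = cmd[1:cmd.index('"', 1)] if cmd.startswith('"') else cmd.split()[0]
    return first.lower()


def basename(image):
    return image.rsplit("\\", 1)[-1]


def lineage(pid, parent_of):
    """PIDs from the root of the tree down to pid."""
    chain = [pid]
    while chain[-1] in parent_of:
        chain.append(parent_of[chain[-1]])
    return chain[::-1]


def flag_dropper_chains(run):
    """Every process whose image lives under %TEMP% and has a script-host ancestor,
    reported root-first as (pid, image) tuples."""
    parent_of, _ = build_tree(WPM_ROWS[run])
    procs = PROCESSES[run]
    hits = []
    for pid, cmd in procs.items():
        if "\\appdata\\local\\temp\\" not in image_of(cmd):
            continue
        chain = [(p, image_of(procs[p])) for p in lineage(pid, parent_of)]
        if any(basename(img) in SCRIPT_HOSTS for _, img in chain[:-1]):
            hits.append(chain)
    return hits


if __name__ == "__main__":
    for run in WPM_ROWS:
        for chain in flag_dropper_chains(run):
            print(run + ": " + " -> ".join(f"{pid} {basename(img)}" for pid, img in chain))
```

The same logic applies to endpoint telemetry that records parent PID and image (Sysmon event 1, for example): a script host as any ancestor of an executable launched from a per-user Temp directory is the detection, independent of the file names, which change from sample to sample.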
Network
| Country | Destination | Domain | Proto |
| US | 192.210.215.11:80 | 192.210.215.11 | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.215.210.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.201.86.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chongmei33.publicvm.com | udp |
| SE | 46.246.14.67:5569 | chongmei33.publicvm.com | tcp |
| US | 8.8.8.8:53 | chongmei33.publicvm.com | udp |
| SE | 46.246.14.67:5569 | chongmei33.publicvm.com | tcp |
| US | 8.8.8.8:53 | chongmei33.publicvm.com | udp |
| SE | 46.246.14.67:5569 | chongmei33.publicvm.com | tcp |
| US | 8.8.8.8:53 | jinvestments.duckdns.org | udp |
| SE | 46.246.14.67:5569 | jinvestments.duckdns.org | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | jinvestments.duckdns.org | udp |
| SE | 46.246.14.67:5569 | jinvestments.duckdns.org | tcp |
| US | 8.8.8.8:53 | jinvestments.duckdns.org | udp |
| SE | 46.246.14.67:5569 | jinvestments.duckdns.org | tcp |
| US | 8.8.8.8:53 | chongmei33.publicvm.com | udp |
| SE | 46.246.14.67:5569 | chongmei33.publicvm.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\TEZDIY.js
| MD5 | dc0bce4906594a89e2707870b3455a71 |
| SHA1 | 693e646c87bcc184658c53e191196bb9243c3242 |
| SHA256 | 9332806b808c9d72d0366841aa990fe5dbde39f88eccd73962adc6a91da0548d |
| SHA512 | 8c7aa5673700eb5989f8a60750689b87685e1a6ddc0a2e7f3c9fb288b8376c685a90639fc7745ff4757b18125373c240383e2475c3425628581cee8f40030f83 |
C:\Users\Admin\AppData\Local\Temp\mYIv.exe
| MD5 | 842793f4ae0abae1c4e0d1d00c3b1b36 |
| SHA1 | 45cc5efe42d8ff19e8f4eafdcfe9e2cc0c62bb76 |
| SHA256 | f87b7426970122ba506c6dc25e7877f93af482db93df438bd613cea22b06a3b2 |
| SHA512 | 681dcfe8fa0c401e234064b9ecfbe5eef5f84e3fba9c09c0a1355d0221288e97d94ab8e42c7b96d39318c71cdab18a7d563e636b5d3e5638d7d959fe812eef1d |
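Read together, the two Network tables show one HTTP contact to 192.210.215.11:80 by bare IP in each run, and every other non-resolver connection going to 46.246.14.67:5569, reached through two hostnames (chongmei33.publicvm.com and jinvestments.duckdns.org) that resolve to the same address in both detonations. The script below is an added example, not part of the report or the sandbox's tooling: it parses both tables, drops traffic the example assumes to be sandbox background (the 8.8.8.8 resolver, the Windows PTR lookups and *.bing.net; this allowlist and the list of dynamic-DNS zones are the example's assumptions, not statements of the report), and collapses what remains into blockable indicators with per-run connection counts.

```python
import re
from collections import defaultdict

# Both "Network" tables from this report, copied as pipe-table rows.
BEHAVIORAL1 = """\
| US | 192.210.215.11:80 | 192.210.215.11 | tcp |
| US | 8.8.8.8:53 | chongmei33.publicvm.com | udp |
| SE | 46.246.14.67:5569 | chongmei33.publicvm.com | tcp |
| US | 8.8.8.8:53 | chongmei33.publicvm.com | udp |
| SE | 46.246.14.67:5569 | chongmei33.publicvm.com | tcp |
| US | 8.8.8.8:53 | chongmei33.publicvm.com | udp |
| SE | 46.246.14.67:5569 | chongmei33.publicvm.com | tcp |
| US | 8.8.8.8:53 | jinvestments.duckdns.org | udp |
| SE | 46.246.14.67:5569 | jinvestments.duckdns.org | tcp |
| US | 8.8.8.8:53 | jinvestments.duckdns.org | udp |
| SE | 46.246.14.67:5569 | jinvestments.duckdns.org | tcp |
| US | 8.8.8.8:53 | jinvestments.duckdns.org | udp |
| SE | 46.246.14.67:5569 | jinvestments.duckdns.org | tcp |
| US | 8.8.8.8:53 | chongmei33.publicvm.com | udp |
| SE | 46.246.14.67:5569 | chongmei33.publicvm.com | tcp |
| US | 8.8.8.8:53 | chongmei33.publicvm.com | udp |
| SE | 46.246.14.67:5569 | chongmei33.publicvm.com | tcp |
"""
BEHAVIORAL2 = """\
| US | 192.210.215.11:80 | 192.210.215.11 | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.215.210.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.201.86.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chongmei33.publicvm.com | udp |
| SE | 46.246.14.67:5569 | chongmei33.publicvm.com | tcp |
| US | 8.8.8.8:53 | chongmei33.publicvm.com | udp |
| SE | 46.246.14.67:5569 | chongmei33.publicvm.com | tcp |
| US | 8.8.8.8:53 | chongmei33.publicvm.com | udp |
| SE | 46.246.14.67:5569 | chongmei33.publicvm.com | tcp |
| US | 8.8.8.8:53 | jinvestments.duckdns.org | udp |
| SE | 46.246.14.67:5569 | jinvestments.duckdns.org | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | jinvestments.duckdns.org | udp |
| SE | 46.246.14.67:5569 | jinvestments.duckdns.org | tcp |
| US | 8.8.8.8:53 | jinvestments.duckdns.org | udp |
| SE | 46.246.14.67:5569 | jinvestments.duckdns.org | tcp |
| US | 8.8.8.8:53 | chongmei33.publicvm.com | udp |
| SE | 46.246.14.67:5569 | chongmei33.publicvm.com | tcp |
"""

# Assumed sandbox background traffic (analyst allowlist, not stated by the report).
RESOLVER = ("8.8.8.8", 53)
BENIGN_SUFFIXES = (".in-addr.arpa", ".bing.net")
# Free dynamic-DNS zones; assumed analyst-maintained list.
DDNS_ZONES = ("duckdns.org", "publicvm.com")
ROW_RE = re.compile(r"^\|\s*(\w+)\s*\|\s*([\d.]+):(\d+)\s*\|\s*(\S+)\s*\|\s*(\w+)\s*\|$")


def parse_rows(table, run):
    rows = []
    for line in table.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            cc, ip, port, domain, proto = m.groups()
            rows.append({"run": run, "cc": cc, "ip": ip, "port": int(port), "domain": domain, "proto": proto})
    return rows


def is_noise(row):
    return (row["ip"], row["port"]) == RESOLVER or row["domain"].endswith(BENIGN_SUFFIXES)


def ddns_zone(domain):
    return next((z for z in DDNS_ZONES if domain == z or domain.endswith("." + z)), None)


def summarize(rows):
    """One record per (ip, port): names that resolved to it, dynamic-DNS zones, and
    connection counts per run, after the noise filter."""
    out = {}
    for r in rows:
        if is_noise(r):
            continue
        rec = out.setdefault((r["ip"], r["port"]), {"domains": set(), "ddns": set(), "per_run": defaultdict(int)})
        if r["domain"] != r["ip"]:  # a bare-IP contact has no name to record
            rec["domains"].add(r["domain"])
        if ddns_zone(r["domain"]):
            rec["ddns"].add(ddns_zone(r["domain"]))
        rec["per_run"][r["run"]] += 1
    return out


def iocs(summary):
    """Flat, de-duplicated indicator list (ip:port and hostnames) for a blocklist."""
    items = set()
    for (ip, port), rec in summary.items():
        items.add(f"{ip}:{port}")
        items.update(rec["domains"])
    return sorted(items)
```

Because the C2 names live in third-party dynamic-DNS zones, the hostnames will outlast 46.246.14.67, so the hostnames and the port 5569 beacon pattern are the indicators worth keeping, with the IP as a secondary one.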