60d5859ff992ae890c4fc73031cb14ae1722bf90d884b52e83391732112bb362

Resubmissions

19-09-2024 21:39

240919-1hv5tssapf 5

19-09-2024 21:25

240919-z9xx3a1flc 5

Analysis

max time kernel
300s
max time network
268s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
19-09-2024 21:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

.js
Size

1.0MB
MD5

a1321924d8c6b6fd01777d097f0aa055
SHA1

d0293e26f615a05d0577692761639ddc577b5bc8
SHA256

3ff914f8e79247c3328e971256119eb71f4dd88024f4cb2ffccef91860126db8
SHA512

356aa288859cb1243d690d958c7b06f99f32a9aa354e8e87bb242af6a9fa070d5b4dc999edb83c60484162161311146601864bdc8a6cb11664ab21fc3cd9f670
SSDEEP

12288:AhMXL2rn65hYlWiOFC+Mu1F2KPe9OfzaBexvk3ldQXXBPvZX5nhb6Q:dQn652lOF5K9Ve5nX5jwQ

Score

5^/10

execution

Malware Config

Signatures

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	SearchProtocolHost.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\ESE.TXT	SearchIndexer.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3g2\UserChoice\ProgId = "AppX6eg8h5sxqq90pv53845wmnbewywdqq5h"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpe\UserChoice\Hash = "l6jTGX/4YKA="	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.crw\UserChoice\Hash = "yInVRt8huzg="	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\FileAssociations\ProgIds\_.wmv = "1"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpg\UserChoice\Hash = "YQ0cmxi3ME0="	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\FileAssociations\ProgIds\_.m4a = "1"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.gif\UserChoice	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpa\UserChoice\ProgId = "AppXqj98qxeaynz6dv4459ayz6bnqxbyaqcs"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3gp	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\UserChoice	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.png\UserChoice\Hash = "jeK4PA34iF4="	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpa\UserChoice\Hash = "a/I6gXBjQXQ="	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{45670FA8-ED97-4F44-BC93-305082590BFB} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007e0811c9da0adb01	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\FileAssociations\ProgIds\_.raw = "1"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmv\UserChoice	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpe\UserChoice\ProgId = "AppX43hnxtbyyps62jhe9sqpdzxn1790zetc"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\FileAssociations\ProgIds\_.html = "1"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\FileAssociations\ProgIds\_.3gpp = "1"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpa\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav\UserChoice	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\FileAssociations\ProgIds\_.bmp = "1"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.HTM\UserChoice\ProgId = "AppX4hxtad77fbk3jkkeerkrm0ze94wjf3s9"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bmp\UserChoice\Hash = "mk8C76u56Z4="	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\FileAssociations\ProgIds\_.crw = "1"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fa7a3bceda0adb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpe	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\UserChoice\ProgId = "AppXd4nrz8ff68srnhf9t5a8sbjyar1cr723"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3gpp\UserChoice\Hash = "3M7vnserQ9k="	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpe\UserChoice	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.raw\UserChoice	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpg\UserChoice	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\FileAssociations\ProgIds\_.jpg = "1"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\system32\xpsrchvw.exe,-106 = "XPS Document"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\FileAssociations\ProgIds\_.pdf = "1"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\FileAssociations\ProgIds\_.3g2 = "1"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.png\UserChoice\ProgId = "AppX43hnxtbyyps62jhe9sqpdzxn1790zetc"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\FileAssociations\ProgIds\_.jpeg = "1"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4a\UserChoice	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000790c50cfda0adb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpeg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bmp\UserChoice\ProgId = "AppX43hnxtbyyps62jhe9sqpdzxn1790zetc"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: 33	1396	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1396	SearchIndexer.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1396 wrote to memory of 3952	1396	SearchIndexer.exe	78
PID 1396 wrote to memory of 3952	1396	SearchIndexer.exe	78
PID 1396 wrote to memory of 1304	1396	SearchIndexer.exe	79
PID 1396 wrote to memory of 1304	1396	SearchIndexer.exe	79

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\.js
1⤵
PID:3152

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1396
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:3952
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 684 688 696 8192 692
  2⤵
  - Modifies data under HKEY_USERS
  PID:1304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1304-67-0x00000243BC820000-0x00000243BC830000-memory.dmp

Filesize
64KB

Download
memory/1304-66-0x00000243BC820000-0x00000243BC830000-memory.dmp

Filesize
64KB

Download
memory/1304-88-0x00000243BC820000-0x00000243BC830000-memory.dmp

Filesize
64KB

Download
memory/1304-85-0x00000243BC820000-0x00000243BC830000-memory.dmp

Filesize
64KB

Download
memory/1304-62-0x00000243BC820000-0x00000243BC830000-memory.dmp

Filesize
64KB

Download
memory/1304-83-0x00000243BC820000-0x00000243BC830000-memory.dmp

Filesize
64KB

Download
memory/1304-84-0x00000243BC820000-0x00000243BC830000-memory.dmp

Filesize
64KB

Download
memory/1304-65-0x00000243BC820000-0x00000243BC830000-memory.dmp

Filesize
64KB

Download
memory/1304-82-0x00000243BC820000-0x00000243BC830000-memory.dmp

Filesize
64KB

Download
memory/1304-68-0x00000243BC820000-0x00000243BC830000-memory.dmp

Filesize
64KB

Download
memory/1304-51-0x00000243BC820000-0x00000243BC830000-memory.dmp

Filesize
64KB

Download
memory/1304-54-0x00000243BC820000-0x00000243BC830000-memory.dmp

Filesize
64KB

Download
memory/1304-58-0x00000243BC820000-0x00000243BC830000-memory.dmp

Filesize
64KB

Download
memory/1304-59-0x00000243BC820000-0x00000243BC830000-memory.dmp

Filesize
64KB

Download
memory/1304-57-0x00000243BC820000-0x00000243BC830000-memory.dmp

Filesize
64KB

Download
memory/1304-56-0x00000243BC820000-0x00000243BC830000-memory.dmp

Filesize
64KB

Download
memory/1304-81-0x00000243BC820000-0x00000243BC830000-memory.dmp

Filesize
64KB

Download
memory/1304-78-0x00000243BC820000-0x00000243BC830000-memory.dmp

Filesize
64KB

Download
memory/1304-49-0x00000243BC7C0000-0x00000243BC7D0000-memory.dmp

Filesize
64KB

Download
memory/1304-69-0x00000243BC820000-0x00000243BC830000-memory.dmp

Filesize
64KB

Download
memory/1304-73-0x00000243BC820000-0x00000243BC830000-memory.dmp

Filesize
64KB

Download
memory/1304-75-0x00000243BC820000-0x00000243BC830000-memory.dmp

Filesize
64KB

Download
memory/1304-74-0x00000243BC820000-0x00000243BC830000-memory.dmp

Filesize
64KB

Download
memory/1304-72-0x00000243BC820000-0x00000243BC830000-memory.dmp

Filesize
64KB

Download
memory/1304-77-0x00000243BC7C0000-0x00000243BC7D0000-memory.dmp

Filesize
64KB

Download
memory/1396-0-0x000001B8B4070000-0x000001B8B4080000-memory.dmp

Filesize
64KB

Download
memory/1396-17-0x000001B8B4230000-0x000001B8B4240000-memory.dmp

Filesize
64KB

Download
memory/1396-44-0x000001B8BD100000-0x000001B8BD108000-memory.dmp

Filesize
32KB

Download
memory/1396-38-0x000001B8BCAB0000-0x000001B8BCAB8000-memory.dmp

Filesize
32KB

Download
memory/1396-45-0x000001B8BA110000-0x000001B8BA111000-memory.dmp

Filesize
4KB

Download
memory/1396-42-0x000001B8BCFB0000-0x000001B8BCFB8000-memory.dmp

Filesize
32KB

Download
memory/1396-40-0x000001B8B9C20000-0x000001B8B9C28000-memory.dmp

Filesize
32KB

Download
memory/1396-36-0x000001B8BB9B0000-0x000001B8BB9B8000-memory.dmp

Filesize
32KB

Download
memory/1396-32-0x000001B8B86D0000-0x000001B8B86D8000-memory.dmp

Filesize
32KB

Download