Resubmissions

22/10/2024, 19:51

241022-yk8gtstckl 7

22/10/2024, 19:48

241022-yjkpdatbnk 7

21/10/2024, 21:25

241021-z9xx3axema 7

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22/10/2024, 19:48

General

  • Target

    $PLUGINSDIR/app/js/libs/jquery-1.10.2.min.js

  • Size

    90KB

  • MD5

    44e3f0db3e4ab6fedc5758c05cf27591

  • SHA1

    2d408aa1d35661019c95adcc60b78c0727ed25b4

  • SHA256

    bc44d3631ffef1df7960e359f02002d3ada45ee05205c2cf1edd85da2f518144

  • SHA512

    4d4844e53e686fc59a52e86588f328dca3ed6fdad7195c58942a98c51755a24981b903ee7c7b27785375eaad5a7d9501cf74b999674b79f214e66103bad9efdc

  • SSDEEP

    1536:O4mCgi8DyCuXXFiJ+L0kJQsJVPEKuQRZdC/RAfDknv+p0WzH/Io9Z7qABZnu0JFV:OGsKYAI2p0WP9bDrJ7fak

Score
6/10

Malware Config

Signatures

  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 2 IoCs
  • Command and Scripting Interpreter: JavaScript 1 TTPs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\app\js\libs\jquery-1.10.2.min.js
    1⤵
      PID:4896
    • C:\Program Files (x86)\Windows Media Player\wmplayer.exe
      "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
      1⤵
      • Enumerates connected drives
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:3344
      • C:\Windows\SysWOW64\unregmp2.exe
        "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:896
        • C:\Windows\system32\unregmp2.exe
          "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
          3⤵
          • Enumerates connected drives
          • Suspicious use of AdjustPrivilegeToken
          PID:344
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
      1⤵
      • Drops file in Windows directory
      PID:4784
    • C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\OutConvertTo.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
      1⤵
      • System Location Discovery: System Language Discovery
      PID:1736
    • C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\OutConvertTo.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
      1⤵
      • System Location Discovery: System Language Discovery
      PID:3884

Network

MITRE ATT&CK Enterprise v15

Downloads

          • C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

            Filesize

            64KB

            MD5

            987a07b978cfe12e4ce45e513ef86619

            SHA1

            22eec9a9b2e83ad33bedc59e3205f86590b7d40c

            SHA256

            f1a4a978ce1c4731df1594043135cf58d084fdf129dd1c8e4507c9e06eac5ea8

            SHA512

            39b86540e4d35c84609ef66537b5aa02058e3d4293f902127c7d4eac8ffc65920cb5c69a77552fc085687eed66e38367f83c177046d0ecb8e6d135463cc142aa

          • C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

            Filesize

            1024KB

            MD5

            2b1039cf0b6d90ed67b37999ad9c4a88

            SHA1

            dd33ad9c1f8e60455eff5267b687079b12373da4

            SHA256

            e69afb87d5e91ce354e732dcecbbf7f5566cda14d2041e3316e9cc8045c8ee72

            SHA512

            0ee8491ff174bb41a1410b4bec57a1b8d38feb9ad18f3a1aaab35b092a0193f20b640af0c16c3eb3755f0e6642d7c5baae3a35c3c07e3869a66b96935857fa33

          • C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.DTD

            Filesize

            498B

            MD5

            90be2701c8112bebc6bd58a7de19846e

            SHA1

            a95be407036982392e2e684fb9ff6602ecad6f1e

            SHA256

            644fbcdc20086e16d57f31c5bad98be68d02b1c061938d2f5f91cbe88c871fbf

            SHA512

            d618b473b68b48d746c912ac5fc06c73b047bd35a44a6efc7a859fe1162d68015cf69da41a5db504dcbc4928e360c095b32a3b7792fcc6a38072e1ebd12e7cbe

          • C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

            Filesize

            9KB

            MD5

            5433eab10c6b5c6d55b7cbd302426a39

            SHA1

            c5b1604b3350dab290d081eecd5389a895c58de5

            SHA256

            23dbf7014e99e93af5f2760f18ee1370274f06a453145c8d539b66d798dad131

            SHA512

            207b40d6bec65ab147f963a5f42263ae5bf39857987b439a4fa1647bf9b40e99cdc43ff68b7e2463aa9a948284126ac3c9c7af8350c91134b36d8b1a9c61fd34

          • C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak

            Filesize

            9KB

            MD5

            7050d5ae8acfbe560fa11073fef8185d

            SHA1

            5bc38e77ff06785fe0aec5a345c4ccd15752560e

            SHA256

            cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

            SHA512

            a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

          • C:\Users\Admin\AppData\Local\Temp\wmsetup.log

            Filesize

            1KB

            MD5

            850c3a082ccdac56b751f528d6a703cf

            SHA1

            8ca18642f863ff5111720e97fa5d3e9d3027dea1

            SHA256

            6ea924895c28ae5d8aaefa6748e487a80c79ed0f6262df28bd755b215bf01af3

            SHA512

            ffcf9b0000c117163b6a7961488cbf3f41f4441de8178462bdb2e590e4ce28f26f053ffc83cf0b554501971ddaa50a1bf94a59034a8dbc4a0e084b285d4cd579

          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\74d7f43c1561fc1e.customDestinations-ms

            Filesize

            1KB

            MD5

            37bd2c57d991d73310e4f2de2cf67fc6

            SHA1

            937ad6bfaa583513cfbd180d8119a366f8c67d7f

            SHA256

            2d624d9d62a141e47ca2e68f6cd37624719e48ff92bba517eb7fbaab758d21ae

            SHA512

            d966cfcc8574580a535f2992237e04f1acc7ee25117ff08229827f068106800b873a0c217b5bee55eebaa6fa896a39715a66842bb34c27907f550a390e41f703

          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\74d7f43c1561fc1e.customDestinations-ms

            Filesize

            3KB

            MD5

            0d0d27256b45a5655259b95359af0055

            SHA1

            51bff56944ed8df695b19d790f651b91da462952

            SHA256

            393cf676da125538fedcfcdc6d32e593ba55819bcff8c7c270f36fab0183cca5

            SHA512

            c36cb201a37fabd1e8029f2c1109e9760392510f61f762097aca714c8bee961133eb9e87ac7d2c208654855f5fb0395dfcd8f30352888cc6f96be4983c50465f