Analysis

- Max time kernel: 63s
- Max time network: 64s
- Platform: windows10-1703_x64
- Resource: win10-20240404-en
- Resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
- Submitted: 23-10-2024 16:56
- Static task: static1
General

- Target: Document.js
- Size: 398KB
- MD5: 0f0fee1596c63af8028223a76c52d7c9
- SHA1: 76d1c27a66bc108fc2dd8d54d53d37dd627a142d
- SHA256: ec36a58d2c606d1a11bd33be885873b7fd655d0fa0f157ac26e0c9b84ba82075
- SHA512: 742ac969ed0d7f047a3a006468162f5a7d313ea831506a3a5a54e2f47588057dddde7165c0ca8b9b46edeee1a63ce28e23ce962e6aa21757db270178ab8843fb
- SSDEEP: 6144:MOAtECbWK27qMwU16+whfYFp96kra1h3B2lH5XOEAnK3FtjIV2qRQcKHjQi:M9BWK7+whfAMJTR2vXejR4HUi
Malware Config

Signatures

Blocklisted process makes network request (14 IoCs)
Processes (flow, PID, process):
- flow 2, PID 1452, wscript.exe
- flow 4, PID 1452, wscript.exe
- flow 7, PID 1452, wscript.exe
- flow 9, PID 596, msiexec.exe
- flow 14, PID 1128, rundll32.exe
- flow 16, PID 1128, rundll32.exe
- flow 18, PID 1128, rundll32.exe
- flow 23, PID 1128, rundll32.exe
- flow 25, PID 1128, rundll32.exe
- flow 27, PID 1128, rundll32.exe
- flow 29, PID 1128, rundll32.exe
- flow 34, PID 1128, rundll32.exe
- flow 37, PID 1128, rundll32.exe
- flow 40, PID 1128, rundll32.exe
Executes dropped EXE (1 IoC)
Processes (PID, process):
- PID 1892, MSI67E9.tmp
Loads dropped DLL (6 IoCs)
Processes (PID, process):
- PID 2464, MsiExec.exe (4 loads)
- PID 2036, rundll32.exe
- PID 1128, rundll32.exe
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
- msiexec.exe: File opened (read-only) on each of \??\P:, \??\T:, \??\X:, \??\Z:, \??\E:, \??\B:, \??\K:, \??\L:, \??\O:, \??\Q:, \??\R:, \??\W:, \??\A:, \??\H:, \??\I:, \??\J:, \??\M:, \??\Y:, \??\G:, \??\S:, \??\U:, \??\V:, \??\N:
Drops file in Windows directory (10 IoCs)
Processes (description, IoC, process):
- File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log (msiexec.exe)
- File opened for modification C:\Windows\Installer\MSI65A0.tmp (msiexec.exe)
- File opened for modification C:\Windows\Installer\MSI666D.tmp (msiexec.exe)
- File opened for modification C:\Windows\Installer\MSI670B.tmp (msiexec.exe)
- File created C:\Windows\Installer\inprogressinstallinfo.ipi (msiexec.exe)
- File opened for modification C:\Windows\Installer\MSI6798.tmp (msiexec.exe)
- File opened for modification C:\Windows\Installer\MSI61C7.tmp (msiexec.exe)
- File opened for modification C:\Windows\Installer\MSI66AC.tmp (msiexec.exe)
- File opened for modification C:\Windows\Installer\ (msiexec.exe)
- File opened for modification C:\Windows\Installer\MSI67E9.tmp (msiexec.exe)
Command and Scripting Interpreter: JavaScript (1 TTP)
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes (description, IoC, process):
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (MsiExec.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (MSI67E9.tmp)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (rundll32.exe)
Modifies system certificate store
Processes (description, IoC, process):
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob (certificate blob omitted) (wscript.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8 (wscript.exe)
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob (certificate blob omitted) (wscript.exe)
Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes (PID, process):
- PID 596, msiexec.exe (2 events)
- PID 1128, rundll32.exe (4 events)
Suspicious use of AdjustPrivilegeToken (52 IoCs)
Processes (token, PID, process):
- wscript.exe (PID 1452), 31 token adjustments, in order: SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
- msiexec.exe (PID 596), 21 token adjustments: SeSecurityPrivilege once, then SeRestorePrivilege and SeTakeOwnershipPrivilege alternating, ten times each
Suspicious use of WriteProcessMemory (8 IoCs)
Processes (description, PID, process, target process):
- PID 596 (msiexec.exe) wrote to memory of PID 2464 (MsiExec.exe), 3 events
- PID 596 (msiexec.exe) wrote to memory of PID 1892 (MSI67E9.tmp), 3 events
- PID 2036 (rundll32.exe) wrote to memory of PID 1128 (rundll32.exe), 2 events
Processes

C:\Windows\system32\wscript.exe (PID 1452)
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\Document.js
  - Blocklisted process makes network request
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\msiexec.exe (PID 596)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\syswow64\MsiExec.exe (PID 2464)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 760A8F6A4D7E1BC885EE63A1E5570264
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery

  C:\Windows\Installer\MSI67E9.tmp (PID 1892)
    Command line: "C:\Windows\Installer\MSI67E9.tmp" /DontWait C:/Windows/SysWOW64/rundll32.exe C:\Users\Admin\AppData\Roaming\twist.dll, GetDaemonVersion
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\rundll32.exe (PID 2036)
  Command line: "C:\Windows\SysWOW64\rundll32.exe" C:\Users\Admin\AppData\Roaming\twist.dll, GetDaemonVersion
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\rundll32.exe (PID 1128)
    Command line: "C:\Windows\SysWOW64\rundll32.exe" C:\Users\Admin\AppData\Roaming\twist.dll, GetDaemonVersion
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
- Filesize: 1KB
- MD5: ca76b802cc2641eab2b2fc4a3476aad2
- SHA1: 177691d3fa9cace346b52d356a870de72c01a320
- SHA256: ad5c1ce0a13a97dfef519f8dbf8bf2e0f1bd0b0c1e7d157f5feb4de4c2a9d9e8
- SHA512: 7818c31650e241169db7a99fea6ba1add3cc1be3e93e9bf80ff6fef4e4f4a5ceba8cfe2abe3d8802df2dfa719e1e140eb0eff78b3256556343ec2adc14ccb279

File 2
- Filesize: 1.4MB
- MD5: 6d442f75976839c2efdee6fdd41a3db3
- SHA1: 5a789643626244ce0efa82d3140f4304cf51514d
- SHA256: e9a554d7dd46963f468398eb2d53f6a849df03605a8dbca1e9f857d02377714b
- SHA512: 75a68ca4774c63e0b8a37053e1e4c70c24a8c8179e25648ece0fe787830f57838884348ca6cddcc08da7e67e7a2fec6535d4aa82ee313ec50dc1e90693fc35fb

File 3
- Filesize: 1.9MB
- MD5: 0c969f5bc086f20736f925a9a2e172e5
- SHA1: 784ee3d5ac7b78b568e4e336022b1942a368a55f
- SHA256: db25019854bff21f76d23a0eec433907e8a218448605d18b333e7aaf2e6a6d51
- SHA512: 55d6dbf1d6374d1d76490606e43fd8050d5571dc0075c57fe4e4f589a69fce2db61574974d64db083ca7590b2795091d4e95a872158f9e6c1801a61577d12390

File 4
- Filesize: 436KB
- MD5: 475d20c0ea477a35660e3f67ecf0a1df
- SHA1: 67340739f51e1134ae8f0ffc5ae9dd710e8e3a08
- SHA256: 426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd
- SHA512: 99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

File 5
- Filesize: 389KB
- MD5: b9545ed17695a32face8c3408a6a3553
- SHA1: f6c31c9cd832ae2aebcd88e7b2fa6803ae93fc83
- SHA256: 1e0e63b446eecf6c9781c7d1cae1f46a3bb31654a70612f71f31538fb4f4729a
- SHA512: f6d6dc40dcba5ff091452d7cc257427dcb7ce2a21816b4fec2ee249e63246b64667f5c4095220623533243103876433ef8c12c9b612c0e95fdfffe41d1504e04