Analysis
- max time kernel: 143s
- max time network: 146s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 13-11-2024 09:58
- Static task: static1
- Behavioral task: behavioral1
  - Sample: Document-v09-42-38.js
  - Resource: win7-20240903-en

General
- Target: Document-v09-42-38.js
- Size: 314KB
- MD5: c6fb0358f8de59651faf7c4b62c7fdd9
- SHA1: 91d070e6bc128ff227b348d1a67d03d8fc38d6ca
- SHA256: 06a9283d0374be0ba13f645b13cca80601595d7d608aa18c9a4c9ce323af03db
- SHA512: bab372f9d096a782b6aa6cee4fae2d302ace3829be509a4b1c885422ad87c666d39ffb3597012d53741de67447bea8b38cbc5f84f0a951993303f86ebad623c0
- SSDEEP: 6144:myyIU4OXwc0BO3ulgc6rG51le79tKNnI6c3PZNyioAOfaqkG05pW:AV8x1lkKNwU8rW
Malware Config

Signatures

Blocklisted process makes network request 13 TTPs 13 IoCs
Processes (flow, PID, process):
- flow 5, PID 1052, msiexec.exe
- flow 9, PID 2996, rundll32.exe
- flow 11, PID 2996, rundll32.exe
- flow 13, PID 2996, rundll32.exe
- flow 15, PID 2996, rundll32.exe
- flow 17, PID 2996, rundll32.exe
- flow 19, PID 2996, rundll32.exe
- flow 21, PID 2996, rundll32.exe
- flow 23, PID 2996, rundll32.exe
- flow 26, PID 2996, rundll32.exe
- flow 28, PID 2996, rundll32.exe
- flow 37, PID 2996, rundll32.exe
- flow 39, PID 2996, rundll32.exe

Executes dropped EXE 1 IoCs
Processes (PID, process):
- PID 1992, MSIF35A.tmp

Loads dropped DLL 11 IoCs
Processes (PID, process):
- PID 2796, MsiExec.exe
- PID 2796, MsiExec.exe
- PID 2796, MsiExec.exe
- PID 2980, rundll32.exe
- PID 2980, rundll32.exe
- PID 2980, rundll32.exe
- PID 2980, rundll32.exe
- PID 2996, rundll32.exe
- PID 2996, rundll32.exe
- PID 2996, rundll32.exe
- PID 2996, rundll32.exe

Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes (description, IoC, process):
- File opened (read-only), \??\P:, msiexec.exe
- File opened (read-only), \??\V:, msiexec.exe
- File opened (read-only), \??\G:, msiexec.exe
- File opened (read-only), \??\H:, msiexec.exe
- File opened (read-only), \??\J:, msiexec.exe
- File opened (read-only), \??\K:, msiexec.exe
- File opened (read-only), \??\N:, msiexec.exe
- File opened (read-only), \??\E:, msiexec.exe
- File opened (read-only), \??\I:, msiexec.exe
- File opened (read-only), \??\Q:, msiexec.exe
- File opened (read-only), \??\R:, msiexec.exe
- File opened (read-only), \??\Z:, msiexec.exe
- File opened (read-only), \??\X:, msiexec.exe
- File opened (read-only), \??\A:, msiexec.exe
- File opened (read-only), \??\M:, msiexec.exe
- File opened (read-only), \??\S:, msiexec.exe
- File opened (read-only), \??\T:, msiexec.exe
- File opened (read-only), \??\W:, msiexec.exe
- File opened (read-only), \??\B:, msiexec.exe
- File opened (read-only), \??\L:, msiexec.exe
- File opened (read-only), \??\O:, msiexec.exe
- File opened (read-only), \??\U:, msiexec.exe
- File opened (read-only), \??\Y:, msiexec.exe

Drops file in Windows directory 9 IoCs
Processes (description, IoC, process):
- File opened for modification, C:\Windows\Installer\MSIF153.tmp, msiexec.exe
- File opened for modification, C:\Windows\Installer\, msiexec.exe
- File opened for modification, C:\Windows\Installer\MSIF31A.tmp, msiexec.exe
- File opened for modification, C:\Windows\Installer\f76f20e.ipi, msiexec.exe
- File opened for modification, C:\Windows\Installer\MSIED6B.tmp, msiexec.exe
- File opened for modification, C:\Windows\Installer\MSIEFFB.tmp, msiexec.exe
- File opened for modification, C:\Windows\Installer\MSIF1B2.tmp, msiexec.exe
- File created, C:\Windows\Installer\f76f20e.ipi, msiexec.exe
- File opened for modification, C:\Windows\Installer\MSIF35A.tmp, msiexec.exe

Command and Scripting Interpreter: JavaScript 1 TTPs

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes (description, IoC, process):
- Key opened, \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, MsiExec.exe
- Key opened, \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, MSIF35A.tmp
- Key opened, \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, rundll32.exe

Modifies data under HKEY_USERS 1 IoCs
Processes (description, IoC, process):
- Key created, \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad, msiexec.exe

Modifies system certificate store
Processes (description, IoC, process):
- Key created, \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8, rundll32.exe
- Set value (data), \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 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, rundll32.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes (PID, process):
- PID 1052, msiexec.exe
- PID 1052, msiexec.exe
- PID 2996, rundll32.exe
- PID 2996, rundll32.exe
- PID 2996, rundll32.exe

Suspicious use of AdjustPrivilegeToken 52 IoCs
Processes (token, PID, process):
- Token: SeShutdownPrivilege, PID 1648, wscript.exe
- Token: SeIncreaseQuotaPrivilege, PID 1648, wscript.exe
- Token: SeRestorePrivilege, PID 1052, msiexec.exe
- Token: SeTakeOwnershipPrivilege, PID 1052, msiexec.exe
- Token: SeSecurityPrivilege, PID 1052, msiexec.exe
- Token: SeCreateTokenPrivilege, PID 1648, wscript.exe
- Token: SeAssignPrimaryTokenPrivilege, PID 1648, wscript.exe
- Token: SeLockMemoryPrivilege, PID 1648, wscript.exe
- Token: SeIncreaseQuotaPrivilege, PID 1648, wscript.exe
- Token: SeMachineAccountPrivilege, PID 1648, wscript.exe
- Token: SeTcbPrivilege, PID 1648, wscript.exe
- Token: SeSecurityPrivilege, PID 1648, wscript.exe
- Token: SeTakeOwnershipPrivilege, PID 1648, wscript.exe
- Token: SeLoadDriverPrivilege, PID 1648, wscript.exe
- Token: SeSystemProfilePrivilege, PID 1648, wscript.exe
- Token: SeSystemtimePrivilege, PID 1648, wscript.exe
- Token: SeProfSingleProcessPrivilege, PID 1648, wscript.exe
- Token: SeIncBasePriorityPrivilege, PID 1648, wscript.exe
- Token: SeCreatePagefilePrivilege, PID 1648, wscript.exe
- Token: SeCreatePermanentPrivilege, PID 1648, wscript.exe
- Token: SeBackupPrivilege, PID 1648, wscript.exe
- Token: SeRestorePrivilege, PID 1648, wscript.exe
- Token: SeShutdownPrivilege, PID 1648, wscript.exe
- Token: SeDebugPrivilege, PID 1648, wscript.exe
- Token: SeAuditPrivilege, PID 1648, wscript.exe
- Token: SeSystemEnvironmentPrivilege, PID 1648, wscript.exe
- Token: SeChangeNotifyPrivilege, PID 1648, wscript.exe
- Token: SeRemoteShutdownPrivilege, PID 1648, wscript.exe
- Token: SeUndockPrivilege, PID 1648, wscript.exe
- Token: SeSyncAgentPrivilege, PID 1648, wscript.exe
- Token: SeEnableDelegationPrivilege, PID 1648, wscript.exe
- Token: SeManageVolumePrivilege, PID 1648, wscript.exe
- Token: SeImpersonatePrivilege, PID 1648, wscript.exe
- Token: SeCreateGlobalPrivilege, PID 1648, wscript.exe
- Token: SeRestorePrivilege, PID 1052, msiexec.exe
- Token: SeTakeOwnershipPrivilege, PID 1052, msiexec.exe
- Token: SeRestorePrivilege, PID 1052, msiexec.exe
- Token: SeTakeOwnershipPrivilege, PID 1052, msiexec.exe
- Token: SeRestorePrivilege, PID 1052, msiexec.exe
- Token: SeTakeOwnershipPrivilege, PID 1052, msiexec.exe
- Token: SeRestorePrivilege, PID 1052, msiexec.exe
- Token: SeTakeOwnershipPrivilege, PID 1052, msiexec.exe
- Token: SeRestorePrivilege, PID 1052, msiexec.exe
- Token: SeTakeOwnershipPrivilege, PID 1052, msiexec.exe
- Token: SeRestorePrivilege, PID 1052, msiexec.exe
- Token: SeTakeOwnershipPrivilege, PID 1052, msiexec.exe
- Token: SeRestorePrivilege, PID 1052, msiexec.exe
- Token: SeTakeOwnershipPrivilege, PID 1052, msiexec.exe
- Token: SeRestorePrivilege, PID 1052, msiexec.exe
- Token: SeTakeOwnershipPrivilege, PID 1052, msiexec.exe
- Token: SeRestorePrivilege, PID 1052, msiexec.exe
- Token: SeTakeOwnershipPrivilege, PID 1052, msiexec.exe

Suspicious use of WriteProcessMemory 18 IoCs
Processes (description, source PID, source process, target process ID):
- PID 1052 wrote to memory of 2796, 1052 msiexec.exe, target 32
- PID 1052 wrote to memory of 2796, 1052 msiexec.exe, target 32
- PID 1052 wrote to memory of 2796, 1052 msiexec.exe, target 32
- PID 1052 wrote to memory of 2796, 1052 msiexec.exe, target 32
- PID 1052 wrote to memory of 2796, 1052 msiexec.exe, target 32
- PID 1052 wrote to memory of 2796, 1052 msiexec.exe, target 32
- PID 1052 wrote to memory of 2796, 1052 msiexec.exe, target 32
- PID 1052 wrote to memory of 1992, 1052 msiexec.exe, target 33
- PID 1052 wrote to memory of 1992, 1052 msiexec.exe, target 33
- PID 1052 wrote to memory of 1992, 1052 msiexec.exe, target 33
- PID 1052 wrote to memory of 1992, 1052 msiexec.exe, target 33
- PID 1052 wrote to memory of 1992, 1052 msiexec.exe, target 33
- PID 1052 wrote to memory of 1992, 1052 msiexec.exe, target 33
- PID 1052 wrote to memory of 1992, 1052 msiexec.exe, target 33
- PID 2980 wrote to memory of 2996, 2980 rundll32.exe, target 35
- PID 2980 wrote to memory of 2996, 2980 rundll32.exe, target 35
- PID 2980 wrote to memory of 2996, 2980 rundll32.exe, target 35
- PID 2980 wrote to memory of 2996, 2980 rundll32.exe, target 35

Processes
- C:\Windows\system32\wscript.exe (PID 1648)
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\Document-v09-42-38.js
  Signatures:
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\msiexec.exe (PID 1052)
  Command line: C:\Windows\system32\msiexec.exe /V
  Signatures:
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\syswow64\MsiExec.exe (PID 2796)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding ADC04617A463DD29CC63D0020F42A74D
    Signatures:
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
  - C:\Windows\Installer\MSIF35A.tmp (PID 1992)
    Command line: "C:\Windows\Installer\MSIF35A.tmp" /DontWait C:/Windows/SysWOW64/rundll32.exe C:\Users\Admin\AppData\Roaming\apptext.dll, Object
    Signatures:
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
- C:\Windows\SysWOW64\rundll32.exe (PID 2980)
  Command line: "C:\Windows\SysWOW64\rundll32.exe" C:\Users\Admin\AppData\Roaming\apptext.dll, Object
  Signatures:
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\system32\rundll32.exe (PID 2996)
    Command line: "C:\Windows\SysWOW64\rundll32.exe" C:\Users\Admin\AppData\Roaming\apptext.dll, Object
    Signatures:
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses

Network
MITRE ATT&CK Enterprise v15
Downloads