Analysis

  • max time kernel
    133s
  • max time network
    137s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-11-2024 09:58

General

  • Target

    Document-v09-42-38.js

  • Size

    314KB

  • MD5

    c6fb0358f8de59651faf7c4b62c7fdd9

  • SHA1

    91d070e6bc128ff227b348d1a67d03d8fc38d6ca

  • SHA256

    06a9283d0374be0ba13f645b13cca80601595d7d608aa18c9a4c9ce323af03db

  • SHA512

    bab372f9d096a782b6aa6cee4fae2d302ace3829be509a4b1c885422ad87c666d39ffb3597012d53741de67447bea8b38cbc5f84f0a951993303f86ebad623c0

  • SSDEEP

    6144:myyIU4OXwc0BO3ulgc6rG51le79tKNnI6c3PZNyioAOfaqkG05pW:AV8x1lkKNwU8rW

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 14 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 6 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 10 IoCs
  • Command and Scripting Interpreter: JavaScript 1 TTPs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 50 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\Document-v09-42-38.js
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1776
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4680
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding A1C3A5A669134947CAA134CD9CB53D24
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:4188
    • C:\Windows\Installer\MSIB5D9.tmp
      "C:\Windows\Installer\MSIB5D9.tmp" /DontWait C:/Windows/SysWOW64/rundll32.exe C:\Users\Admin\AppData\Roaming\apptext.dll, Object
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2536
  • C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\SysWOW64\rundll32.exe" C:\Users\Admin\AppData\Roaming\apptext.dll, Object
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2304
    • C:\Windows\system32\rundll32.exe
      "C:\Windows\SysWOW64\rundll32.exe" C:\Users\Admin\AppData\Roaming\apptext.dll, Object
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      PID:4760

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Config.Msi\e57b558.rbs

    Filesize

    1KB

    MD5

    455b926082a1e1ab25385ebf640350d3

    SHA1

    248e3eeb80421789728c96038a86bb0f6111f708

    SHA256

    9f81041eacf460d6fe835895eb369ec3319353b16b580a62da0dc281bc9a43f3

    SHA512

    5256723c6e8a95d2068ecfe508b12f73259cf3adc7161212f570f5b2bc364cf58a1db49284adf6a18648833bc9be7de4bfe69c47661b996ebcfba310001655f1

  • C:\Users\Admin\AppData\Roaming\apptext.dll

    Filesize

    1.6MB

    MD5

    86b57c9deafed093d4b47b03823b4d14

    SHA1

    47947da463dd6f4ecf61ae960235a35144e903a8

    SHA256

    f8e3eef1fda5969a7aabcc8fb5cc9f5fe245bbf6cc8e480459977b8e91eab9bd

    SHA512

    5f855ed0a3ecf561c45608d7f4579d6e4b1f1953863e97e0b5fea1f33b38d0e03fef16207d88864d2d936a4e65b677cd259ec248dbf06447b50f9e0488acead3

  • C:\Windows\Installer\MSIB1CB.tmp

    Filesize

    2.0MB

    MD5

    c65899e2519f4ad21fb4b97f0a113362

    SHA1

    a1f854c29a69c19949499fca5e24b02b97be46fd

    SHA256

    025abbec1724b9180b369fe116da9d90ae47a4996f6a4e28e8a947bac1e0c741

    SHA512

    eca93cb24187735ec54d4b4e99675f87f1957e255f59c5432498bbc2c47c77b6ccfdf48861a2f78eb377307ce8f6e6458eaf4b766b96e6c2faea1fb87e3dcbb4

  • C:\Windows\Installer\MSIB3FF.tmp

    Filesize

    436KB

    MD5

    475d20c0ea477a35660e3f67ecf0a1df

    SHA1

    67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

    SHA256

    426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

    SHA512

    99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

  • C:\Windows\Installer\MSIB5D9.tmp

    Filesize

    389KB

    MD5

    b9545ed17695a32face8c3408a6a3553

    SHA1

    f6c31c9cd832ae2aebcd88e7b2fa6803ae93fc83

    SHA256

    1e0e63b446eecf6c9781c7d1cae1f46a3bb31654a70612f71f31538fb4f4729a

    SHA512

    f6d6dc40dcba5ff091452d7cc257427dcb7ce2a21816b4fec2ee249e63246b64667f5c4095220623533243103876433ef8c12c9b612c0e95fdfffe41d1504e04

  • memory/4760-46-0x000001DB41AC0000-0x000001DB41B0C000-memory.dmp

    Filesize

    304KB

  • memory/4760-73-0x000001DB41AC0000-0x000001DB41B0C000-memory.dmp

    Filesize

    304KB