Analysis
max time kernel: 133s
max time network: 137s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-11-2024 09:58
Static task: static1
Behavioral task: behavioral1
Sample: Document-v09-42-38.js
Resource: win7-20240903-en
General
Target: Document-v09-42-38.js
Size: 314KB
MD5: c6fb0358f8de59651faf7c4b62c7fdd9
SHA1: 91d070e6bc128ff227b348d1a67d03d8fc38d6ca
SHA256: 06a9283d0374be0ba13f645b13cca80601595d7d608aa18c9a4c9ce323af03db
SHA512: bab372f9d096a782b6aa6cee4fae2d302ace3829be509a4b1c885422ad87c666d39ffb3597012d53741de67447bea8b38cbc5f84f0a951993303f86ebad623c0
SSDEEP: 6144:myyIU4OXwc0BO3ulgc6rG51le79tKNnI6c3PZNyioAOfaqkG05pW:AV8x1lkKNwU8rW
Malware Config
Signatures
Blocklisted process makes network request (14 IoCs)
Processes (flow, pid, process):
  flow 4    pid 4680  msiexec.exe
  flow 18   pid 4760  rundll32.exe
  flow 20   pid 4760  rundll32.exe
  flow 22   pid 4760  rundll32.exe
  flow 27   pid 4760  rundll32.exe
  flow 29   pid 4760  rundll32.exe
  flow 31   pid 4760  rundll32.exe
  flow 33   pid 4760  rundll32.exe
  flow 35   pid 4760  rundll32.exe
  flow 55   pid 4760  rundll32.exe
  flow 63   pid 4760  rundll32.exe
  flow 66   pid 4760  rundll32.exe
  flow 67   pid 4760  rundll32.exe
  flow 68   pid 4760  rundll32.exe
Executes dropped EXE (1 IoC)
Processes (pid, process):
  pid 2536  MSIB5D9.tmp
Loads dropped DLL (6 IoCs)
Processes (pid, process):
  pid 4188  MsiExec.exe
  pid 4188  MsiExec.exe
  pid 4188  MsiExec.exe
  pid 4188  MsiExec.exe
  pid 2304  rundll32.exe
  pid 4760  rundll32.exe
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes (description, ioc, process):
  File opened (read-only)  \??\X:  msiexec.exe
  File opened (read-only)  \??\Z:  msiexec.exe
  File opened (read-only)  \??\P:  msiexec.exe
  File opened (read-only)  \??\V:  msiexec.exe
  File opened (read-only)  \??\R:  msiexec.exe
  File opened (read-only)  \??\U:  msiexec.exe
  File opened (read-only)  \??\Y:  msiexec.exe
  File opened (read-only)  \??\E:  msiexec.exe
  File opened (read-only)  \??\O:  msiexec.exe
  File opened (read-only)  \??\I:  msiexec.exe
  File opened (read-only)  \??\K:  msiexec.exe
  File opened (read-only)  \??\L:  msiexec.exe
  File opened (read-only)  \??\Q:  msiexec.exe
  File opened (read-only)  \??\S:  msiexec.exe
  File opened (read-only)  \??\T:  msiexec.exe
  File opened (read-only)  \??\A:  msiexec.exe
  File opened (read-only)  \??\G:  msiexec.exe
  File opened (read-only)  \??\W:  msiexec.exe
  File opened (read-only)  \??\J:  msiexec.exe
  File opened (read-only)  \??\M:  msiexec.exe
  File opened (read-only)  \??\N:  msiexec.exe
  File opened (read-only)  \??\B:  msiexec.exe
  File opened (read-only)  \??\H:  msiexec.exe
Drops file in Windows directory (10 IoCs)
Processes (description, ioc, process):
  File opened for modification  C:\Windows\Installer\  msiexec.exe
  File created                  C:\Windows\Installer\inprogressinstallinfo.ipi  msiexec.exe
  File opened for modification  C:\Windows\Installer\MSIB57A.tmp  msiexec.exe
  File opened for modification  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log  msiexec.exe
  File opened for modification  C:\Windows\Installer\MSIB4FA.tmp  msiexec.exe
  File opened for modification  C:\Windows\Installer\MSIB52A.tmp  msiexec.exe
  File opened for modification  C:\Windows\Installer\MSIB5D9.tmp  msiexec.exe
  File opened for modification  C:\Windows\Installer\MSIB1CB.tmp  msiexec.exe
  File opened for modification  C:\Windows\Installer\MSIB3FF.tmp  msiexec.exe
  File opened for modification  C:\Windows\Installer\MSIB54A.tmp  msiexec.exe
Command and Scripting Interpreter: JavaScript (1 TTP)
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes (description, ioc, process):
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  MsiExec.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  MSIB5D9.tmp
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe
Suspicious behavior: EnumeratesProcesses (8 IoCs)
Processes (pid, process):
  pid 4680  msiexec.exe
  pid 4680  msiexec.exe
  pid 4760  rundll32.exe
  pid 4760  rundll32.exe
  pid 4760  rundll32.exe
  pid 4760  rundll32.exe
  pid 4760  rundll32.exe
  pid 4760  rundll32.exe
Suspicious use of AdjustPrivilegeToken (50 IoCs)
Processes (description, pid, process):
  Token: SeShutdownPrivilege           1776  wscript.exe
  Token: SeIncreaseQuotaPrivilege      1776  wscript.exe
  Token: SeSecurityPrivilege           4680  msiexec.exe
  Token: SeCreateTokenPrivilege        1776  wscript.exe
  Token: SeAssignPrimaryTokenPrivilege 1776  wscript.exe
  Token: SeLockMemoryPrivilege         1776  wscript.exe
  Token: SeIncreaseQuotaPrivilege      1776  wscript.exe
  Token: SeMachineAccountPrivilege     1776  wscript.exe
  Token: SeTcbPrivilege                1776  wscript.exe
  Token: SeSecurityPrivilege           1776  wscript.exe
  Token: SeTakeOwnershipPrivilege      1776  wscript.exe
  Token: SeLoadDriverPrivilege         1776  wscript.exe
  Token: SeSystemProfilePrivilege      1776  wscript.exe
  Token: SeSystemtimePrivilege         1776  wscript.exe
  Token: SeProfSingleProcessPrivilege  1776  wscript.exe
  Token: SeIncBasePriorityPrivilege    1776  wscript.exe
  Token: SeCreatePagefilePrivilege     1776  wscript.exe
  Token: SeCreatePermanentPrivilege    1776  wscript.exe
  Token: SeBackupPrivilege             1776  wscript.exe
  Token: SeRestorePrivilege            1776  wscript.exe
  Token: SeShutdownPrivilege           1776  wscript.exe
  Token: SeDebugPrivilege              1776  wscript.exe
  Token: SeAuditPrivilege              1776  wscript.exe
  Token: SeSystemEnvironmentPrivilege  1776  wscript.exe
  Token: SeChangeNotifyPrivilege       1776  wscript.exe
  Token: SeRemoteShutdownPrivilege     1776  wscript.exe
  Token: SeUndockPrivilege             1776  wscript.exe
  Token: SeSyncAgentPrivilege          1776  wscript.exe
  Token: SeEnableDelegationPrivilege   1776  wscript.exe
  Token: SeManageVolumePrivilege       1776  wscript.exe
  Token: SeImpersonatePrivilege        1776  wscript.exe
  Token: SeCreateGlobalPrivilege       1776  wscript.exe
  Token: SeRestorePrivilege            4680  msiexec.exe
  Token: SeTakeOwnershipPrivilege      4680  msiexec.exe
  Token: SeRestorePrivilege            4680  msiexec.exe
  Token: SeTakeOwnershipPrivilege      4680  msiexec.exe
  Token: SeRestorePrivilege            4680  msiexec.exe
  Token: SeTakeOwnershipPrivilege      4680  msiexec.exe
  Token: SeRestorePrivilege            4680  msiexec.exe
  Token: SeTakeOwnershipPrivilege      4680  msiexec.exe
  Token: SeRestorePrivilege            4680  msiexec.exe
  Token: SeTakeOwnershipPrivilege      4680  msiexec.exe
  Token: SeRestorePrivilege            4680  msiexec.exe
  Token: SeTakeOwnershipPrivilege      4680  msiexec.exe
  Token: SeRestorePrivilege            4680  msiexec.exe
  Token: SeTakeOwnershipPrivilege      4680  msiexec.exe
  Token: SeRestorePrivilege            4680  msiexec.exe
  Token: SeTakeOwnershipPrivilege      4680  msiexec.exe
  Token: SeRestorePrivilege            4680  msiexec.exe
  Token: SeTakeOwnershipPrivilege      4680  msiexec.exe
Suspicious use of WriteProcessMemory (8 IoCs)
Processes (description, pid, process, procid_target):
  PID 4680 wrote to memory of 4188  4680  msiexec.exe   88
  PID 4680 wrote to memory of 4188  4680  msiexec.exe   88
  PID 4680 wrote to memory of 4188  4680  msiexec.exe   88
  PID 4680 wrote to memory of 2536  4680  msiexec.exe   89
  PID 4680 wrote to memory of 2536  4680  msiexec.exe   89
  PID 4680 wrote to memory of 2536  4680  msiexec.exe   89
  PID 2304 wrote to memory of 4760  2304  rundll32.exe  91
  PID 2304 wrote to memory of 4760  2304  rundll32.exe  91
Processes (process tree; command line, PID, and triggered signatures per process)

C:\Windows\system32\wscript.exe (PID 1776)
  command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\Document-v09-42-38.js
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\msiexec.exe (PID 4680)
  command line: C:\Windows\system32\msiexec.exe /V
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\syswow64\MsiExec.exe (PID 4188, child of 4680)
    command line: C:\Windows\syswow64\MsiExec.exe -Embedding A1C3A5A669134947CAA134CD9CB53D242
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery

  C:\Windows\Installer\MSIB5D9.tmp (PID 2536, child of 4680)
    command line: "C:\Windows\Installer\MSIB5D9.tmp" /DontWait C:/Windows/SysWOW64/rundll32.exe C:\Users\Admin\AppData\Roaming\apptext.dll, Object
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\rundll32.exe (PID 2304)
  command line: "C:\Windows\SysWOW64\rundll32.exe" C:\Users\Admin\AppData\Roaming\apptext.dll, Object
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\rundll32.exe (PID 4760, child of 2304)
    command line: "C:\Windows\SysWOW64\rundll32.exe" C:\Users\Admin\AppData\Roaming\apptext.dll, Object
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads