Analysis
max time kernel: 120s
max time network: 122s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 13-11-2024 11:15
Static task: static1
Behavioral task: behavioral1
Sample: Document-v09-42-38.js
Resource: win7-20241010-en
General
Target: Document-v09-42-38.js
Size: 314KB
MD5: c6fb0358f8de59651faf7c4b62c7fdd9
SHA1: 91d070e6bc128ff227b348d1a67d03d8fc38d6ca
SHA256: 06a9283d0374be0ba13f645b13cca80601595d7d608aa18c9a4c9ce323af03db
SHA512: bab372f9d096a782b6aa6cee4fae2d302ace3829be509a4b1c885422ad87c666d39ffb3597012d53741de67447bea8b38cbc5f84f0a951993303f86ebad623c0
SSDEEP: 6144:myyIU4OXwc0BO3ulgc6rG51le79tKNnI6c3PZNyioAOfaqkG05pW:AV8x1lkKNwU8rW
Malware Config
Signatures
Blocklisted process makes network request 12 IoCs
Processes (flow, pid, process):
  5   2804  msiexec.exe
  9   2088  rundll32.exe
  12  2088  rundll32.exe
  14  2088  rundll32.exe
  16  2088  rundll32.exe
  18  2088  rundll32.exe
  20  2088  rundll32.exe
  22  2088  rundll32.exe
  24  2088  rundll32.exe
  30  2088  rundll32.exe
  31  2088  rundll32.exe
  32  2088  rundll32.exe
Executes dropped EXE 1 IoCs
Processes (pid, process):
  2816  MSI8FF6.tmp
Loads dropped DLL 11 IoCs
Processes (pid, process):
  2924  MsiExec.exe
  2924  MsiExec.exe
  2924  MsiExec.exe
  2200  rundll32.exe
  2200  rundll32.exe
  2200  rundll32.exe
  2200  rundll32.exe
  2088  rundll32.exe
  2088  rundll32.exe
  2088  rundll32.exe
  2088  rundll32.exe
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes (description, ioc, process):
  File opened (read-only)  \??\E:  msiexec.exe
  File opened (read-only)  \??\M:  msiexec.exe
  File opened (read-only)  \??\Q:  msiexec.exe
  File opened (read-only)  \??\R:  msiexec.exe
  File opened (read-only)  \??\Y:  msiexec.exe
  File opened (read-only)  \??\P:  msiexec.exe
  File opened (read-only)  \??\V:  msiexec.exe
  File opened (read-only)  \??\W:  msiexec.exe
  File opened (read-only)  \??\A:  msiexec.exe
  File opened (read-only)  \??\G:  msiexec.exe
  File opened (read-only)  \??\J:  msiexec.exe
  File opened (read-only)  \??\K:  msiexec.exe
  File opened (read-only)  \??\N:  msiexec.exe
  File opened (read-only)  \??\Z:  msiexec.exe
  File opened (read-only)  \??\S:  msiexec.exe
  File opened (read-only)  \??\T:  msiexec.exe
  File opened (read-only)  \??\U:  msiexec.exe
  File opened (read-only)  \??\X:  msiexec.exe
  File opened (read-only)  \??\B:  msiexec.exe
  File opened (read-only)  \??\H:  msiexec.exe
  File opened (read-only)  \??\I:  msiexec.exe
  File opened (read-only)  \??\L:  msiexec.exe
  File opened (read-only)  \??\O:  msiexec.exe
Drops file in Windows directory 9 IoCs
Processes (description, ioc, process):
  File opened for modification  C:\Windows\Installer\MSI89A9.tmp  msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI8D74.tmp  msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI8FF6.tmp  msiexec.exe
  File opened for modification  C:\Windows\Installer\f768e0f.ipi  msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI8C3A.tmp  msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI8D34.tmp  msiexec.exe
  File created                  C:\Windows\Installer\f768e0f.ipi  msiexec.exe
  File opened for modification  C:\Windows\Installer\             msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI8FA6.tmp  msiexec.exe
Command and Scripting Interpreter: JavaScript 1 TTPs
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes (description, ioc, process):
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  MsiExec.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  MSI8FF6.tmp
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe
Modifies data under HKEY_USERS 1 IoCs
Processes (description, ioc, process):
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad  msiexec.exe
Modifies system certificate store
Processes (description, ioc, process):
  Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8  rundll32.exe
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 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  rundll32.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes (pid, process):
  2804  msiexec.exe
  2804  msiexec.exe
  2088  rundll32.exe
  2088  rundll32.exe
Suspicious use of AdjustPrivilegeToken 52 IoCs
Processes (description, pid, process):
  Token: SeShutdownPrivilege            2876  wscript.exe
  Token: SeIncreaseQuotaPrivilege       2876  wscript.exe
  Token: SeRestorePrivilege             2804  msiexec.exe
  Token: SeTakeOwnershipPrivilege       2804  msiexec.exe
  Token: SeSecurityPrivilege            2804  msiexec.exe
  Token: SeCreateTokenPrivilege         2876  wscript.exe
  Token: SeAssignPrimaryTokenPrivilege  2876  wscript.exe
  Token: SeLockMemoryPrivilege          2876  wscript.exe
  Token: SeIncreaseQuotaPrivilege       2876  wscript.exe
  Token: SeMachineAccountPrivilege      2876  wscript.exe
  Token: SeTcbPrivilege                 2876  wscript.exe
  Token: SeSecurityPrivilege            2876  wscript.exe
  Token: SeTakeOwnershipPrivilege       2876  wscript.exe
  Token: SeLoadDriverPrivilege          2876  wscript.exe
  Token: SeSystemProfilePrivilege       2876  wscript.exe
  Token: SeSystemtimePrivilege          2876  wscript.exe
  Token: SeProfSingleProcessPrivilege   2876  wscript.exe
  Token: SeIncBasePriorityPrivilege     2876  wscript.exe
  Token: SeCreatePagefilePrivilege      2876  wscript.exe
  Token: SeCreatePermanentPrivilege     2876  wscript.exe
  Token: SeBackupPrivilege              2876  wscript.exe
  Token: SeRestorePrivilege             2876  wscript.exe
  Token: SeShutdownPrivilege            2876  wscript.exe
  Token: SeDebugPrivilege               2876  wscript.exe
  Token: SeAuditPrivilege               2876  wscript.exe
  Token: SeSystemEnvironmentPrivilege   2876  wscript.exe
  Token: SeChangeNotifyPrivilege        2876  wscript.exe
  Token: SeRemoteShutdownPrivilege      2876  wscript.exe
  Token: SeUndockPrivilege              2876  wscript.exe
  Token: SeSyncAgentPrivilege           2876  wscript.exe
  Token: SeEnableDelegationPrivilege    2876  wscript.exe
  Token: SeManageVolumePrivilege        2876  wscript.exe
  Token: SeImpersonatePrivilege         2876  wscript.exe
  Token: SeCreateGlobalPrivilege        2876  wscript.exe
  Token: SeRestorePrivilege             2804  msiexec.exe
  Token: SeTakeOwnershipPrivilege       2804  msiexec.exe
  Token: SeRestorePrivilege             2804  msiexec.exe
  Token: SeTakeOwnershipPrivilege       2804  msiexec.exe
  Token: SeRestorePrivilege             2804  msiexec.exe
  Token: SeTakeOwnershipPrivilege       2804  msiexec.exe
  Token: SeRestorePrivilege             2804  msiexec.exe
  Token: SeTakeOwnershipPrivilege       2804  msiexec.exe
  Token: SeRestorePrivilege             2804  msiexec.exe
  Token: SeTakeOwnershipPrivilege       2804  msiexec.exe
  Token: SeRestorePrivilege             2804  msiexec.exe
  Token: SeTakeOwnershipPrivilege       2804  msiexec.exe
  Token: SeRestorePrivilege             2804  msiexec.exe
  Token: SeTakeOwnershipPrivilege       2804  msiexec.exe
  Token: SeRestorePrivilege             2804  msiexec.exe
  Token: SeTakeOwnershipPrivilege       2804  msiexec.exe
  Token: SeRestorePrivilege             2804  msiexec.exe
  Token: SeTakeOwnershipPrivilege       2804  msiexec.exe
Suspicious use of WriteProcessMemory 18 IoCs
Processes (description, pid, process, procid_target):
  PID 2804 wrote to memory of 2924  2804  msiexec.exe   31
  PID 2804 wrote to memory of 2924  2804  msiexec.exe   31
  PID 2804 wrote to memory of 2924  2804  msiexec.exe   31
  PID 2804 wrote to memory of 2924  2804  msiexec.exe   31
  PID 2804 wrote to memory of 2924  2804  msiexec.exe   31
  PID 2804 wrote to memory of 2924  2804  msiexec.exe   31
  PID 2804 wrote to memory of 2924  2804  msiexec.exe   31
  PID 2804 wrote to memory of 2816  2804  msiexec.exe   32
  PID 2804 wrote to memory of 2816  2804  msiexec.exe   32
  PID 2804 wrote to memory of 2816  2804  msiexec.exe   32
  PID 2804 wrote to memory of 2816  2804  msiexec.exe   32
  PID 2804 wrote to memory of 2816  2804  msiexec.exe   32
  PID 2804 wrote to memory of 2816  2804  msiexec.exe   32
  PID 2804 wrote to memory of 2816  2804  msiexec.exe   32
  PID 2200 wrote to memory of 2088  2200  rundll32.exe  34
  PID 2200 wrote to memory of 2088  2200  rundll32.exe  34
  PID 2200 wrote to memory of 2088  2200  rundll32.exe  34
  PID 2200 wrote to memory of 2088  2200  rundll32.exe  34
Processes
- C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\Document-v09-42-38.js
  PID: 2876
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 2804
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\syswow64\MsiExec.exe (child of PID 2804)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding AD8E0E12C1D442FC43C0031B630089DB
    PID: 2924
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
  - C:\Windows\Installer\MSI8FF6.tmp (child of PID 2804)
    Command line: "C:\Windows\Installer\MSI8FF6.tmp" /DontWait C:/Windows/SysWOW64/rundll32.exe C:\Users\Admin\AppData\Roaming\apptext.dll, Object
    PID: 2816
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
- C:\Windows\SysWOW64\rundll32.exe
  Command line: "C:\Windows\SysWOW64\rundll32.exe" C:\Users\Admin\AppData\Roaming\apptext.dll, Object
  PID: 2200
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\rundll32.exe (child of PID 2200)
    Command line: "C:\Windows\SysWOW64\rundll32.exe" C:\Users\Admin\AppData\Roaming\apptext.dll, Object
    PID: 2088
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads