Analysis

max time kernel: 148s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-03-2023 06:40

Static task: static1
Behavioral task: behavioral1
  Sample: Orden_de_embargo__pdf.scr
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: Orden_de_embargo__pdf.scr
  Resource: win10v2004-20230220-en
General

Target: Orden_de_embargo__pdf.scr
Size: 697KB
MD5: 08d0d2ae2030e26e3257869f0c1129e4
SHA1: c82aa06abed5ea9ead115e5a83d49183519f20de
SHA256: 4c3bf5e59687731fbbbfbce763a4e097cd3863fd39773fc2e6189a2658dfb1a5
SHA512: 65fb86ed49c510ea4a3f622b4cb9affed0358ff50f96d937b7345d1b0e92916a9bc527a4558ffbe9205be6b6c86f4403d60afc5e0d1d1ab29e03cdfcc8e4e3dc
SSDEEP: 12288:soVl2TmnvZAdJ41JHQbYEAmDJAb8f+jtT6vcxXiFmxG4yeXnCugYUU87UF:9VgmnudJ41JhQLmT6ijxr3zUH7UF
Malware Config
Signatures
Blocklisted process makes network request (50 IoCs)
Processes: wscript.exe, wscript.exe, wscript.exe

flow | pid  | process
21   | 3272 | wscript.exe
23   | 1644 | wscript.exe
24   | 4948 | wscript.exe
37   | 1644 | wscript.exe
42   | 3272 | wscript.exe
43   | 4948 | wscript.exe
48   | 1644 | wscript.exe
49   | 4948 | wscript.exe
50   | 3272 | wscript.exe
53   | 1644 | wscript.exe
54   | 3272 | wscript.exe
55   | 4948 | wscript.exe
56   | 1644 | wscript.exe
68   | 3272 | wscript.exe
69   | 4948 | wscript.exe
70   | 1644 | wscript.exe
72   | 4948 | wscript.exe
73   | 3272 | wscript.exe
77   | 1644 | wscript.exe
78   | 4948 | wscript.exe
79   | 3272 | wscript.exe
80   | 1644 | wscript.exe
82   | 1644 | wscript.exe
83   | 3272 | wscript.exe
84   | 4948 | wscript.exe
87   | 1644 | wscript.exe
88   | 4948 | wscript.exe
89   | 3272 | wscript.exe
90   | 1644 | wscript.exe
91   | 4948 | wscript.exe
92   | 3272 | wscript.exe
94   | 1644 | wscript.exe
96   | 4948 | wscript.exe
97   | 3272 | wscript.exe
98   | 1644 | wscript.exe
99   | 4948 | wscript.exe
100  | 3272 | wscript.exe
101  | 1644 | wscript.exe
107  | 4948 | wscript.exe
108  | 3272 | wscript.exe
109  | 1644 | wscript.exe
110  | 1644 | wscript.exe
111  | 4948 | wscript.exe
112  | 3272 | wscript.exe
120  | 1644 | wscript.exe
123  | 4948 | wscript.exe
125  | 3272 | wscript.exe
126  | 1644 | wscript.exe
127  | 4948 | wscript.exe
128  | 3272 | wscript.exe
Checks computer location settings (2 TTPs, 4 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: Documento-pdf.exe, WScript.exe, wscript.exe, Orden_de_embargo__pdf.scr

description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation | Documento-pdf.exe
Key value queried | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation | WScript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation | wscript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation | Orden_de_embargo__pdf.scr
Drops startup file (5 IoCs)
Processes: wscript.exe, wscript.exe, wscript.exe, WScript.exe

description | ioc | process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FtWlbrTJaO.js | wscript.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Documento-pdf.js | wscript.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FtWlbrTJaO.js | wscript.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Documento-pdf.js | WScript.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FtWlbrTJaO.js | wscript.exe
Executes dropped EXE (1 IoC)
Processes: Documento-pdf.exe

pid  | process
4648 | Documento-pdf.exe
Adds Run key to start application (2 TTPs, 8 IoCs)
Processes: wscript.exe, WScript.exe

description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Documento-pdf = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Documento-pdf.js\"" | wscript.exe
Key created | \REGISTRY\MACHINE\software\WOW6432Node\microsoft\windows\currentversion\run | wscript.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Documento-pdf = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Documento-pdf.js\"" | wscript.exe
Key created | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\software\microsoft\windows\currentversion\run | WScript.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Documento-pdf = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Documento-pdf.js\"" | WScript.exe
Key created | \REGISTRY\MACHINE\software\WOW6432Node\microsoft\windows\currentversion\run | WScript.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Documento-pdf = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Documento-pdf.js\"" | WScript.exe
Key created | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\software\microsoft\windows\currentversion\run | wscript.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies registry class (1 IoC)
Processes: Documento-pdf.exe

description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings | Documento-pdf.exe
Suspicious use of WriteProcessMemory (18 IoCs)
Processes: Orden_de_embargo__pdf.scr, cmd.exe, Documento-pdf.exe, WScript.exe, wscript.exe

description | pid  | process | target process
PID 3608 wrote to memory of 4640 | 3608 | Orden_de_embargo__pdf.scr | cmd.exe
PID 3608 wrote to memory of 4640 | 3608 | Orden_de_embargo__pdf.scr | cmd.exe
PID 3608 wrote to memory of 4640 | 3608 | Orden_de_embargo__pdf.scr | cmd.exe
PID 4640 wrote to memory of 4648 | 4640 | cmd.exe | Documento-pdf.exe
PID 4640 wrote to memory of 4648 | 4640 | cmd.exe | Documento-pdf.exe
PID 4640 wrote to memory of 4648 | 4640 | cmd.exe | Documento-pdf.exe
PID 4648 wrote to memory of 2896 | 4648 | Documento-pdf.exe | WScript.exe
PID 4648 wrote to memory of 2896 | 4648 | Documento-pdf.exe | WScript.exe
PID 4648 wrote to memory of 2896 | 4648 | Documento-pdf.exe | WScript.exe
PID 2896 wrote to memory of 3272 | 2896 | WScript.exe | wscript.exe
PID 2896 wrote to memory of 3272 | 2896 | WScript.exe | wscript.exe
PID 2896 wrote to memory of 3272 | 2896 | WScript.exe | wscript.exe
PID 2896 wrote to memory of 1644 | 2896 | WScript.exe | wscript.exe
PID 2896 wrote to memory of 1644 | 2896 | WScript.exe | wscript.exe
PID 2896 wrote to memory of 1644 | 2896 | WScript.exe | wscript.exe
PID 1644 wrote to memory of 4948 | 1644 | wscript.exe | wscript.exe
PID 1644 wrote to memory of 4948 | 1644 | wscript.exe | wscript.exe
PID 1644 wrote to memory of 4948 | 1644 | wscript.exe | wscript.exe
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\Orden_de_embargo__pdf.scr
  Command line: "C:\Users\Admin\AppData\Local\Temp\Orden_de_embargo__pdf.scr" /S
  PID: 3608
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  Depth 2: C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1.bat" "
    PID: 4640
    - Suspicious use of WriteProcessMemory

    Depth 3: C:\Users\Admin\AppData\Local\Temp\Documento-pdf.exe
      Command line: Documento-pdf.exe -pDocumento -dC:\Users\Admin\AppData\Local\Temp
      PID: 4648
      - Checks computer location settings
      - Executes dropped EXE
      - Modifies registry class
      - Suspicious use of WriteProcessMemory

      Depth 4: C:\Windows\SysWOW64\WScript.exe
        Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Documento-pdf.js"
        PID: 2896
        - Checks computer location settings
        - Drops startup file
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory

        Depth 5: C:\Windows\SysWOW64\wscript.exe
          Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\FtWlbrTJaO.js"
          PID: 3272
          - Blocklisted process makes network request
          - Drops startup file

        Depth 5: C:\Windows\SysWOW64\wscript.exe
          Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Documento-pdf.js"
          PID: 1644
          - Blocklisted process makes network request
          - Checks computer location settings
          - Drops startup file
          - Adds Run key to start application
          - Suspicious use of WriteProcessMemory

          Depth 6: C:\Windows\SysWOW64\wscript.exe
            Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\FtWlbrTJaO.js"
            PID: 4948
            - Blocklisted process makes network request
            - Drops startup file
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 38B
MD5: eb06c33b8a3d3d5b97437290a6c6667a
SHA1: 01cf7cc470719780ac7426f81e9377a5a2fde2b0
SHA256: f59a9c3d70113758d4df71aac1b3c7cc4ab7b008625296656ff63889e483f5af
SHA512: e843113f9dc0a7e2222d99081f78ce3df94aadcef40295d811b459d835ae491913dc5f83a4407f877dcaaf71cfbd848be29f1335474bb8e6e9fa52c95617857c

Filesize: 499KB
MD5: 61f92ceaeff088131346a89da5aea358
SHA1: 280b8377dcabe6a87919f301606cbd19ee2cf94b
SHA256: ece3ab55fbecc5699b7e363b666b06f328b17da05e065e637c87ce08a7c38b2d
SHA512: cdd8f17d65e2e7669a0d8a53df879330b5c4d2ad62b26d4c08c127091bde48e11faf9cbd0e7d3ce7fa392767710cbbe712e3275b102083df87f2478a319847f1

Filesize: 3.0MB
MD5: 00ff505f8de6f97f92a8277e89ed91a0
SHA1: eb96b024221ad9ea73f4d8ab0ec23e99c007c02c
SHA256: c9ed8584cf9b6fd071b98e94a056d00a84223ca1994a3e514a40e486320b0dd6
SHA512: ad9e23a5512fddf43b8ff462a1e2dbdb42dd80c97359b614b3aad816116a47003debb77137d2ec4f3fccdbae0fae279404dbf1cc913ebe028f1cc05653b7cc9f

Filesize: 346KB
MD5: 20610ce7393521f1f07bc5f77ae2935e
SHA1: ec8d679edf1d334ec9bcf1275060ab29b69b71cc
SHA256: cb774141828a2cba93d3b7ec9aa1052a160af7088e769b24a45bd8095c0dedda
SHA512: d63adb503083752371ad1c40c2b92fcd75428eaff30d128d4e55c247a8aab9e78d27e0f7547fcec4cbb56c2d7a2943766d337c715c3536ea400f4ed9c44906a2